Opera Skinned : Arbitrary File Dropping And Execution (Advisory)
2003-11-13T00:00:00
ID SECURITYVULNS:DOC:5392 Type securityvulns Reporter Securityvulns Modified 2003-11-13T00:00:00
Description
Opera Skinned : Arbitrary File Dropping And Execution
I. ABSTRACT:
Like other browsers, Opera Web Browser supports many standard MIME types and
also a few Opera-specific MIME types. Of the Opera-specific types, the
implementation of the various browser skin and browser configuration MIME
types (listed below) has a design flaw that allows the remote dropping of an
arbitrary file with an arbitrary name and type in a known location. This is
triggered when the victim accesses a URL.
Exploitation becomes easier when this vulnerability is combined with the other
"Directory Traversal" vulnerability described in the attached advisory.
II. VERSIONS AFFECTED:
All versions up to and including 7.21 that support the flawed MIME types are
vulnerable. Version 7.22 contains the fix.
III. IMPACT:
By using this flaw, an attacker may:
i. Drop arbitrary files with arbitrary names on a victim's hard disk.
ii. Run scripts with higher privileges.
iii. Read the contents of the directories on a victim's hard disk.
iv. Read any file.
v. Read M2 emails (Built-in Opera mail client).
IV. TECHNICAL DETAILS:
We will consider the "application/x-opera-skin" MIME type first for the sake of
clarity. The issues are the same for the other five flawed MIME types. Their
specifics are mentioned in a later section below.
1. Skinning Opera with "application/x-opera-skin":
According to the functionality that Opera provides, a user can install a new
skin just by clicking on a link. Opera automatically downloads and applies the
skin without confirmation from the user. For this to work, the MIME type of the
skin file has to be set to "application/x-opera-skin" on the web server. The
file type of an Opera skin file is "*.zip". The Opera skin file specification
[2] says:
8<---------
"An Opera 7 skin file is a zipped file with extension .zip that contains a
"skin.ini" file at root level and a bunch of images making up the skin.
The "skin.ini" file contains the whole skin specification. All other files in
the zip file are pointed to by the specification in "skin.ini"." [2]
8<----------
Skin files are downloaded to "C:\Program
Files\Opera7\profile\Skin\<filename.ext>" (if the install directory is
"C:\Program Files\Opera7\"; it is *not* necessary for a remote attacker to know
the install path of Opera for exploitation).
Skin files that do not have the ".zip" extension but are valid skin files are
automatically downloaded and applied by Opera if the correct MIME type is set on
the httpd. They are downloaded to the default skin file folder. However, these
skins are not shown in the "file>preferences>skin" menu. Only skins with the
".zip" extension are shown in the list.
The security problem here is that even invalid, corrupt skin files with any
extension (including exe, com, etc.) are downloaded to the default skin file
location. The victim doesn't necessarily have to know that he is downloading a
skin. He just clicks a malicious link and is given a harmless-looking dialog
box saying that the skin file is incompatible with the current version of
Opera, *after the file is downloaded*. The user may click "OK" or "CANCEL", but
it has no effect on the download behaviour: the file is still present in the
skin file folder and is not deleted.
This means that an attacker can comfortably drop an arbitrary file with an
arbitrary name and type on a victim's hard disk in a known location by making
him access a simple, not specially crafted URL. Using an exploitation method
detailed elsewhere, the arbitrary file can be executed.
For instance, if a victim clicks on a link http://foo.com/foobar.exe where the
MIME type of foobar.exe is set as "application/x-opera-skin", foobar.exe is
downloaded automatically to the skin file folder. The name foobar.exe is
preserved. So, for a default install of Opera, the file is dropped in and as
"C:\Program Files\Opera7\profile\Skin\foobar.exe".
2. Other flawed MIME types:
Other than the folder location where the file will be dropped and the file type
associated with the MIME type, all the details are the same as the skin MIME
detailed above for the MIME types listed below. The file type associated with a
MIME type does not hinder the dropping of files of other types as shown above.
It is just presented here as useful information.
For all the MIME types below, the locations for a default install are given.
However, a default install is not necessary for exploitation.
i. "application/x-opera-skin" - Detailed above.
ii. "application/x-opera-configuration-skin" - File is dropped in
C:\Program Files\Opera7\profile\skin.
iii. "application/x-opera-configuration-keyboard" - File is dropped in
C:\Program Files\Opera7\profile\keyboard. The file type associated is "*.ini".
iv. "application/x-opera-configuration-mouse" - File is dropped in
C:\Program Files\Opera7\profile\mouse. The file type associated is "*.ini".
v. "application/x-opera-configuration-menu" - File is dropped in
C:\Program Files\Opera7\profile\menu. The file type associated is "*.ini".
vi. "application/x-opera-configuration-toolbar" - File is dropped in
C:\Program Files\Opera7\profile\toolbar. The file type associated is "*.ini".
About these MIME types, Opera's documentation says:
8<------------
"If the server returns content-type "application/x-opera-configuration-menu" or
"application/x-opera-configuration-keyboard" or
"application/x-opera-configuration-mouse" and the file has the "ini" extension,
Opera will download and install the menu, keyboard or mouse gestures setup
directly" [3]
8<------------
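The root cause described above is that the browser writes the download into the profile folder first and only afterwards decides whether it is a usable skin or configuration file, so the attacker-chosen name and content survive on disk. The following Python function is an added example, not Opera's code and not the proof of concept attached to this advisory, of the pre-save check a download handler should perform: it uses the six MIME types, profile sub-folders and expected extensions listed above and the skin layout quoted from [2]. The function names, the INI sanity check and the constructed sample archive are assumptions made for the example.

```python
import io
import posixpath
import zipfile

# Opera-specific MIME types from the advisory, mapped to the profile sub-folder
# the download lands in and the extension the documented feature expects.
# The folder names are the default-install paths given above; everything else
# in this block is an assumption made for the example.
OPERA_CONFIG_TYPES = {
    "application/x-opera-skin":                   ("Skin",     ".zip"),
    "application/x-opera-configuration-skin":     ("skin",     ".zip"),
    "application/x-opera-configuration-keyboard": ("keyboard", ".ini"),
    "application/x-opera-configuration-mouse":    ("mouse",    ".ini"),
    "application/x-opera-configuration-menu":     ("menu",     ".ini"),
    "application/x-opera-configuration-toolbar":  ("toolbar",  ".ini"),
}


def is_valid_skin(data: bytes) -> bool:
    """Per the skin spec [2]: a zip archive with "skin.ini" at root level."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return "skin.ini" in archive.namelist()
    except zipfile.BadZipFile:
        return False


def looks_like_ini(data: bytes) -> bool:
    """Cheap sanity check (assumption): decodable text with a [section] header."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return any(line.strip().startswith("[") and line.strip().endswith("]")
               for line in text.splitlines())


def vet_opera_download(content_type: str, url_filename: str, data: bytes):
    """Decide whether a download may be saved into the profile folder.

    Returns (True, "<folder>/<name>") for an acceptable file, or
    (False, reason) for anything that must be discarded *before* it touches
    the disk. The vulnerable behaviour saved the file first and only then
    complained that it was incompatible.
    """
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime not in OPERA_CONFIG_TYPES:
        return False, "not an Opera skin/configuration type"
    folder, expected_ext = OPERA_CONFIG_TYPES[mime]

    # The name comes from the attacker-controlled URL: keep only a plain
    # basename, with no directory separators of either flavour.
    name = posixpath.basename(url_filename)
    if name != url_filename or "\\" in name or name in ("", ".", ".."):
        return False, "filename contains path components"

    # Enforce the extension the feature documents instead of trusting the
    # Content-Type header alone (this is where foobar.exe is rejected).
    if not name.lower().endswith(expected_ext):
        return False, f"extension must be {expected_ext} for {mime}"

    # Validate the content against the format the extension promises.
    if expected_ext == ".zip" and not is_valid_skin(data):
        return False, "not a valid skin archive (skin.ini at root required)"
    if expected_ext == ".ini" and not looks_like_ini(data):
        return False, "content is not an INI configuration file"
    return True, f"{folder}/{name}"


def make_sample_skin() -> bytes:
    """Constructed minimal skin archive used only to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("skin.ini", "[Info]\nName=Sample skin\n")
    return buf.getvalue()


if __name__ == "__main__":
    # The advisory's scenario: foobar.exe served as application/x-opera-skin.
    print(vet_opera_download("application/x-opera-skin", "foobar.exe", b"MZ\x90\x00"))
    print(vet_opera_download("application/x-opera-skin", "nice.zip", make_sample_skin()))
```

The order of the checks matters: the extension is enforced from the MIME type's documented expectation rather than from the server-supplied name, and the content is parsed before any path under the profile directory is computed, so an incompatible or mislabelled download never reaches the skin folder in the first place.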
IV. EXPLOITATION SCENARIOS & EXPLOIT:
According to my investigation, files can only be dropped in the default folders
mentioned above. Using directory traversal techniques to drop the file in other
locations does not seem to be feasible.
Although any file can be dropped on a victim's computer, the highest compromise
that can be accomplished seems to be the running of scripts with higher
privileges. Files other than the file types handled by Opera cannot be executed.
This means file types like exe, bat, etc., cannot be executed although they may
be dropped, while file types like html, txt, gif, etc., can be executed.
Nevertheless, the executable files dropped using this vulnerability can be
executed by using other vulnerabilities (possibly in other software).
This flaw can be exploited alone but, if Opera is not installed in the default
path, a 'blind' exploit will not work. Nevertheless, when this flaw is combined
with the Directory Traversal vulnerability (detailed in the advisory "Opera Web
Browser Directory Traversal in Internal URI Protocol" published by me, attached
to this one), 'blind' exploitation, i.e., exploitation without knowledge of the
install path becomes possible.
A proof of concept exploit is attached with this advisory.
V. VENDOR RESPONSE & SOLUTION:
The vendor, Opera Software, deserves special mention here. I had previously
read about Opera Soft's promptness in resolving security vulnerabilities in
their products. My experience with them is one of the best I ever had with any
vendor. I hope they continue to maintain their good record even with future
security issues.
An updated version with a fix (7.22) is available from the site -
http://www.opera.com/download/
VI. CREDIT:
S.G.Masood (sgmasood@yahoo.com)
Hyderabad,
India.
VII. DISCLAIMER:
This advisory is meant only for the dissemination of information, alerting the
general public about a security issue. Use this information at your own
discretion.
In brief, the author is not responsible for any use, misuse, abuse of this
information. Also, this information is provided "as is" without any warranty of
any kind.
PHEW
EOF