automatic module_metadata_base.json update

2019-04-19 11:02:36 -07:00 · 2019-04-19 11:02:36 -07:00 · 0169c0afe5
parent d7a89f8341
commit 0169c0afe5
1 changed files with 147 additions and 4 deletions
--- a/db/modules_metadata_base.json
+++ b/db/modules_metadata_base.json
@ -15504,6 +15504,55 @@
    "notes": {
    }
  },
+  "auxiliary_gather/rails_doubletap_file_read": {
+    "name": "Ruby On Rails File Content Disclosure ('doubletap')",
+    "full_name": "auxiliary/gather/rails_doubletap_file_read",
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Carter Brainerd <0xCB@protonmail.com>",
+      "John Hawthorn <john@hawthorn.email>"
+    ],
+    "description": "This module uses a path traversal vulnerability in Ruby on Rails\n          versions =< 5.2.2 to read files on a target server.",
+    "references": [
+      "URL-https://hackerone.com/reports/473888",
+      "URL-https://github.com/mpgn/Rails-doubletap-RCE",
+      "URL-https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q",
+      "URL-https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CVE-2019-5418%E3%80%91File-Content-Disclosure-on-Rails/",
+      "CVE-2019-5418",
+      "EDB-46585"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-04-18 16:10:24 +0000",
+    "path": "/modules/auxiliary/gather/rails_doubletap_file_read.rb",
+    "is_install_path": true,
+    "ref_name": "gather/rails_doubletap_file_read",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": "DoubleTap"
+    }
+  },
  "auxiliary_gather/safari_file_url_navigation": {
    "name": "Mac OS X Safari file:// Redirection Sandbox Escape",
    "full_name": "auxiliary/gather/safari_file_url_navigation",
@ -51821,7 +51870,7 @@
      "Tavis Ormandy",
      "bcoles <bcoles@gmail.com>"
    ],
-    "description": "This module attempts to gain root privileges on Fedora systems with\n        a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured\n        as the crash handler.\n\n        A race condition allows local users to change ownership of arbitrary\n        files (CVE-2015-3315). This module uses a symlink attack on\n        '/var/tmp/abrt/*/maps' to change the ownership of /etc/passwd,\n        then adds a new user with UID=0 GID=0 to gain root privileges.\n        Winning the race could take a few minutes.\n\n        This module has been tested successfully on ABRT packaged version\n        2.1.5-1.fc19 on Fedora Desktop 19 x86_64, 2.2.1-1.fc19 on Fedora Desktop\n        19 x86_64 and 2.2.2-2.fc20 on Fedora Desktop 20 x86_64.\n\n        Fedora 21 and Red Hat 7 systems are reportedly affected, but untested.",
+    "description": "This module attempts to gain root privileges on Linux systems with\n        a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured\n        as the crash handler.\n\n        A race condition allows local users to change ownership of arbitrary\n        files (CVE-2015-3315). This module uses a symlink attack on\n        `/var/tmp/abrt/*/maps` to change the ownership of `/etc/passwd`,\n        then adds a new user with UID=0 GID=0 to gain root privileges.\n        Winning the race could take a few minutes.\n\n        This module has been tested successfully on:\n\n        abrt 2.1.11-12.el7 on RHEL 7.0 x86_64;\n        abrt 2.1.5-1.fc19 on Fedora Desktop 19 x86_64;\n        abrt 2.2.1-1.fc19 on Fedora Desktop 19 x86_64;\n        abrt 2.2.2-2.fc20 on Fedora Desktop 20 x86_64;\n        abrt 2.3.0-3.fc21 on Fedora Desktop 21 x86_64.",
    "references": [
      "CVE-2015-3315",
      "EDB-36747",
@ -51849,7 +51898,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-04-18 09:01:51 +0000",
    "path": "/modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/abrt_raceabrt_priv_esc",
@ -52398,7 +52447,7 @@
      "Tavis Ormandy",
      "bcoles <bcoles@gmail.com>"
    ],
-    "description": "This module attempts to gain root privileges on Linux systems by abusing\n        a vulnerability in the GNU C Library (glibc) dynamic linker.\n\n        glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not\n        properly restrict use of the LD_AUDIT environment variable when loading\n        setuid executables which allows control over the $ORIGIN library search\n        path resulting in execution of arbitrary shared objects.\n\n        This module opens a file descriptor to the specified suid executable via\n        a hard link, then replaces the hard link with a shared object before\n        instructing the linker to execute the file descriptor, resulting in\n        arbitrary code execution.\n\n        The specified setuid binary must be readable and located on the same\n        file system partition as the specified writable directory.\n\n        This module has been tested successfully on glibc version 2.5 on CentOS\n        5.4 (x86_64), 2.5 on CentOS 5.5 (x86_64) and 2.12 on Fedora 13 (i386).\n\n        RHEL 5 is reportedly affected, but untested. Some versions of ld.so,\n        such as the version shipped with Ubuntu 14, hit a failed assertion\n        in dl_open_worker causing exploitation to fail.",
+    "description": "This module attempts to gain root privileges on Linux systems by abusing\n        a vulnerability in the GNU C Library (glibc) dynamic linker.\n\n        glibc `ld.so` versions before 2.11.3, and 2.12.x before 2.12.2 does not\n        properly restrict use of the `LD_AUDIT` environment variable when loading\n        setuid executables which allows control over the `$ORIGIN` library search\n        path resulting in execution of arbitrary shared objects.\n\n        This module opens a file descriptor to the specified suid executable via\n        a hard link, then replaces the hard link with a shared object before\n        instructing the linker to execute the file descriptor, resulting in\n        arbitrary code execution.\n\n        The specified setuid binary must be readable and located on the same\n        file system partition as the specified writable directory.\n\n        This module has been tested successfully on:\n\n        glibc 2.5 on CentOS 5.4 (x86_64);\n        glibc 2.5 on CentOS 5.5 (x86_64);\n        glibc 2.12 on Fedora 13 (i386); and\n        glibc 2.5-49 on RHEL 5.5 (x86_64).\n\n        Some versions of `ld.so`, such as the version shipped with Ubuntu 14,\n        hit a failed assertion in `dl_open_worker` causing exploitation to fail.",
    "references": [
      "CVE-2010-3847",
      "BID-44154",
@ -52422,7 +52471,7 @@
      "Linux x86",
      "Linux x64"
    ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-04-18 15:35:37 +0000",
    "path": "/modules/exploits/linux/local/glibc_origin_expansion_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/glibc_origin_expansion_priv_esc",
@ -53170,6 +53219,50 @@
    "notes": {
    }
  },
+  "exploit_linux/local/systemtap_modprobe_options_priv_esc": {
+    "name": "SystemTap MODPROBE_OPTIONS Privilege Escalation",
+    "full_name": "exploit/linux/local/systemtap_modprobe_options_priv_esc",
+    "rank": 600,
+    "disclosure_date": "2010-11-17",
+    "type": "exploit",
+    "author": [
+      "Tavis Ormandy",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module attempts to gain root privileges by exploiting a\n        vulnerability in the `staprun` executable included with SystemTap\n        version 1.3.\n\n        The `staprun` executable does not clear environment variables prior to\n        executing `modprobe`, allowing an arbitrary configuration file to be\n        specified in the `MODPROBE_OPTIONS` environment variable, resulting\n        in arbitrary command execution with root privileges.\n\n        This module has been tested successfully on:\n\n        systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and\n        systemtap 1.1-3.el5 on RHEL 5.5 (x64).",
+    "references": [
+      "BID-44914",
+      "CVE-2010-4170",
+      "EDB-15620",
+      "URL-https://securitytracker.com/id?1024754",
+      "URL-https://access.redhat.com/security/cve/cve-2010-4170",
+      "URL-https://bugzilla.redhat.com/show_bug.cgi?id=653604",
+      "URL-https://lists.fedoraproject.org/pipermail/package-announce/2010-November/051115.html",
+      "URL-https://bugs.launchpad.net/bugs/677226",
+      "URL-https://www.debian.org/security/2011/dsa-2348"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2019-04-19 12:54:30 +0000",
+    "path": "/modules/exploits/linux/local/systemtap_modprobe_options_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/systemtap_modprobe_options_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_linux/local/udev_netlink": {
    "name": "Linux udev Netlink Local Privilege Escalation",
    "full_name": "exploit/linux/local/udev_netlink",
@ -59308,6 +59401,56 @@
    "notes": {
    }
  },
+  "exploit_multi/http/confluence_widget_connector": {
+    "name": "Atlassian Confluence Widget Connector Macro Velocity Template Injection",
+    "full_name": "exploit/multi/http/confluence_widget_connector",
+    "rank": 600,
+    "disclosure_date": "2019-03-25",
+    "type": "exploit",
+    "author": [
+      "Daniil Dmitriev",
+      "Dmitry (rrock) Shchannikov"
+    ],
+    "description": "Widget Connector Macro is part of Atlassian Confluence Server and Data Center that\n        allows embed online videos, slideshows, photostreams and more directly into page.\n        A _template parameter can be used to inject remote Java code into a Velocity template,\n        and gain code execution. Authentication is unrequired to exploit this vulnerability.\n        By default, Java payload will be used because it is cross-platform, but you can also\n        specify which native payload you want (Linux or Windows).\n\n        Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version\n        6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.\n\n        This vulnerability was originally discovered by Daniil Dmitriev\n        https://twitter.com/ddv_ua.",
+    "references": [
+      "CVE-2019-3396",
+      "URL-https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html",
+      "URL-https://chybeta.github.io/2019/04/06/Analysis-for-%E3%80%90CVE-2019-3396%E3%80%91-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/",
+      "URL-https://paper.seebug.org/886/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8090,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Java",
+      "Windows",
+      "Linux"
+    ],
+    "mod_time": "2019-04-19 12:35:36 +0000",
+    "path": "/modules/exploits/multi/http/confluence_widget_connector.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/confluence_widget_connector",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_multi/http/cups_bash_env_exec": {
    "name": "CUPS Filter Bash Environment Variable Code Injection (Shellshock)",
    "full_name": "exploit/multi/http/cups_bash_env_exec",