CAPEC
- Embedding Scripts within Scripts
An attack of this type exploits a program's vulnerabilities that arise from allowing remote hosts to execute scripts. The attacker leverages this capability to run their own script by embedding it within other scripts that the target software is likely to execute. The attacker must be able to inject script into a script that is likely to be executed. If this succeeds, the attacker can potentially launch a variety of probes and attacks against the web server's local environment (in many cases the so-called DMZ), the back-end resources the web server can communicate with, and other hosts.
With the proliferation of intermediaries, such as web application firewalls, network devices, and even printers that embed JVMs and web servers, there are many locations where an attacker can inject malicious scripts. Because this attack pattern places scripts within scripts that the host already runs, the injected script typically inherits the privileges needed to execute on that host.
Of course, these attacks are not limited to the server side: client-side scripts, such as Ajax and client-side JavaScript, can contain malicious scripts as well. In general, all that is required is a script that has sufficient privileges to execute but is not protected against being written to.
- Signature Spoofing by Key Theft
An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
nessus
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2017-A253644369.NASL
description:
- Updated bcm 4339 4354 4356 4358 firmware, new bcm 43430
- Fixes CVE-2016-0801 CVE-2017-0561 CVE-2017-9417
----
- Updated Intel GPU, amdgpu, iwlwifi, mvebu wifi,
liquidio, QCom a530 & Venus, mlxsw, qed
- Add iwlwifi 9000 series
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.
last seen: 2019-01-16
modified: 2018-02-02
plugin id: 105133
published: 2017-12-11
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=105133
title: Fedora 26 : linux-firmware (2017-a253644369)
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2017-355AC8A91A.NASL
description:
- Updated bcm 4339 4354 4356 4358 firmware, new bcm 43430
- Fixes CVE-2016-0801 CVE-2017-0561 CVE-2017-9417
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.
last seen: 2019-01-16
modified: 2018-02-01
plugin id: 105855
published: 2018-01-15
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=105855
title: Fedora 27 : linux-firmware (2017-355ac8a91a)
NASL family: MacOS X Local Security Checks
NASL id: MACOSX_SECUPD2017-003.NASL
description:
The remote host is running Mac OS X 10.10.5, Mac OS X 10.11.6, or
macOS 10.12.5 and is missing a security update. It is therefore
affected by multiple vulnerabilities:
- An overflow condition exists in the curl component in
the dprintf_formatf() function that is triggered when
handling floating point conversion. An unauthenticated,
remote attacker can exploit this to cause a denial of
service condition or the execution of arbitrary code.
(CVE-2016-9586)
- A flaw exists in the curl component in the randit()
function within file lib/rand.c due to improper
initialization of the 32-bit random value, which is
used, for example, to generate Digest and NTLM
authentication nonces, resulting in weaker cryptographic
operations than expected. (CVE-2016-9594)
- A flaw exists in the curl component in the
allocate_conn() function in lib/url.c when using the
OCSP stapling feature for checking a X.509 certificate
revocation status. The issue is triggered as the request
option for OCSP stapling is not properly passed to the
TLS library, resulting in no error being returned even
when no proof of the validity of the certificate could
be provided. A man-in-the-middle attacker can exploit
this to provide a revoked certificate. (CVE-2017-2629)
- A remote code execution vulnerability exists in the
CoreAudio component due to improper validation of
user-supplied input when handling movie files. An
unauthenticated, remote attacker can exploit this, by
convincing a user to play a specially crafted movie
file, to cause a denial of service condition or the
execution of arbitrary code. (CVE-2017-7008)
- A memory corruption issue exists in the IOUSBFamily
component due to improper validation of user-supplied
input. A local attacker can exploit this, via a
specially crafted application, to cause a denial of
service condition or the execution of arbitrary code.
(CVE-2017-7009)
- Multiple out-of-bounds read errors exist in the libxml2
component due to improper handling of specially crafted
XML documents. An unauthenticated, remote attacker can
exploit these to disclose user information.
(CVE-2017-7010, CVE-2017-7013)
- Multiple memory corruption issues exist in the Intel
Graphics Driver component due to improper validation of
input. A local attacker can exploit these issues to
execute arbitrary code with elevated privileges.
(CVE-2017-7014, CVE-2017-7017, CVE-2017-7035,
CVE-2017-7044)
- A remote code execution vulnerability exists in the
Audio component due to improper validation of
user-supplied input when handling audio files. An
unauthenticated, remote attacker can exploit this, by
convincing a user to play a specially crafted audio
file, to execute arbitrary code. (CVE-2017-7015)
- Multiple remote code execution vulnerabilities exist in
the afclip component due to improper validation of
user-supplied input when handling audio files. An
unauthenticated, remote attacker can exploit these
vulnerabilities, by convincing a user to play a
specially crafted audio file, to execute arbitrary
code. (CVE-2017-7016, CVE-2017-7033)
- A memory corruption issue exists in the
AppleGraphicsPowerManagement component due to improper
validation of input. A local attacker can exploit this
to cause a denial of service condition or the execution
of arbitrary code with system privileges.
(CVE-2017-7021)
- Multiple memory corruption issues exist in the kernel
due to improper validation of input. A local attacker
can exploit these issues to cause a denial of service
condition or the execution of arbitrary code with system
privileges. (CVE-2017-7022, CVE-2017-7024,
CVE-2017-7026)
- Multiple memory corruption issues exist in the kernel
due to improper validation of input. A local attacker
can exploit these issues to cause a denial of service
condition or the execution of arbitrary code with kernel
privileges. (CVE-2017-7023, CVE-2017-7025,
CVE-2017-7027, CVE-2017-7069)
- Multiple unspecified flaws exist in the kernel due to a
failure to properly sanitize input. A local attacker can
exploit these issues, via a specially crafted
application, to disclose restricted memory contents.
(CVE-2017-7028, CVE-2017-7029, CVE-2017-7067)
- A flaw exists in the Foundation component due to
improper validation of input. An unauthenticated, remote
attacker can exploit this, by convincing a user to open a
specially crafted file, to execute arbitrary code.
(CVE-2017-7031)
- A memory corruption issue exists in the 'kext tools'
component due to improper validation of input. A local
attacker can exploit this to execute arbitrary code with
elevated privileges. (CVE-2017-7032)
- Multiple unspecified flaws exist in the Intel Graphics
Driver component due to a failure to properly sanitize
input. A local attacker can exploit these issues, via a
specially crafted application, to disclose restricted
memory contents. (CVE-2017-7036, CVE-2017-7045)
- A memory corruption issue exists in the libxpc component
due to improper validation of input. A local attacker
can exploit this issue, via a specifically crafted
application, to cause a denial of service condition or
the execution of arbitrary code with system privileges.
(CVE-2017-7047)
- Multiple memory corruption issues exist in the
Bluetooth component due to improper validation of input.
A local attacker can exploit these issues to execute
arbitrary code with system privileges. (CVE-2017-7050,
CVE-2017-7051)
- A memory corruption issue exists in the Bluetooth
component due to improper validation of input. A local
attacker can exploit this issue to execute arbitrary
code with system privileges. (CVE-2017-7054)
- A buffer overflow condition exists in the Contacts
component due to improper validation of user-supplied
input. An unauthenticated, remote attacker can exploit
this to cause a denial of service condition or the
execution of arbitrary code. (CVE-2017-7062)
- A buffer overflow condition exists in the libarchive
component due to improper validation of user-supplied
input. An unauthenticated, remote attacker can exploit
this, via a specially crafted archive file, to cause a
denial of service condition or the execution of
arbitrary code. (CVE-2017-7068)
- A certificate validation bypass vulnerability exists in
the curl component due to the program attempting to
resume TLS sessions even if the client certificate
fails. An unauthenticated, remote attacker can exploit
this to bypass validation mechanisms. (CVE-2017-7468)
- A memory corruption issue exists in the Broadcom BCM43xx
family Wi-Fi Chips component that allows an
unauthenticated, remote attacker to execute arbitrary
code. (CVE-2017-9417)
last seen: 2019-01-16
modified: 2018-07-14
plugin id: 101957
published: 2017-07-25
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=101957
title: macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-003)
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-1573.NASL
description:
Several vulnerabilities have been discovered in the firmware for
Broadcom BCM43xx wifi chips that may lead to a privilege escalation or
loss of confidentiality.
CVE-2016-0801
Broadgate Team discovered flaws in packet processing in the Broadcom
wifi firmware and proprietary drivers that could lead to remote code
execution. However, this vulnerability is not believed to affect the
drivers used in Debian.
CVE-2017-0561
Gal Beniamini of Project Zero discovered a flaw in the TDLS
implementation in Broadcom wifi firmware. This could be exploited by
an attacker on the same WPA2 network to execute code on the wifi
microcontroller.
CVE-2017-9417 / #869639
Nitay Artenstein of Exodus Intelligence discovered a flaw in the WMM
implementation in Broadcom wifi firmware. This could be exploited by a
nearby attacker to execute code on the wifi microcontroller.
CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080,
CVE-2017-13081
Mathy Vanhoef of the imec-DistriNet research group of KU Leuven
discovered multiple vulnerabilities in the WPA protocol used for
authentication in wireless networks, dubbed 'KRACK'.
An attacker exploiting the vulnerabilities could force the
vulnerable system to reuse cryptographic session keys,
enabling a range of cryptographic attacks against the
ciphers used in WPA1 and WPA2.
These vulnerabilities are only being fixed for certain
Broadcom wifi chips, and might still be present in firmware
for other wifi hardware.
For Debian 8 'Jessie', these problems have been fixed in version
20161130-4~deb8u1. This version also adds new firmware and packages
for use with Linux 4.9, and re-adds firmware-{adi,ralink} as
transitional packages.
We recommend that you upgrade your firmware-nonfree packages.
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues.
last seen: 2019-01-16
modified: 2018-11-13
plugin id: 118888
published: 2018-11-13
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=118888
title: Debian DLA-1573-1 : firmware-nonfree security update (KRACK)