{"uuid": "df993571-3058-4275-ac12-e28e7e719acf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2017-15361", "type": "published-proof-of-concept", "source": "https://t.me/information_security_channel/14890", "content": "from March 2017 to August 2017 (728 of them). The signature count went up\n1.02% to 11,672, including 26 new softmatches.  We now detect 1224\nprotocols from filenet-pch, lscp, and netassistant to sharp-remote,\nurbackup, and watchguard.  We will try to integrate the remaining\nsubmissions in the next release.\n\n\u2022 Integrated all of your IPv4 OS fingerprint submissions from September\n2016 to August 2017 (667 of them). Added 298 fingerprints, bringing the new\ntotal to 5,652. Additions include iOS 11, macOS Sierra, Linux 4.14, Android\n7, and more.\n\n\u2022 Integrated all 33 of your IPv6 OS fingerprint submissions from September\n2016 to August 2017. New groups for OpenBSD 6.0 and FreeBSD 11.0 were\nadded, as well as strengthened groups for Linux and OS X.\n\n\u2022 Added the --resolve-all option to resolve and scan all IP addresses of a\nhost.  This essentially replaces the resolveall NSE script. [Daniel Miller]\n\n\u2022 [NSE][SECURITY] Nmap developer nnposter found a security flaw (directory\ntraversal vulnerability) in the way the non-default http-fetch script\nsanitized URLs. If a user manualy ran this NSE script against a malicious\nweb server, the server could potentially (depending on NSE arguments used)\ncause files to be saved outside the intended destination directory.\nExisting files couldn't be overwritten.  We fixed http-fetch, audited our\nother scripts to ensure they didn't make this mistake, and updated the\nhttpspider library API to protect against this by default. [nnposter,\nDaniel Miller]\n\n\u2022 [NSE] Added 9 NSE scripts, from 8 authors, bringing the total up to 588!\nThey are all listed at https://nmap.org/nsedoc/, and the summaries are\nbelow:\n\n   - deluge-rpc-brute performs brute-force credential testing against\n   Deluge BitTorrent RPC services, using the new zlib library. [Claudiu Perta]\n   - hostmap-crtsh lists subdomains by querying Google's Certificate\n   Transparency logs. [Paulino Calderon]\n   - [GH#892] http-bigip-cookie decodes unencrypted F5 BIG-IP cookies and\n   reports back the IP address and port of the actual server behind the\n   load-balancer. [Seth Jackson]\n   - http-jsonp-detection Attempts to discover JSONP endpoints in web\n   servers. JSONP endpoints can be used to bypass Same-origin Policy\n   restrictions in web browsers. [Vinamra Bhatia]\n   - http-trane-info obtains information from Trane Tracer SC controllers\n   and connected HVAC devices. [Pedro Joaquin]\n   - [GH#609] nbd-info uses the new nbd.lua library to query Network Block\n   Devices for protocol and file export information. [Mak Kolybabi]\n   - rsa-vuln-roca checks for RSA keys generated by Infineon TPMs\n   vulnerable to Return Of Coppersmith Attack (ROCA) (CVE-2017-15361). Checks\n   SSH and TLS services. [Daniel Miller]\n   - [GH#987] smb-enum-services retrieves the list of services running on a\n   remote Windows machine. Modern Windows systems requires a privileged domain\n   account in order to list the services. [Rewanth Cool]\n   - tls-alpn checks TLS servers for Application Layer Protocol Negotiation\n   (ALPN) support and reports supported protocols. ALPN largely replaces NPN,\n   which tls-nextprotoneg was written for. [Daniel Miller]\n\n\u2022 [GH#978] Fixed Nsock on Windows giving errors when selecting on STDIN.\nThis was causing Ncat 7.60 in connect mode to quit with error: libnsock\nselect_loop(): nsock_loop error 10038: An operation was attempted on\nsomething that is not a socket.  [nnposter]\n\n\u2022 [Ncat][GH#197][GH#1049] Fix --ssl connections from dropping on\nrenegotiation, the same issue that was partially fixed for server mode in\n[GH#773]. Reported on Windows with -e by pkreuzt and vinod272. [Daniel\nMiller]\n\n\u2022 [NSE][GH#1062][GH#1149] Some changes to brute.lua to better handle\nmisbehaving or rate-limiting services. Most significantly,\nbrute.killstagnated now defaults to true. Thanks to xp3s and Adamtimtim for\nreporing infinite loops and proposing changes.\n\n\u2022 [NSE] VNC scripts now support Apple Remote Desktop authentication (auth\ntype 30) [Daniel Miller]", "creation_timestamp": "2018-03-21T13:35:17.000000Z"}