Hello everyone. First of all, apologies if this post doesn't belong here; if so, please move it.
I am trying to access a host for learning purposes; I have permission to do so. I scanned the ports with nmap and ran an analysis with Nessus integrated into msf, but when it comes to interpreting the results I get a bit stuck, since I don't quite understand how those flaws would be exploited. The most serious vulnerabilities are these:
CVE-2006-3918
-------------------------------------------------------------------------------------------------
http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP
Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header
from an HTTP request when it is reflected back in an error message, which might allow cross-site
scripting (XSS) style attacks using web client components that can send arbitrary headers in requests,
as demonstrated using a Flash SWF file.
----------------------------------------------------------------------------------------------------
CVE-2007-1581
----------------------------------------------------------------------------------------------------
The resource system in PHP 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary
code by interrupting the hash_update_file function via a userspace (1) error or (2) stream handler, which
can then be used to destroy and modify internal resources. NOTE: it was later reported that PHP 5.2 through
5.2.13 and 5.3 through 5.3.2 are also affected.
www.milw0rm.com/exploits/3529
------------------------------------------------------------------------------------------------------
CVE-2008-5814
-----------------------------------------------------------------------------------------------------
Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and earlier, when display_errors is enabled,
allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: because of the
lack of details, it is unclear whether this is related to CVE-2006-0208.
-----------------------------------------------------------------------------------------------------
CVE-2008-2371
-----------------------------------------------------------------------------------------------------
Heap-based buffer overflow in pcre_compile.c in the Perl-Compatible Regular Expression (PCRE) library 7.7
allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code
via a regular expression that begins with an option and contains multiple branches.
------------------------------------------------------------------------------------------------------
CVE-2008-5498
------------------------------------------------------------------------------------------------------
Array index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to
read the contents of arbitrary memory locations via a crafted value of the third argument
(aka the bgd_color or clrBack argument) for an indexed image.
------------------------------------------------------------------------------------------------------
CVE-2009-3557
------------------------------------------------------------------------------------------------------
The tempnam function in ext/standard/file.c in PHP before 5.2.12 and 5.3.x before 5.3.1 allows
context-dependent attackers to bypass safe_mode restrictions, and create files in group-writable
or world-writable directories, via the dir and prefix arguments.
------------------------------------------------------------------------------------------------------
CVE-2009-3555
------------------------------------------------------------------------------------------------------
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in
Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and
earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4
and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes
with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions,
and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request
that is processed retroactively by a server in a post-renegotiation context, related to a
"plaintext injection" attack, aka the "Project Mogul" issue.
------------------------------------------------------------------------------------------------------
CVE-2009-3291
------------------------------------------------------------------------------------------------------
The php_openssl_apply_verification_policy function in PHP before 5.2.11 does not properly perform
certificate validation, which has unknown impact and attack vectors, probably related to an ability
to spoof certificates.
------------------------------------------------------------------------------------------------------
CVE-2009-2687
-----------------------------------------------------------------------------------------------------
The exif_read_data function in the Exif module in PHP before 5.2.10 allows remote attackers to cause a
denial of service (crash) via a malformed JPEG image with invalid offset fields, a different issue than CVE-2005-3353.
-----------------------------------------------------------------------------------------------------
CVE-2010-1128
-----------------------------------------------------------------------------------------------------
The Linear Congruential Generator (LCG) in PHP before 5.2.13 does not provide the expected entropy,
which makes it easier for context-dependent attackers to guess values that were intended to be unpredictable,
as demonstrated by session cookies generated by using the uniqid function.
-----------------------------------------------------------------------------------------------------
CVE-2010-3436
-----------------------------------------------------------------------------------------------------
fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow remote attackers to bypass open_basedir restrictions
via vectors related to the length of a filename.
------------------------------------------------------------------------------------------------------
CVE-2010-4645
------------------------------------------------------------------------------------------------------
strtod.c, as used in the zend_strtod function in PHP 5.2 before 5.2.17 and 5.3 before 5.3.5, and other products,
allows context-dependent attackers to cause a denial of service (infinite loop) via a certain floating-point
value in scientific notation, which is not properly handled in x87 FPU registers,
as demonstrated using 2.2250738585072011e-308.
------------------------------------------------------------------------------------------------------
CVE-2011-3389
-----------------------------------------------------------------------------------------------------
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer,
Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained
initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via
a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with javascript code that
uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API,
aka a "BEAST" attack.
-----------------------------------------------------------------------------------------------------
CVE-2011-0411
-----------------------------------------------------------------------------------------------------
The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before 2.5.12, 2.6.x before 2.6.9,
and 2.7.x before 2.7.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers
to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after
TLS is in place, related to a "plaintext command injection" attack.
------------------------------------------------------------------------------------------------------
CVE-2011-4566
------------------------------------------------------------------------------------------------------
Integer overflow in the exif_process_IFD_TAG function in exif.c in the exif extension in PHP 5.4.0beta2
on 32-bit platforms allows remote attackers to read the contents of arbitrary memory locations or cause
a denial of service via a crafted offset_val value in an EXIF header in a JPEG file, a different
vulnerability than CVE-2011-0708.
------------------------------------------------------------------------------------------------------
CVE-2012-0053
------------------------------------------------------------------------------------------------------
Protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information
during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain
the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction
with crafted web script.
Does anyone know how any of these vulnerabilities would be used?
Regards and thanks.
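The first step a practitioner takes with a scanner list like the one above is triage rather than exploitation: most of these findings are banner matches, so the question is whether the advertised Apache/PHP version actually falls inside each CVE's published range, and which findings cannot be decided from a banner at all (library version, TLS configuration, a different service). The script below is an added example, not code from the original post or from Nessus; the version intervals are transcribed from the CVE texts listed above, the `Server` banner it parses is constructed, and the product names it recognises (`Apache`, `PHP`) are an assumption about the target's header format.

```python
import re

# Affected-version intervals transcribed from the CVE texts in the scanner
# output.  Each tuple is (product, lowest affected, first fixed); "X and
# earlier" is encoded as "before the patch after X".  Constructed for this
# example: re-check the NVD entry before acting on a hit.
AFFECTED = {
    "CVE-2006-3918": [("apache", (1, 3, 0), (1, 3, 35)),
                      ("apache", (2, 0, 0), (2, 0, 58)),
                      ("apache", (2, 2, 0), (2, 2, 2))],
    "CVE-2009-3555": [("apache", (0, 0, 0), (2, 2, 15))],  # mod_ssl 2.2.14 and earlier
    "CVE-2012-0053": [("apache", (2, 2, 0), (2, 2, 22))],  # 2.2.x through 2.2.21
    "CVE-2007-1581": [("php", (5, 0, 0), (5, 2, 14)),      # 5.0.0 through 5.2.13
                      ("php", (5, 3, 0), (5, 3, 3))],      # 5.3 through 5.3.2
    "CVE-2008-5498": [("php", (0, 0, 0), (5, 2, 9))],      # 5.2.8 and earlier
    "CVE-2009-3557": [("php", (0, 0, 0), (5, 2, 12)),
                      ("php", (5, 3, 0), (5, 3, 1))],
    "CVE-2009-3291": [("php", (0, 0, 0), (5, 2, 11))],
    "CVE-2009-2687": [("php", (0, 0, 0), (5, 2, 10))],
    "CVE-2010-1128": [("php", (0, 0, 0), (5, 2, 13))],
    "CVE-2010-3436": [("php", (5, 3, 0), (5, 3, 4))],      # 5.3.x through 5.3.3
    "CVE-2010-4645": [("php", (5, 2, 0), (5, 2, 17)),
                      ("php", (5, 3, 0), (5, 3, 5))],
    "CVE-2011-4566": [("php", (5, 4, 0), (5, 4, 1))],      # 5.4.0beta2 only
}

# Findings that a web-server banner can neither confirm nor rule out.
NEEDS_OTHER_EVIDENCE = {
    "CVE-2008-2371": "PCRE library version (7.7), not shown in the banner",
    "CVE-2008-5814": "depends on display_errors; range is only 'possibly 5.2.7 and earlier'",
    "CVE-2011-3389": "TLS protocol/cipher configuration (BEAST), not a product version",
    "CVE-2011-0411": "Postfix STARTTLS on the mail service, not the web server",
}


def parse_version(text):
    """'5.4.0beta2' -> (5, 4, 0); pads shorter strings to three components."""
    nums = [int(x) for x in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def parse_banner(banner):
    """Pull product versions out of an HTTP Server header such as
    'Apache/2.2.21 (Unix) PHP/5.2.8' (assumed format)."""
    found = {}
    for product in ("Apache", "PHP"):
        match = re.search(rf"{product}/(\d[\w.]*)", banner)
        if match:
            found[product.lower()] = parse_version(match.group(1))
    return found


def candidate_cves(banner):
    """CVEs whose published range contains the advertised version.
    A hit is a candidate, not a confirmation: distribution packages often
    backport fixes without changing the version string."""
    versions = parse_banner(banner)
    hits = []
    for cve, ranges in AFFECTED.items():
        for product, low, fixed in ranges:
            version = versions.get(product)
            if version is not None and low <= version < fixed:
                hits.append(cve)
                break
    return sorted(hits)


def triage(banner):
    """Split the scanner's findings into banner-supported candidates and
    findings that need a different check (config review, other service)."""
    return {
        "candidates": candidate_cves(banner),
        "needs_other_evidence": sorted(NEEDS_OTHER_EVIDENCE),
    }


if __name__ == "__main__":
    # Constructed banner; a real one comes from the host's Server header
    # (for example from nmap -sV or the scanner's own plugin output).
    sample = "Apache/2.2.21 (Unix) PHP/5.2.8"
    result = triage(sample)
    print("banner:", sample)
    for cve in result["candidates"]:
        print("  candidate:", cve)
    for cve in result["needs_other_evidence"]:
        print("  needs other evidence:", cve, "-", NEEDS_OTHER_EVIDENCE[cve])
```

Two caveats follow from this kind of triage. A candidate still has to be confirmed against the package actually installed (for example the distribution's changelog), because vendors frequently backport patches and leave the banner version untouched, which is the usual source of false positives in version-based scanner findings. On the defensive side, the findings exist at all because the server advertises exact versions; Apache's `ServerTokens Prod` and PHP's `expose_php = Off` reduce that disclosure, although they are hardening, not a substitute for patching.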