Notes

*] Looking for "Postgresql 9.3.3" in cvedetails.com database...
[+] Exact match found in the database
[*] IDs summary: Vendor=Postgresql [336] | Product=Postgresql [575] | Version=9.3.3 [183267]
[*] Fetch results for version id 183267 ...
[+] Total number of CVEs fetched: 21
[*] Results ordered by published date (desc):
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| ID | CVSS | Date | Description | URL | Exploit? |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2019-9193 | 9.0 | 2019-04-01 | ** DISPUTED ** In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM | http://www.cvedetails.com/cve/CVE-2019-9193/ | None |
| | | | PROGRAM" function allows superusers and users in the | | |
| | | | 'pg_execute_server_program' group to execute arbitrary code in the | | |
| | | | context of the database's operating system user. This functionality is | | |
| | | | enabled by default and can be abused to run arbitrary operating system commands | | |
| | | | on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an | | |
| | | | issue because PostgreSQL functionality for ?COPY TO/FROM PROGRAM? is acting as | | |
| | | | intended. References state that in PostgreSQL, a superuser can execute commands | | |
| | | | as the server user without using the ?COPY FROM PROGRAM?. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2018-16850 | 7.5 | 2018-11-13 | postgresql before versions 11.1, 10.6 is vulnerable to a to SQL injection in | http://www.cvedetails.com/cve/CVE-2018-16850/ | None |
| | | | pg_upgrade and pg_dump via CREATE TRIGGER ... REFERENCING. Using a purpose- | | |
| | | | crafted trigger definition, an attacker can cause arbitrary SQL statements to | | |
| | | | run, with superuser privileges. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2018-10925 | 5.5 | 2018-08-09 | It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, | http://www.cvedetails.com/cve/CVE-2018-10925/ | None |
| | | | and 9.3.24 failed to properly check authorization on certain statements involved | | |
| | | | with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE | | |
| | | | TABLE" privileges could exploit this to read arbitrary bytes server memory. | | |
| | | | If the attacker also had certain "INSERT" and limited | | |
| | | | "UPDATE" privileges to a particular table, they could exploit this to | | |
| | | | update other columns in the same table. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2018-10915 | 6.0 | 2018-08-09 | A vulnerability was found in libpq, the default PostgreSQL client library where | http://www.cvedetails.com/cve/CVE-2018-10915/ | None |
| | | | libpq failed to properly reset its internal state between connections. If an | | |
| | | | affected version of libpq was used with "host" or "hostaddr" | | |
| | | | connection parameters from untrusted input, attackers could bypass client-side | | |
| | | | connection security features, obtain access to higher privileged connections or | | |
| | | | potentially cause other impact through SQL injection, by causing the PQescape() | | |
| | | | functions to malfunction. Postgresql versions before 10.5, 9.6.10, 9.5.14, | | |
| | | | 9.4.19, and 9.3.24 are affected. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2018-1115 | 6.4 | 2018-05-10 | postgresql before versions 10.4, 9.6.9 is vulnerable in the adminpack extension, | http://www.cvedetails.com/cve/CVE-2018-1115/ | None |
| | | | the pg_catalog.pg_logfile_rotate() function doesn't follow the same ACLs | | |
| | | | than pg_rorate_logfile. If the adminpack is added to a database, an attacker | | |
| | | | able to connect to it could exploit this to force log rotation. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2018-1058 | 6.5 | 2018-03-02 | A flaw was found in the way Postgresql allowed a user to modify the behavior of | http://www.cvedetails.com/cve/CVE-2018-1058/ | None |
| | | | a query for other users. An attacker with a user account could use this flaw to | | |
| | | | execute code with the permissions of superuser in the database. Versions 9.3 | | |
| | | | through 10 are affected. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2018-1053 | 3.3 | 2018-02-09 | In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, | http://www.cvedetails.com/cve/CVE-2018-1053/ | None |
| | | | 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current | | |
| | | | working directory containing the output of `pg_dumpall -g` under umask which was | | |
| | | | in effect when the user invoked pg_upgrade, and not under 0077 which is normally | | |
| | | | used for other temporary files. This can allow an authenticated attacker to read | | |
| | | | or modify the one file, which may contain encrypted or unencrypted database | | |
| | | | passwords. The attack is infeasible if a directory mode blocks the attacker | | |
| | | | searching the current working directory or if the prevailing umask blocks the | | |
| | | | attacker opening the file. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2017-15098 | 5.5 | 2017-11-22 | Invalid json_populate_recordset or jsonb_populate_recordset function calls in | http://www.cvedetails.com/cve/CVE-2017-15098/ | None |
| | | | PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x | | |
| | | | before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few | | |
| | | | bytes of server memory. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2017-14798 | 6.9 | 2018-03-01 | A race condition in the postgresql init script could be used by attackers able | http://www.cvedetails.com/cve/CVE-2017-14798/ | None |
| | | | to access the postgresql account to escalate their privileges to root. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2017-12172 | 7.2 | 2017-11-22 | PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x | http://www.cvedetails.com/cve/CVE-2017-12172/ | None |
| | | | before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24 runs under a non- | | |
| | | | root operating system account, and database superusers have effective ability to | | |
| | | | run arbitrary code under that system account. PostgreSQL provides a script for | | |
| | | | starting the database server during system boot. Packages of PostgreSQL for many | | |
| | | | operating systems provide their own, packager-authored startup implementations. | | |
| | | | Several implementations use a log file name that the database superuser can | | |
| | | | replace with a symbolic link. As root, they open(), chmod() and/or chown() this | | |
| | | | log file name. This often suffices for the database superuser to escalate to | | |
| | | | root privileges when root starts the server. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2017-7547 | 4.0 | 2017-08-16 | PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are | http://www.cvedetails.com/cve/CVE-2017-7547/ | None |
| | | | vulnerable to authorization flaw allowing remote authenticated attackers to | | |
| | | | retrieve passwords from the user mappings defined by the foreign server owners | | |
| | | | without actually having the privileges to do so. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2017-7546 | 7.5 | 2017-08-16 | PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are | http://www.cvedetails.com/cve/CVE-2017-7546/ | None |
| | | | vulnerable to incorrect authentication flaw allowing remote attackers to gain | | |
| | | | access to database accounts with an empty password. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2017-7486 | 5.0 | 2017-05-12 | PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in | http://www.cvedetails.com/cve/CVE-2017-7486/ | None |
| | | | pg_user_mappings view which discloses foreign server passwords to any user | | |
| | | | having USAGE privilege on the associated foreign server. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2017-7485 | 4.3 | 2017-05-12 | In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and | http://www.cvedetails.com/cve/CVE-2017-7485/ | None |
| | | | 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was | | |
| | | | no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man- | | |
| | | | in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from | | |
| | | | a connection between a client and a server. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2017-7484 | 5.0 | 2017-05-12 | It was found that some selectivity estimation functions in PostgreSQL before | http://www.cvedetails.com/cve/CVE-2017-7484/ | None |
| | | | 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x | | |
| | | | before 9.6.3 did not check user privileges before providing information from | | |
| | | | pg_statistic, possibly leaking information. An unprivileged attacker could use | | |
| | | | this flaw to steal some information from tables they are otherwise not allowed | | |
| | | | to access. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2016-7048 | 9.3 | 2018-08-20 | The interactive installer in PostgreSQL before 9.3.15, 9.4.x before 9.4.10, and | http://www.cvedetails.com/cve/CVE-2016-7048/ | None |
| | | | 9.5.x before 9.5.5 might allow remote attackers to execute arbitrary code by | | |
| | | | leveraging use of HTTP to download software. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2016-5424 | 4.6 | 2016-12-09 | PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before | http://www.cvedetails.com/cve/CVE-2016-5424/ | None |
| | | | 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the | | |
| | | | CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " | | |
| | | | (double quote), (2) (backslash), (3) carriage return, or (4) newline character | | |
| | | | in a (a) database or (b) role name that is mishandled during an administrative | | |
| | | | operation. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2016-5423 | 6.5 | 2016-12-09 | PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before | http://www.cvedetails.com/cve/CVE-2016-5423/ | None |
| | | | 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to cause a denial | | |
| | | | of service (NULL pointer dereference and server crash), obtain sensitive memory | | |
| | | | information, or possibly execute arbitrary code via (1) a CASE expression within | | |
| | | | the test value subexpression of another CASE or (2) inlining of an SQL function | | |
| | | | that implements the equality operator used for a CASE expression involving | | |
| | | | values of different types. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2015-5289 | 6.4 | 2015-10-26 | Multiple stack-based buffer overflows in json parsing in PostgreSQL before 9.3.x | http://www.cvedetails.com/cve/CVE-2015-5289/ | None |
| | | | before 9.3.10 and 9.4.x before 9.4.5 allow attackers to cause a denial of | | |
| | | | service (server crash) via unspecified vectors, which are not properly handled | | |
| | | | in (1) json or (2) jsonb values. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2015-5288 | 6.4 | 2015-10-26 | The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, 9.1.x before | http://www.cvedetails.com/cve/CVE-2015-5288/ | None |
| | | | 9.1.19, 9.2.x before 9.2.14, 9.3.x before 9.3.10, and 9.4.x before 9.4.5 allows | | |
| | | | attackers to cause a denial of service (server crash) or read arbitrary server | | |
| | | | memory via a "too-short" salt. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+
| CVE-2015-3165 | 4.3 | 2015-05-28 | Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, | http://www.cvedetails.com/cve/CVE-2015-3165/ | None |
| | | | 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote | | |
| | | | attackers to cause a denial of service (crash) by closing an SSL session at a | | |
| | | | time when the authentication timeout will expire during the session shutdown | | |
| | | | sequence. | | |
+----------------+------+------------+----------------------------------------------------------------------------------+-----------------------------------------------+----------+




[*] [SMART] SmartPostcheck processing to update context...
[+] [SMART] New vulnerability detected: CVE-2019-9193 (9.0): ** DISPUTED ** In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM... (http://www.cvedetails.com/cve/CVE-2019-9193/)
[+] [SMART] New vulnerability detected: CVE-2018-16850 (7.5): postgresql before versions 11.1, 10.6 is vulnerable to a to SQL injection in... (http://www.cvedetails.com/cve/CVE-2018-16850/)
[+] [SMART] New vulnerability detected: CVE-2018-10925 (5.5): It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19,... (http://www.cvedetails.com/cve/CVE-2018-10925/)
[+] [SMART] New vulnerability detected: CVE-2018-10915 (6.0): A vulnerability was found in libpq, the default PostgreSQL client library where... (http://www.cvedetails.com/cve/CVE-2018-10915/)
[+] [SMART] New vulnerability detected: CVE-2018-1115 (6.4): postgresql before versions 10.4, 9.6.9 is vulnerable in the adminpack extension,... (http://www.cvedetails.com/cve/CVE-2018-1115/)
[+] [SMART] New vulnerability detected: CVE-2018-1058 (6.5): A flaw was found in the way Postgresql allowed a user to modify the behavior of... (http://www.cvedetails.com/cve/CVE-2018-1058/)
[+] [SMART] New vulnerability detected: CVE-2018-1053 (3.3): In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11,... (http://www.cvedetails.com/cve/CVE-2018-1053/)
[+] [SMART] New vulnerability detected: CVE-2017-15098 (5.5): Invalid json_populate_recordset or jsonb_populate_recordset function calls in... (http://www.cvedetails.com/cve/CVE-2017-15098/)
[+] [SMART] New vulnerability detected: CVE-2017-14798 (6.9): A race condition in the postgresql init script could be used by attackers able... (http://www.cvedetails.com/cve/CVE-2017-14798/)
[+] [SMART] New vulnerability detected: CVE-2017-12172 (7.2): PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x... (http://www.cvedetails.com/cve/CVE-2017-12172/)
[+] [SMART] New vulnerability detected: CVE-2017-7547 (4.0): PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are... (http://www.cvedetails.com/cve/CVE-2017-7547/)
[+] [SMART] New vulnerability detected: CVE-2017-7546 (7.5): PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are... (http://www.cvedetails.com/cve/CVE-2017-7546/)
[+] [SMART] New vulnerability detected: CVE-2017-7486 (5.0): PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in... (http://www.cvedetails.com/cve/CVE-2017-7486/)
[+] [SMART] New vulnerability detected: CVE-2017-7485 (4.3): In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and... (http://www.cvedetails.com/cve/CVE-2017-7485/)
[+] [SMART] New vulnerability detected: CVE-2017-7484 (5.0): It was found that some selectivity estimation functions in PostgreSQL before... (http://www.cvedetails.com/cve/CVE-2017-7484/)
[+] [SMART] New vulnerability detected: CVE-2016-7048 (9.3): The interactive installer in PostgreSQL before 9.3.15, 9.4.x before 9.4.10, and... (http://www.cvedetails.com/cve/CVE-2016-7048/)
[+] [SMART] New vulnerability detected: CVE-2016-5424 (4.6): PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before... (http://www.cvedetails.com/cve/CVE-2016-5424/)
[+] [SMART] New vulnerability detected: CVE-2016-5423 (6.5): PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before... (http://www.cvedetails.com/cve/CVE-2016-5423/)
[+] [SMART] New vulnerability detected: CVE-2015-5289 (6.4): Multiple stack-based buffer overflows in json parsing in PostgreSQL before 9.3.x... (http://www.cvedetails.com/cve/CVE-2015-5289/)
[+] [SMART] New vulnerability detected: CVE-2015-5288 (6.4): The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, 9.1.x before... (http://www.cvedetails.com/cve/CVE-2015-5288/)
[+] [SMART] New vulnerability detected: CVE-2015-3165 (4.3): Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16,... (http://www.cvedetails.com/cve/CVE-2015-3165/)

[STATUS] attack finished for 192.168.8.122 (waiting for children to complete tests)
[5432][postgres] host: 192.168.8.122 login: postgres password: amber
1 of 1 target successfully completed, 1 valid password found

......................................................
map scan report for 192.168.9.9
Host is up (0.00032s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2020-12-24T12:52:30+00:00; +8s from scanner time.
5800/tcp open vnc-http VNC Server Enterprise Edition httpd 4.5.4 r41964 (resolution: 480x250; VNC port 5900)
|_http-server-header: VNC Server Enterprise Edition/E4.5.4 (r41964)
5900/tcp open vnc RealVNC Enterprise (protocol 4.1)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_vnc-info: ERROR: Script execution failed (use -d to debug)
5988/tcp open http Web-Based Enterprise Management CIM serverOpenPegasus WBEM httpd
|_http-title: Site doesn't have a title.
34571/tcp open java-rmi Java RMI
|_rmi-dumpregistry: ERROR: Script execution failed (use -d to debug)
34572/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|_ HTTP/1.1 400 Bad Request
34573/tcp open ssl/unknown
49152/tcp open http Liaison Exchange Commerce Suite
|_http-title: Site doesn't have a title (application/xml;charset="utf-8").
1 service unrecognized de
................................................
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-24 07:57 EST
Nmap scan report for 192.168.9.8
Host is up (0.00038s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2020-12-24T12:59:17+00:00; +9s from scanner time.
5800/tcp open vnc-http VNC Server Enterprise Edition httpd 4.5.4 r41964 (resolution: 480x250; VNC port 5900)
|_http-server-header: VNC Server Enterprise Edition/E4.5.4 (r41964)
5900/tcp open vnc VNC (protocol 3.3; Locked out)
|_sslv2: ERROR: Script execution failed (use -d to debug)
5988/tcp open http Web-Based Enterprise Management CIM serverOpenPegasus WBEM httpd
|_http-title: Site doesn't have a title.
34571/tcp open java-rmi Java RMI
|_rmi-dumpregistry: ERROR: Script execution failed (use -d to debug)
34572/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|_ HTTP/1.1 400 Bad Request
...............................................