View Issue Details

ID: 0006206
Project: Kali Linux
Category: [All Projects] Kali Package Bug
View Status: public
Last Update: 2020-03-31 13:13
Reporter: aech66
Assigned To: (none)
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 2020.1
Target Version: (none)
Fixed in Version: (none)
Summary: 0006206: sudo apt dist-upgrade breaks searchsploit results
Description: Starting with a Kali 2020.1 VirtualBox last updated TWO WEEKS AGO.
Default installation with kali-linux-large installed.

command: searchsploit --nmap scan.xml -v
(using the scan.xml file attached to this bug report)
gives satisfactory results, including both OpenSSH exploits and a Nostromo exploit
(see attached file before.txt)

When just updating this single package to the newest:
sudo apt install exploitdb
it doesn't change anything; still working fine.

But after full system upgrade:
sudo apt update && sudo apt dist-upgrade -y
the results become incomplete, only some results for OpenSSH show, and not even all of them.
(see attached file after.txt)

So the update of SOME OTHER package than exploitdb breaks the search results for searchsploit when using the --nmap flag.

Steps To Reproduce: I couldn't reproduce it on the live CD, but on an installed system it happens each time: just take an older system, e.g. Kali 2019.4, and it works; then dist-upgrade and it goes wrong.
I tested it with different xml files from different nmap scans and each time the results are incomplete.
At this point I wouldn't know where to start troubleshooting.

Activities

aech66

2020-03-20 16:20

reporter  

after (5,248 bytes)
-------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                      |  Path
                                                                                                                    | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Debian OpenSSH - (Authenticated) Remote SELinux Privilege Escalation                                                | exploits/linux/remote/6094.txt
Dropbear / OpenSSH Server - 'MAX_UNAUTH_CLIENTS' Denial of Service                                                  | exploits/multiple/dos/1572.pl
FreeBSD OpenSSH 3.5p1 - Remote Command Execution                                                                    | exploits/freebsd/remote/17462.txt
Novell Netware 6.5 - OpenSSH Remote Stack Overflow                                                                  | exploits/novell/dos/14866.txt
OpenSSH 1.2 - '.scp' File Create/Overwrite                                                                          | exploits/linux/remote/20253.sh
OpenSSH 2.3 < 7.7 - Username Enumeration                                                                            | exploits/linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                                      | exploits/linux/remote/45210.py
OpenSSH 2.x/3.0.1/3.0.2 - Channel Code Off-by-One                                                                   | exploits/unix/remote/21314.txt
OpenSSH 2.x/3.x - Kerberos 4 TGT/AFS Token Buffer Overflow                                                          | exploits/linux/remote/21402.txt
OpenSSH 3.x - Challenge-Response Buffer Overflow (1)                                                                | exploits/unix/remote/21578.txt
OpenSSH 3.x - Challenge-Response Buffer Overflow (2)                                                                | exploits/unix/remote/21579.txt
OpenSSH 4.3 p1 - Duplicated Block Remote Denial of Service                                                          | exploits/multiple/dos/2444.sh
OpenSSH 6.8 < 6.9 - 'PTY' Local Privilege Escalation                                                                | exploits/linux/local/41173.c
OpenSSH 7.2 - Denial of Service                                                                                     | exploits/linux/dos/40888.py
OpenSSH 7.2p1 - (Authenticated) xauth Command Injection                                                             | exploits/multiple/remote/39569.py
OpenSSH 7.2p2 - Username Enumeration                                                                                | exploits/linux/remote/40136.py
OpenSSH < 6.6 SFTP (x64) - Command Execution                                                                        | exploits/linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                                                                              | exploits/linux/remote/45001.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation                | exploits/linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                                            | exploits/linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                                                | exploits/linux/remote/45939.py
OpenSSH SCP Client - Write Arbitrary Files                                                                          | exploits/multiple/remote/46516.py
OpenSSH/PAM 3.6.1p1 - 'gossh.sh' Remote Users Ident                                                                 | exploits/linux/remote/26.sh
OpenSSH/PAM 3.6.1p1 - Remote Users Discovery Tool                                                                   | exploits/linux/remote/25.c
OpenSSHd 7.2p2 - Username Enumeration                                                                               | exploits/linux/remote/40113.txt
Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack                                                                | exploits/multiple/remote/3303.sh
glibc-2.2 / openssh-2.3.0p1 / glibc 2.1.9x - File Read                                                              | exploits/linux/local/258.sh
-------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

before.txt (10,636 bytes)
---------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                |  Path
                                                                                              | (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------------- ----------------------------------------
Debian OpenSSH - (Authenticated) Remote SELinux Privilege Escalation                          | exploits/linux/remote/6094.txt
Dropbear / OpenSSH Server - 'MAX_UNAUTH_CLIENTS' Denial of Service                            | exploits/multiple/dos/1572.pl
FreeBSD OpenSSH 3.5p1 - Remote Command Execution                                              | exploits/freebsd/remote/17462.txt
Novell Netware 6.5 - OpenSSH Remote Stack Overflow                                            | exploits/novell/dos/14866.txt
OpenSSH 1.2 - '.scp' File Create/Overwrite                                                    | exploits/linux/remote/20253.sh
OpenSSH 2.3 < 7.7 - Username Enumeration                                                      | exploits/linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                | exploits/linux/remote/45210.py
OpenSSH 2.x/3.0.1/3.0.2 - Channel Code Off-by-One                                             | exploits/unix/remote/21314.txt
OpenSSH 2.x/3.x - Kerberos 4 TGT/AFS Token Buffer Overflow                                    | exploits/linux/remote/21402.txt
OpenSSH 3.x - Challenge-Response Buffer Overflow (1)                                          | exploits/unix/remote/21578.txt
OpenSSH 3.x - Challenge-Response Buffer Overflow (2)                                          | exploits/unix/remote/21579.txt
OpenSSH 4.3 p1 - Duplicated Block Remote Denial of Service                                    | exploits/multiple/dos/2444.sh
OpenSSH 6.8 < 6.9 - 'PTY' Local Privilege Escalation                                          | exploits/linux/local/41173.c
OpenSSH 7.2 - Denial of Service                                                               | exploits/linux/dos/40888.py
OpenSSH 7.2p1 - (Authenticated) xauth Command Injection                                       | exploits/multiple/remote/39569.py
OpenSSH 7.2p2 - Username Enumeration                                                          | exploits/linux/remote/40136.py
OpenSSH < 6.6 SFTP (x64) - Command Execution                                                  | exploits/linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                                                        | exploits/linux/remote/45001.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Esc | exploits/linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                      | exploits/linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                          | exploits/linux/remote/45939.py
OpenSSH SCP Client - Write Arbitrary Files                                                    | exploits/multiple/remote/46516.py
OpenSSH/PAM 3.6.1p1 - 'gossh.sh' Remote Users Ident                                           | exploits/linux/remote/26.sh
OpenSSH/PAM 3.6.1p1 - Remote Users Discovery Tool                                             | exploits/linux/remote/25.c
OpenSSHd 7.2p2 - Username Enumeration                                                         | exploits/linux/remote/40113.txt
Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack                                          | exploits/multiple/remote/3303.sh
glibc-2.2 / openssh-2.3.0p1 / glibc 2.1.9x - File Read                                        | exploits/linux/local/258.sh
---------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result


---------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                |  Path
                                                                                              | (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------------- ----------------------------------------
OpenSSH 2.3 < 7.7 - Username Enumeration                                                      | exploits/linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                | exploits/linux/remote/45210.py
OpenSSH 7.2 - Denial of Service                                                               | exploits/linux/dos/40888.py
OpenSSH 7.2p1 - (Authenticated) xauth Command Injection                                       | exploits/multiple/remote/39569.py
OpenSSH 7.2p2 - Username Enumeration                                                          | exploits/linux/remote/40136.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Esc | exploits/linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                      | exploits/linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                          | exploits/linux/remote/45939.py
OpenSSHd 7.2p2 - Username Enumeration                                                         | exploits/linux/remote/40113.txt
---------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result


---------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                |  Path
                                                                                              | (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------------- ----------------------------------------
Nostromo - Directory Traversal Remote Command Execution (Metasploit)                          | exploits/multiple/remote/47573.rb
nostromo 1.9.6 - Remote Code Execution                                                        | exploits/multiple/remote/47837.py
nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution                          | exploits/linux/remote/35466.sh
---------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result


---------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                |  Path
                                                                                              | (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------------- ----------------------------------------
nostromo 1.9.6 - Remote Code Execution                                                        | exploits/multiple/remote/47837.py
nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution                          | exploits/linux/remote/35466.sh
---------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result


---------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                |  Path
                                                                                              | (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------------- ----------------------------------------
nostromo 1.9.6 - Remote Code Execution                                                        | exploits/multiple/remote/47837.py
nostromo nhttpd 1.9.3 - Directory Traversal Remote Command Execution                          | exploits/linux/remote/35466.sh
---------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result


---------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                |  Path
                                                                                              | (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------------- ----------------------------------------
nostromo 1.9.6 - Remote Code Execution                                                        | exploits/multiple/remote/47837.py
---------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

scan.xml (5,483 bytes)

aech66

2020-03-22 19:22

reporter   ~0012506

The cause has been traced to the following package: libxml2-utils.
When updating this package to the newest version 2.9.10+dfsg-4, searchsploit gets in trouble parsing xml files.
It shows only results for the first open port detected by nmap!

Maybe the libxml2-utils package affects other tools that depend on it.
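
An added example, not code from the bug report, the exploitdb project or searchsploit itself: a small Python parser that walks every <port> of an nmap -sV XML file with the standard library instead of xmllint, and then checks which scanned products a searchsploit listing never mentions, which is exactly the symptom described above (only the first open port's results surviving). The XML sample and the listing lines are constructed for the example; the way the search term is built from product and version is an assumed simplification, not searchsploit's own query logic.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -sV XML sample (not the scan.xml attached to this report):
# one host with two open service ports and one filtered port.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.5">
  <host><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.2p2 Ubuntu 4ubuntu2.8"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nostromo" version="1.9.6"/></port>
      <port protocol="tcp" portid="443"><state state="filtered"/></port>
    </ports>
  </host>
</nmaprun>
"""
# Constructed stand-in for a truncated listing like after.txt: OpenSSH rows only.
SAMPLE_SEARCHSPLOIT_OUTPUT = [
    "OpenSSH 7.2p2 - Username Enumeration | exploits/linux/remote/40136.py",
    "OpenSSHd 7.2p2 - Username Enumeration | exploits/linux/remote/40113.txt",
]

def open_services(xml_text):
    """Return (address, port, product, version) for every open port with a <service>."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue
            found.append((addr, int(port.get("portid")),
                          svc.get("product", ""), svc.get("version", "")))
    return found

def search_terms(services):
    """One 'product version' term per open service; the version is cut at its
    first space (an assumed simplification, not searchsploit's own logic)."""
    return [product + " " + version.split()[0] if version else product
            for _, _, product, version in services if product]

def products_missing_from_output(services, output_lines):
    """Scanned products that no line of a searchsploit listing mentions, i.e. the
    ports a --nmap run silently dropped (case-insensitive substring match)."""
    text = "\n".join(output_lines).lower()
    return sorted({p for _, _, p, _ in services if p and p.lower() not in text})
```

Running products_missing_from_output over the real scan.xml and after.txt would flag nostromo as dropped, while before.txt would yield an empty list.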

aech66

2020-03-31 13:13

reporter   ~0012572

Since neither the exploitdb package nor the libxml2-utils package has the word kali in it, I reported this issue directly at the exploitdb git:

https://github.com/offensive-security/exploitdb/issues/158

Issue History

Date Modified Username Field Change
2020-03-20 16:20 aech66 New Issue
2020-03-20 16:20 aech66 File Added: after
2020-03-20 16:20 aech66 File Added: before.txt
2020-03-20 16:20 aech66 File Added: scan.xml
2020-03-22 19:22 aech66 Note Added: 0012506
2020-03-31 13:13 aech66 Note Added: 0012572