Paypal Bug Bounty #102 QR Dev Labs - Auth Bypass Vulnerability
Title: == Paypal Bug Bounty #102 QR Dev Labs - Auth Bypass Vulnerability Date: = 2013-07-05 References: === http://www.vulnerability-lab.com/get_content.php?id=995 PayPal Security UID: ZVf25kC VL-ID: = 995 Common Vulnerability Scoring System: 7.1 Introduction: = Shopping made easy with PayPal QR enabled on your mobile device. You can scan for deals using the QR Code displayed in shops, trains stations, bus-stops banners and purchase items in just a few taps. Make shopping experience easy for your customer. (Copy of the Vendor Homepage: https://qr.paypal-labs.com ) Abstract: = An independent vulnerability laboratory researcher discovered an auth bypass web session vulnerability in the PayPal QR Labs Service Web Application. Report-Timeline: 2012-05-11:Researcher Notification Coordination (Cernica Ionut) 2013-05-14:Vendor Notification (PayPal Inc Security Incident Team - Bug Bounty Program) 2013-06-20:Vendor Fix/Patch (PayPal Inc Developer Team) 2013-07-05:Public Disclosure (Vulnerability Laboratory) Status: Published Affected Products: == PayPal Inc Product: QR Labs Online Service - Web Application 2013 Q2 Exploitation-Technique: === Remote Severity: = High Details: An auth bypass session web vulnerability is detected in the official PayPal QR Labs Service Web Application. The vulnerability allows remote attackers to bypass the web- or system user auth of the affected vulnerable computer system to compromise paypal accounts. The bug is located in the application account login module when processing to load manipulated j_password parameters via GET method. Attackers are able the decrypt and exchange the information in the request live with a session tamper to take-over other accounts. At the end the vulnerability allows remote attackers to enter remotely any paypal qr labs account of the web application. Exploitation of the vulnerability does not require user interaction but a low privileged paypal qr labs application user account. Successful exploitation results in account steal or compromise and stable user session manipulation with different effects. Vulnerable Service(s): [+] PayPal Inc – qr.paypal-labs.com Vulnerable Module(s): [+] Account - Login Vulnerable Parameter(s): [+] j_password Affected Module(s): [+] Account System Proof of Concept: = The vulnerability can be exploited by remote attackers with low privilege paypal qr labs application user account and without user interaction. For demonstration or reproduce ... Note: After some security checks to authenticate in the qr.paypal-labs.com web application, the last request for being authenticate in this web application it is not secure implemented. Afected Link: https://qr.paypal-labs.com/j_security_check?j_username=loger...@gmail.comj_password=96301aa9f02b5d12278b0e902dc5434ed9477d19 Note: If we look at the request wich is a GET method request we will soon see ... If we encrypt the j_username parameter value as SHA1 ... The result will be the value of the j_password parameter Note: PoC Video The username loger...@gmail.com is encrypted in SHA1 it is equals with 96301aa9f02b5d12278b0e902dc5434ed9477d19 In the demonstration above it seems that the password of the username is encrypted in SHA1 ;) Solution: = 2013-06-20:Vendor Fix/Patch (PayPal Inc Developer Team) Risk: = The security risk of the auth bypass web session vulnerability is estimated as high(+). Credits: Independent Security Researcher – Cernica Ionut Cosmin (ionut.cern...@whit3hat.com) Disclaimer: === The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains:www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register Contact:ad...@vulnerability-lab.com - supp...@vulnerability-lab.com - resea...@vulnerability-lab.com
AVAST Antivirus v8.0.1489 - Multiple Core Vulnerabilities
Title: == AVAST Antivirus v8.0.1489 - Multiple Core Vulnerabilities Date: = 2013-06-30 References: === http://www.vulnerability-lab.com/get_content.php?id=963 VL-ID: = 963 Common Vulnerability Scoring System: 4.1 Introduction: = Avast! (styled avast!) is - both freeware and payable - an antivirus computer program with user interface that includes 41 languages, available to Microsoft Windows, Mac OS X and Linux users. The name Avast is an acronym of `Anti-Virus – Advanced Set`. The official, and current logo of Avast! is a white orb with the letter `a` on it and an orange circle around it, sticking out to four directions. Its developer, AVAST Software a.s. (formerly known as ALWIL Software a.s.), has headquartered in Prague, Czech Republic, with offices in Linz, Austria; Friedrichshafen, Germany; and San Mateo, California. It has been awarded VB100 Award by Virus Bulletin multiple times for 100% detection of `in-the-wild` viruses, and also won the Secure Computing Readers`Trust Award. The central scanning engine has been certified by ICSA Labs and West Coast Labs` Checkmark process. Avast! competes in the antivirus industry against Avira, AVG Technologies, Bitdefender, F-Secure, Frisk, Kaspersky, McAfee, Symantec and Trend Micro among others. (Copy of the Homepage: http://en.wikipedia.org/wiki/Avast! ) Abstract: = The Vulnerability Laboratory Research Team discovered a persistent code execution and local command path injection vulnerability in the free AVAST Antivirus v8.0.1489 software. Report-Timeline: 2013-06-06: Researcher Notification Coordination (Ateeq Khan) 2013-06-07: Vendor Notification (AVAST! - Security Incident Team) 2013-06-09: Vendor Response/Feedback (AVAST! - Security Incident Team) 2013-**-**: Vendor Fix/Patch (AVAST! - Developer Team) 2013-06-30: Public Disclosure (Vulnerability Laboratory) Status: Published Affected Products: == AVAST! Product: Antivirus 8.0.1489 Exploitation-Technique: === Local Severity: = Medium Details: It has been discovered that the lastest build of Avast Free Antivirus Version 8 is vulnerable to HTML code injection which eventually leads to local command / shell execution. During the testing, I was able to succesfully bypass the AVAST Sandbox and read/load and execute any file/application from local system having the local admin priviledges which makes this bug alot more critical. Initially the bug was an HTML code injection flaw only however, with more indepth analysis, it was revealed that the severity of this vulnerability is far more critical. A simple a href tag bypasses the AVAST Sandbox and drops a locall CMD shell on the system where AVAST is installed. You can technically access any file / application, execute it. It seems like We can control explorer.exe and through that we are even able to browse local folders and access any file, we can even browse external websites. The bug exists in the Maintenance / Registration Module under the Offline Registration Section in the `Insert the License Key` field. Since proper input sanatization is not being performed, a user can insert any HTML code which then gets executed successfully. For a POC i used the img and a href tags to read/load and execute files from my local system. I believe there may be possibilities of multiple attack vectors keeping in mind the scope of this vulnerability. During the POC, I was able to successfully bypass the AVAST sandbox and I was able to run local system level commands using the AVAST Interface. These sort of vulnerabilities can result in multiple attack vectors on the clients end which may eventually result in complete compromise of the end user system. This code injection vulnerability exists in the main core AVAST Antivirus application. Exploitation of this vulnerability requires a low or medium user interaction. Successful exploitation of the vulnerability may result in malicious script code being executed resulting in local command/shell injection, persistent phishing, Client side redirects and similar dangerous attacks. Vulnerable Product(s): [+] Avast Free Antivirus Version 8 - Latest Release Vulnerable Section(s): [+] Offline Registration Vulnerable Module(s): [+] Registration Information (Maintainence) Vulnerable Input Field(s): [+] License Key Proof of Concept: = Proof of Concept #1 HTML Code Injection For reproducing the HTML Code Injection bug successfully, please follow the below mentioned steps: a) Download / Install the Latest Version of Avast Free Antivirus 8 b) After installation, Right Click on Avast Tray Icon and click on ``Registration Information`` c) Scroll down to the
LSE Leading Security Experts GmbH - LSE-2013-07-03 - rsyslog ElasticSearch Plugin
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 === LSE Leading Security Experts GmbH - Security Advisory 2013-07-03 === rsyslog ElasticSearch Plugin - Double Free Memory Corruption - Affected Version rsyslog 7.4.0 stable = 7.4.1 stable rsyslog 7.3.2 devel = 7.5.1 devel Problem Overview Technical Risk: high Likelihood of Exploitation: low Vendor: Adiscon GmbH, Nathan Scott, Rainer Gerhards Credits: LSE Leading Security Experts GmbH employee Markus Vervier and Marius Ionescu Advisory URL: http://www.lsexperts.de/advisories/lse-2013-07-03.txt Advisory Status: Public CVE-Number: CVE-2013-4758 Problem Impact == While conducting a code review, a double free memory corruption vulnerability was discovered in the ElasticSearch plugin of rsyslog. This could allow a remote attacker to crash rsyslog and possibly execute code if he can manipulate JSON responses from ElasticSearch. Problem Description === A double free memory corruption exists in all implementations of the rsyslog omelasticsearch plugin up to 7.4.1 stable and 7.5.1 devel having the errorfile parameter explicitly set for local logging. The variable rendered in function writeDataError of omelasticsearch.c is freed twice. This allows heap corruption and possible code execution if an attacker is able to control memory between subsequent calls to free. Temporary Workaround and Fix It is advised to update to version 7.4.2 stable or 7.5.2 of rsyslog as soon as possible. As a workaround the errorfile configuration parameter should be disabled, as is the default in rsyslog. History === 2013-06-27 Problem discovery during code review at customer 2013-07-03 Original vendor contacted 2013-07-03 Vulnerability confirmed by vendor 2013-07-03 Fix released 2013-07-04 CVE-2013-4758 assigned 2013-07-05 Coordinated advisory release - -- http://www.lsexperts.de LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt Tel.: +49 (0) 6151 86086-0, Fax: -299, Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649 Geschäftsführer: Oliver Michel, Sven Walther, Dr. Peter Schill -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Icedove - http://www.enigmail.net/ iQIcBAEBAgAGBQJR1m7aAAoJEDgSCSGZ4yd8qAcQAJlG0E7t2jnqXvxS3QUCgyF9 lMuADOj7/wbNw/oetbBLukzh9OXOKB2q2QLney6XosZOMh7/dfSXuOdJsaEufutS 5BFGHUOglixACmqju3ZcWvWYsKYrtnKyy+/GJvXR3fZjP7Jf6UEHeBlffEwYhqEe kjA/ha5EHeljehHbqc+zm+O8iSVte40dJD87/D76UwzI6cMG6eFbFRgDYxaFSGh6 0JMdBA0PqkkkF9fdrlJ00VYrPU41RUMPeiv23OyIiQgWvAbWV8RMkTetkVaqxCys ms8/s8+FlA4xBKZPiHB64i7oznKHV1AeqXjCm9AahXxCg1NWQx/DkShTZd/zWg30 uI8+2NIb/YMyPrdth44+ucpjcF1v76G3c/WBSBniIXPwUvzHTxD0DHBYX6g0i2Jr HvtD1kZaWUjk/ofD52CZ1pcUIsqyiO6hoS1vYA83EiC9KW/Yp2lrf/apoE5VgdJ8 jN4JTSU7NEIKY/S+GDFBUDqpnIJeG+VHVC2dmWa+fSfRqx5Wlk9YwE0K0KI/BU+D MrmzwO4/Fx0EdxhKxOaMAJTVAas2paW07ewrXKTRCja2mAZLaK3eeuKfdwvqVa4J SwBNnbyPPoY9H8fjx9J8rrYirfZnQ4UKiV7cgOfaXG+ZfFzaS/iZZ3i+USdMJtDS fwuOw+xvnSrruDiP1Dho =HJxe -END PGP SIGNATURE-