Crashing Browsers Remotely via Insecure Search Suggestions

2016-07-26 Thread research
[Original here:
https://wwws.nightwatchcybersecurity.com/2016/07/26/research-crashing-browsers-remotely-via-insecure-search-suggestions/]

Summary

Intercepting insecure search suggestion requests from browsers, and
returning very large responses, leads to browser crashes (but not RCE).
Affected browsers are FireFox on the desktop and Android, and Chrome on
desktop and Android – other Chromium and FireFox derived browsers
may be affected. Internet Explorer and Safari are not affected. The
issue is exploitable remotely, albeit not easily.

Details

Because browsers include multiple non-HTTPS search engines which also
use non-HTTPS endpoints, it would be possible for an attacker at the
network level to intercept the traffic flowing between the browser and
the search engine endpoints, and substitute their own. If a very large
response is returned (2+ GBs), the browser can run out of memory and
crash. This is due to the fact that browsers do not check for sizes in
the search suggestions responses. Obviously, this is more of an issue
for mobile devices, which have less memory than desktops. For the Android
AOSP browser and Chromium, this issue appears to be directly tied to
the processing code of search engine responses. For FireFox, this is a
more generic issue around large XMLHTTPRequest responses, which is
what the browser is using internally for search suggestions. Our bug
reports with the vendors provide more details on which code is causing
this. This reinforces the fact that network traffic SHOULD NEVER be
trusted.

The following crashes were observed – we have not been able to cause
an RCE or a buffer overflow:
- Android AOSP stock browser on Android (v4.4) – application crashes
- Chrome v51 on Android (v6.01) – application crashes
- Chrome v51 on desktop Linux (Ubuntu v16.04) – the entire computer
freezes and requires a reboot (this may be due to swapping being
disabled with an SSD drive)
- FireFox v47 on desktop Linux (Ubuntu v16.04) and Android (v6.01) –
application crashes

Safari v9.1 and Internet Explorer 11 and Edge appear not to be
affected, although a similar bug has happened before with Safari. We
did not test prior versions of either Safari or IE. We also did not
test any other browsers derived from Chromium or FireFox.

The practical exploitation of this issue is mitigated by several factors:
- The attacker must have control over DNS and the network traffic of
the victim machine. This is most likely in cases of a rogue WiFi
hotspot or a hacked router.
- Most browsers have a rather short timeout for the search engine
suggestions response, not allowing sufficient time for the large
response to be transferred over the network
- Due to the very large response size needed to trigger this issue, it
is only exploitable over broadband or local networks such as a rogue
WiFi hotspot

Vendor Responses

Google response re: Android AOSP browser:
"The team reviewed this issue and don’t believe there is a security
vulnerability here. It seems the worse things that can happen is the
browser crashes due to resource exhaustion. The phone is still usable
so there isn’t a denial of service."

Google response re: Chromium:
"We don’t consider DoS to be a security vulnerability. See the Chrome
Security FAQ: 
https://www.chromium.org/Home/chromium-security/security-faq#TOC-Are-denial-of-service-issues-considered-security-bugs-";

Mozilla / FireFox response has been to remove the security restriction
on this bug, therefore indicating that this is not a security issue.

References

Android bug reports: 214784 and 214785
Chromium bug reports: 624779 and 624794
FireFox bug reports: 1283675 and 1283672

Timeline

2016-06-30: Bug filed with Android
2016-06-30: Bug filed with Chromium
2016-06-30: Bug filed Mozilla/FireFox
2016-06-30: Response from Chromium, Won’t Fix
2016-07-12: Response from Android, not a security issue
2016-07-13: Android team is ok with disclosure
2016-07-14: Mozilla removes security restrictions on the bug
2016-07-26: Public disclosure
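The size check the post says browsers lack, as an added example that is not code from the original post or from any browser: a suggestion-response reader that gives up once a byte budget is exceeded and cancels the transfer, instead of buffering whatever the network sends. The names SuggestionReader, ResponseTooLarge and readSuggestions, and the 64 KiB cap, are assumptions made for this example; the payload shape is the OpenSearch JSON suggestion format `[query, [suggestions...]]`.

```javascript
// Added example, not from the original post: bound the size of a search
// suggestion response so an oversized body cannot exhaust memory.
// The class names and the 64 KiB cap are assumptions made for this example.
const MAX_SUGGEST_BYTES = 64 * 1024;
class ResponseTooLarge extends Error {}

class SuggestionReader {
  constructor(maxBytes = MAX_SUGGEST_BYTES) {
    this.maxBytes = maxBytes;
    this.received = 0;
    this.decoder = new TextDecoder();
    this.text = "";
  }
  // Feed one body chunk (Uint8Array); throws as soon as the running total
  // passes the cap, so buffered data never grows beyond maxBytes.
  push(chunk) {
    this.received += chunk.byteLength;
    if (this.received > this.maxBytes) {
      this.text = "";
      throw new ResponseTooLarge(`received ${this.received} bytes > ${this.maxBytes}`);
    }
    this.text += this.decoder.decode(chunk, { stream: true });
  }
  // Decode and validate the OpenSearch suggestion shape: [query, [s1, s2, ...]].
  finish() {
    this.text += this.decoder.decode();
    const parsed = JSON.parse(this.text);
    if (!Array.isArray(parsed) || !Array.isArray(parsed[1])) {
      throw new Error("unexpected suggestion payload");
    }
    return parsed[1].filter((s) => typeof s === "string");
  }
}
// Streaming wrapper for a fetch() Response: an announced oversized body is
// rejected before any read; on overflow the body is cancelled so the transfer stops.
async function readSuggestions(response, maxBytes = MAX_SUGGEST_BYTES) {
  const declared = response.headers.get("content-length");
  if (declared != null && Number(declared) > maxBytes) {
    throw new ResponseTooLarge(`declared ${declared} bytes > ${maxBytes}`);
  }
  const reader = new SuggestionReader(maxBytes);
  const body = response.body.getReader();
  try {
    for (let r = await body.read(); !r.done; r = await body.read()) reader.push(r.value);
  } catch (err) {
    await body.cancel().catch(() => {});
    throw err;
  }
  return reader.finish();
}
```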


Huawei ISM Professional XSS Vulnerability

2016-07-26 Thread ak47464659484
Title: Huawei ISM Professional XSS Vulnerability
Software : ISM Professional OceanStor

Software Version : Copyright©Huawei Technologies Co., Ltd. 2009-2010. All 
rights reserved.

Vendor: www.huawei.com

Vulnerability Published : 2016-07-25

Author:zhiwei_jiang 
Email:ak47464659...@gmail.com
Impact : Medium(CVSS2 Base : 4.3, AV:N/AC:M/Au:N/C:N/I:P/A:N)

Bug Description :
The ISM consists of device management software, cloud storage management 
software, and storage network management software. The device management 
software, downloaded over JWS or installed through a CD-ROM, applies to the 
management of Huawei Symantec storage devices, the cloud storage management 
software applies to the management of Huawei Symantec storage devices and 
resources and the storage network management software applies to the management 
of Huawei Symantec SAN storage devices. The cloud storage management software 
and storage network management software are deployed on independent servers and 
users can access the software through browsers.
ISM Professional (ver Huawei Technologies Co., Ltd. 2009-2010.) The server 
reads data directly from the HTTP request and reflects it back in the HTTP 
response. Reflected XSS exploits occur when an attacker causes a victim to 
supply dangerous content to a vulnerable web application, which is then 
reflected back to the victim and executed by the web browser. The most common 
mechanism for delivering malicious content is to include it as a parameter in a 
URL that is posted publicly or e-mailed directly to the victim. URLs 
constructed in this manner constitute the core of many phishing schemes, 
whereby an attacker convinces a victim to visit a URL that refers to a 
vulnerable site. After the site reflects the attacker's content back to the 
victim, the content is executed by the victim's browser. 

PoC:
http://x.x.x.x/cgi-bin/doLogin_CgiEntry
POST:
cfgBtn=&brand=sp&copyright=hst&lang=en&lang=en&loginName=en&loginPassword=test


Solution :
Use encoding functions such as htmlencode(), or filter the symbols that are 
significant to JavaScript and HTML.


Dropbox 6.4.14 DLL Hijacking Vulnerability

2016-07-26 Thread mehta . himanshu21
Aloha,

Summary
Dropbox Installer for Windows contains a DLL hijacking vulnerability that could 
allow an unauthenticated, remote attacker to execute arbitrary code on the 
targeted system. The vulnerability exists because a DLL file is loaded 
improperly by 'DropboxInstaller.exe', which allows an attacker to load a DLL 
file of the attacker's choosing that could execute arbitrary code without the 
user's knowledge.

Affected Product: Dropbox 6.4.14 and prior versions

Tested on: Windows 7

Impact
An attacker can exploit this vulnerability to load a DLL file of the attacker's 
choosing that could execute arbitrary code. This may help an attacker to 
successfully exploit the system if the user creates a shell as a DLL.

Vulnerability Scoring Details
The vulnerability classification has been performed by using the CVSSv2 scoring 
system (http://www.first.org/cvss/).
Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

More Details:
For software downloaded with a web browser the application directory is 
typically the user's "Downloads" directory: see 
https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html,
http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html
and http://seclists.org/fulldisclosure/2012/Aug/134 for "prior art" about this 
well-known and well-documented vulnerability.

If an attacker places a malicious DLL in the user's "Downloads" directory (for 
example via "drive-by download" or "social engineering"), this vulnerability 
becomes a remote code execution.

Proof of concept/demonstration:

1. Create a malicious PGPmapih.dll file and save it in your "Downloads" 
directory. 

2. Download 'DropboxInstaller.exe' from https://www.dropbox.com/downloading and 
save it in your "Downloads" directory. 

3. Execute .exe from your "Downloads" directory. 

4. Malicious dll file gets executed. 

Informed Vendor: Yes
Fixed Version: TBA

Please assign a CVE ID.

Chao!! 
Himanshu Mehta


Cross-Site Scripting vulnerability in ColorWay WordPress Theme

2016-07-26 Thread Summer of Pwnage


Cross-Site Scripting vulnerability in ColorWay WordPress Theme

Yorick Koster, July 2016


Abstract

Multiple Cross-Site Scripting vulnerabilities were found in the ColorWay
WordPress Theme. These issues allow an attacker to perform a wide
variety of actions, such as stealing users' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a victim into opening a malicious
website.


OVE ID

OVE-20160712-0024


Tested versions

These issues were successfully tested on ColorWay WordPress Theme
version 3.4.1.


Fix

This issue is resolved in ColorWay WordPress Theme version 3.4.2.


Details

https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_colorway_wordpress_theme.html


Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.


[security bulletin] HPSBST03603 rev.1 - HPE StoreVirtual Products running LeftHand OS using glibc, Remote Arbitrary Code Execution, Denial of Service (DoS)

2016-07-26 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05212266

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05212266
Version: 1

HPSBST03603 rev.1 - HPE StoreVirtual Products running LeftHand OS using
glibc, Remote Arbitrary Code Execution, Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2016-07-26
Last Updated: 2016-07-26

Potential Security Impact: Remote Arbitrary Code Execution, Denial of Service
(DoS)

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
HPE StoreVirtual products running LeftHand OS have addressed stack based
buffer overflows in glibc's implementation of getaddrinfo(). This
vulnerability could be remotely exploited to cause Denial of Service (DoS) or
allow execution of arbitrary code on the host with the permissions of a user
running the glibc library.

References:

  - CVE-2015-7547
  - PSRT110117

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HP StoreVirtual VSA Software 12.6
  - HP StoreVirtual 4130 600GB SAS Storage 12.6
  - HP StoreVirtual 4130 600GB China SAS Storage 12.6
  - HP StoreVirtual 4330 1TB MDL SAS Storage 12.6
  - HP StoreVirtual 4330 450GB SAS Storage 12.6
  - HP StoreVirtual 4330 900GB SAS Storage 12.6
  - HP StoreVirtual 4330 1TB MDL China SAS Storage 12.6
  - HP StoreVirtual 4330 450GB China SAS Storage 12.6
  - HP StoreVirtual 4330 900GB China SAS Storage 12.6
  - HP StoreVirtual 4330 FC 900GB SAS Storage 12.6
  - HP StoreVirtual 4330 FC 900GB China SAS Storage 12.6
  - HP StoreVirtual 4530 2TB MDL SAS Storage 12.6
  - HP StoreVirtual 4530 3TB MDL SAS Storage 12.6
  - HP StoreVirtual 4530 450GB SAS Storage 12.6
  - HP StoreVirtual 4530 600GB SAS Storage 12.6
  - HP StoreVirtual 4630 900GB SAS Storage 12.6
  - HP StoreVirtual 4730 600GB SAS Storage 12.6
  - HP StoreVirtual 4730 900GB SAS Storage 12.6
  - HP StoreVirtual 4730 FC 900GB SAS Storage 12.6
  - HP StoreVirtual 4330 450GB SAS Storage/S-Buy 12.6
  - HP StoreVirtual 4330 900GB SAS Storage/S-Buy 12.6
  - HP StoreVirtual 4330 1TB MDL SAS Storage/S-Buy 12.6
  - HP StoreVirtual 4530 3TB MDL SAS Storage/S-Buy 12.6
  - HP StoreVirtual 4530 450GB SAS Storage/S-Buy 12.6
  - HP StoreVirtual 4335 China Hybrid Storage 12.6
  - HP StoreVirtual 4335 Hybrid Storage 12.6
  - HP StoreVirtual 4530 4TB MDL SAS Storage 12.6
  - HP StoreVirtual 4130 600GB China SAS Storage 12.6
  - HP StoreVirtual 4130 600GB SAS Storage 12.6
  - HP StoreVirtual 4330 1TB MDL China SAS Storage 12.6
  - HP StoreVirtual 4330 1TB MDL SAS Storage 12.6
  - HP StoreVirtual 4330 1TB MDL SAS Storage/S-Buy 12.6
  - HP StoreVirtual 4330 450GB China SAS Storage 12.6
  - HP StoreVirtual 4330 450GB SAS Storage 12.6
  - HP StoreVirtual 4330 450GB SAS Storage/S-Buy 12.6
  - HP StoreVirtual 4330 900GB China SAS Storage 12.6
  - HP StoreVirtual 4330 900GB SAS Storage 12.6
  - HP StoreVirtual 4330 900GB SAS Storage/S-Buy 12.6
  - HP StoreVirtual 4330 FC 900GB China SAS Storage 12.6
  - HP StoreVirtual 4330 FC 900GB SAS Storage 12.6
  - HP StoreVirtual 4335 China Hybrid SAN Solution 12.6
  - HP StoreVirtual 4335 China Hybrid Storage 12.6
  - HP StoreVirtual 4335 Hybrid SAN Solution 12.6
  - HP StoreVirtual 4335 Hybrid Storage 12.6
  - HP StoreVirtual 4530 2TB MDL SAS Storage 12.6
  - HP StoreVirtual 4530 3TB MDL SAS Storage 12.6
  - HP StoreVirtual 4530 3TB MDL SAS Storage/S-Buy 12.6
  - HP StoreVirtual 4530 450GB SAS Storage 12.6
  - HP StoreVirtual 4530 450GB SAS Storage/S-Buy 12.6
  - HP StoreVirtual 4530 4TB MDL SAS Storage 12.6
  - HP StoreVirtual 4530 600GB SAS Storage 12.6
  - HP StoreVirtual 4530 600GB SAS Storage/S-Buy 12.6
  - HP StoreVirtual 4630 900GB SAS Storage 12.6
  - HP StoreVirtual 4730 600GB SAS Storage 12.6
  - HP StoreVirtual 4730 600GB SAS Storage/S-Buy 12.6
  - HP StoreVirtual 4730 900GB SAS Storage 12.6
  - HP StoreVirtual 4730 900GB SAS Storage/S-Buy 12.6
  - HP StoreVirtual 4730 FC 900GB SAS Storage 12.6

BACKGROUND

  CVSS Base Metrics
  =================
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector

CVE-2015-7547
  5.6 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
  6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:

  https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c01345499

RESOLUTION

HPE has made the following software updates available to resolve the
vulnerability with glibc for all of the impacted HPE StoreVirtual products.

  - LeftHand OS 12.6 - patch 56001
  - LeftHand OS 12.5 - patch 55015

  **Notes:**

  - These patches will upgrade glibc to 2.12-1.166 to resolve this issue.
  - Patches are available through StoreVirtual Online Upgrades and at the
following location:

ftp://ftp.hp.com/pub/hp_LeftHandOS/

[SECURITY] [DSA 3630-1] libgd2 security update

2016-07-26 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

------------------------------------------------------------------------
Debian Security Advisory DSA-3630-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 26, 2016                         https://www.debian.org/security/faq
------------------------------------------------------------------------

Package: libgd2
CVE ID : CVE-2016-6207

Secunia Research at Flexera Software discovered an integer overflow
vulnerability within the _gdContributionsAlloc() function in libgd2, a
library for programmatic graphics creation and manipulation. A remote
attacker can take advantage of this flaw to cause a denial-of-service
against an application using the libgd2 library.

For the stable distribution (jessie), this problem has been fixed in
version 2.1.0-5+deb8u6.

For the unstable distribution (sid), this problem has been fixed in
version 2.2.2-43-g22cba39-1.

We recommend that you upgrade your libgd2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 3631-1] php5 security update

2016-07-26 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-3631-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 26, 2016                         https://www.debian.org/security/faq
------------------------------------------------------------------------

Package: php5
CVE ID : CVE-2016-5385 CVE-2016-5399 CVE-2016-6289 CVE-2016-6290 
 CVE-2016-6291 CVE-2016-6292 CVE-2016-6294 CVE-2016-6295
 CVE-2016-6296 CVE-2016-6297

Several vulnerabilities were found in PHP, a general-purpose scripting
language commonly used for web application development.

The vulnerabilities are addressed by upgrading PHP to the new upstream
version 5.6.24, which includes additional bug fixes. Please refer to the
upstream changelog for more information:

https://php.net/ChangeLog-5.php#5.6.24

For the stable distribution (jessie), these problems have been fixed in
version 5.6.24+dfsg-0+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 7.0.9-1 of the php7.0 source package.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org